How to Make Sure Your Passwords Haven't Been Stolen

One of the best things about having a solid password is that you don’t have to change it. If it’s strong, unique, and hasn’t been compromised by an attacker, you gain no security benefits by modifying it according to some arbitrary timetable. Just let it be.

What you should be tracking is whether any of your passwords have been compromised in one of the many data breaches you’ve probably been caught up in recently—or ever. Obviously, when that happens, changing the affected password should be a top priority. But a lot of people don’t do this. According to the latest research from Google:

“...we implement a cloud service that mediates access to over 4 billion credentials found in breaches and a Chrome extension serving as an initial client. Based on anonymous telemetry from nearly 670,000 users and 21 million logins, we find that 1.5% of logins on the web involve breached credentials. By alerting users to this breach status, 26% of our warnings result in users migrating to a new password, at least as strong as the original.”

I’m not sure why a person wouldn’t change their password when they find out it was compromised, but maybe the message isn’t clear enough. Worse, imagine all the compromised passwords people aren’t checking—you aren’t going to change that which you don’t perceive to be broken, after all.

While the first part of that paragraph is completely on you, we can help out with the second half. There are plenty of tools you can use (free or paid) to alert you that it might be time to change your password. Here are a few of our favorites—please pick one, or many, to use right now.

Google’s Password Checkup extension

If you’re a Chrome fan—most people are—consider installing Google’s Password Checkup extension. It’ll sit in the background of your browser and do nothing of importance until you go to log into a website. When you do, it’ll check to see if your account credentials have been previously leaked in a data breach. If so, it’ll let you know that it’s time to change your password, and you should definitely take it up on its advice.

And, no, this extension isn’t going to reveal your passwords by checking them. As Google writes:

“We designed Password Checkup with privacy-preserving technologies to never reveal this personal information to Google. We also designed Password Checkup to prevent an attacker from abusing Password Checkup to reveal unsafe usernames and passwords. Finally, all statistics reported by the extension are anonymous. These metrics include the number of lookups that surface an unsafe credential, whether an alert leads to a password change, and the web domain involved for improving site compatibility.”
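The quote above says the check never reveals your password to Google but does not say how a lookup can work without doing so. The following is an added example, not code from Google or from Have I Been Pwned, of the simplest such scheme: the k-anonymity range query that Have I Been Pwned’s Pwned Passwords API uses (a real service at https://api.pwnedpasswords.com/range/<prefix>). The client hashes the password locally, sends only the first 5 hex characters of the SHA-1, receives every breached suffix in that bucket, and does the comparison itself. Google’s extension uses a different, blinded protocol on top of the same idea, so treat this as an illustration of the principle rather than of their implementation. The breach corpus, its counts, and the names `BREACHED_PASSWORDS`, `lookup`, `check_password` and `SERVER_LOG` are all constructed for this example; the mock server mirrors the real API’s `SUFFIX:COUNT` response format.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed toy "breach corpus": password -> number of times seen in breaches.
# Both the passwords and the counts are made up for this example. A real
# service stores hundreds of millions of hashes, never the plaintexts.
BREACHED_PASSWORDS: Dict[str, int] = {
    "password": 1000,
    "123456": 2000,
    "qwerty": 300,
    "letmein": 40,
}

HEX = "0123456789ABCDEF"


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the hash Pwned Passwords is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(corpus: Dict[str, int]) -> Dict[str, List[Tuple[str, int]]]:
    """Server side: bucket every breached hash by its first 5 hex chars
    (20 bits), keeping only the remaining 35-char suffix and its count."""
    index: Dict[str, List[Tuple[str, int]]] = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append((h[5:], count))
    return index


INDEX = build_index(BREACHED_PASSWORDS)
SERVER_LOG: List[str] = []  # everything the mock "server" learns about clients


def range_query(index: Dict[str, List[Tuple[str, int]]], prefix: str) -> List[str]:
    """Server side: answer a /range/<prefix> request with every suffix in
    that bucket, formatted 'SUFFIX:COUNT' like the real API. The server only
    ever sees the prefix, which is shared by every password whose hash starts
    with the same 20 bits (that shared bucket is the k-anonymity)."""
    if len(prefix) != 5 or any(c not in HEX for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return [f"{suffix}:{count}" for suffix, count in index.get(prefix, [])]


def lookup(prefix: str) -> List[str]:
    """Stand-in for the HTTPS GET; records what the server observed."""
    SERVER_LOG.append(prefix)
    return range_query(INDEX, prefix)


def check_password(password: str, query: Callable[[str], List[str]] = lookup) -> int:
    """Client side: hash locally, send only the 5-char prefix, and compare
    suffixes here. Returns the breach count, or 0 if the password is unseen.
    Neither the password nor its full hash ever leaves the client."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in query(prefix):
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = check_password(pw)
        verdict = f"seen {n} times in breaches, change it" if n else "not in corpus"
        print(f"{pw!r}: {verdict}")
    print("server observed only these prefixes:", SERVER_LOG)
```

With a four-entry corpus every bucket holds a single suffix, so the anonymity set is tiny; the privacy property comes from scale. The real corpus is hundreds of millions of hashes spread across 2^20 buckets, so each prefix corresponds to several hundred breached passwords and the server cannot tell which one the client was asking about. Note also that a hit only means the password appears in known breach data; a miss says nothing about whether it is strong.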

Have I Been Pwned 

This one’s even easier. Send your email address to Have I Been Pwned via the site’s “notify me” feature, and you’ll get a warning whenever that address (and anything associated with it) appears in a breach. There’s no reason not to use this free service, unless you use several different email addresses across services. If so, consider using a third-party service like Badrap to check multiple accounts against Have I Been Pwned’s database.

And we almost don’t need to say it, but we’re going to say it: When you get an email that your account was involved in a breach, please go change your password for that service. Make it a unique password; make it a strong password. And change that password on other services if you’ve been lazy and used the same password for everything.


Original Article

Carl Lensing