Many websites have leaked passwords. Attackers can download databases of usernames and passwords and use them to “hack” your accounts. This is why you shouldn’t reuse passwords for important websites, because a leak by one site can give attackers everything they need to sign into other accounts.
Have I Been Pwned?
Troy Hunt’s Have I Been Pwned website maintains a database of username and password combinations from public leaks. These are taken from publicly available breaches that can be found via various sites on the web, or dark web. This database just makes it easier to check them yourself without visiting the sketchier parts of the web.
To use this tool, head to the main Have I Been Pwned? page and search for a username or email address. The results tell you whether your username or email address has ever appeared in a leaked database. Repeat this process to check multiple email addresses or usernames. You’ll see which leaked password dumps your email address or username appears in, which in turn gives you information about passwords that might have been compromised.
If you want to get an email notification should your email address or username appear in a future leak, click the “Notify me” link at the top of the page and enter your email address.
You can also search for a password to see whether it has ever appeared in a leak. Head to the Pwned Passwords page on the Have I Been Pwned? website, type a password in the box, and then click the “pwned?” button. You’ll see whether the password is in one of these databases and how many times it’s been seen. Repeat this as many times as you like to check additional passwords.
Warning: We strongly recommend against typing your password on third-party websites that ask you for it. These can be used to steal your password if the website isn’t honest. We recommend you only use the Have I Been Pwned? site, which is widely trusted and explains how your password is protected. In fact, popular password manager 1Password now has a button that uses the same API as the website, so they’ll send hashed copies of your passwords to this service, too. If you want to check whether your password has been leaked, this is the service you should do it with.
If an important password you use has been leaked, we recommend changing it immediately. You should use a password manager so it’s easy to set strong, unique passwords for each important site you use. Two-factor authentication can also help protect your critical accounts, as it will prevent attacks from getting into them without an additional security code—even if they know the password.
LastPass has a similar feature integrated into its Security Challenge. To access it from a LastPass browser extension, click the LastPass icon on your browser’s toolbar, and then select More Options > Security Challenge.
LastPass finds a list of email addresses in your database and asks if you want to check whether they’ve ever appeared in any leaks. If you agree, LastPass checks them against a database and sends information about any leaks to them via email.
LastPass also offers a view of “Compromised” passwords here. This list shows you which websites have had security breaches since you’ve last changed your password on them, which means your password potentially could have leaked. It’s a good idea to change the passwords of any sites that appear here.
The web-based version of the 1Password password manager can now check whether your passwords have been leaked, too. In fact, 1Password uses the same Have I Been Pwned? service we covered above. It has an integrated “Check Password” button that automatically submits the password to the service and provides a response. In other words, it works the same way as using the Have I Been Pwned? website.
If you’re a 1Password user, you can take advantage of this service by signing into your account on 1Password.com. Click “Open Vault” and then click one of your accounts. Press Shift+Control+Option+C on a Mac or Shift+Ctrl+Alt+C on Windows, and you’ll see a “Check Password” button that checks if your password appears in the Have I Been Pwned? database. It’s a new, experimental feature, so it’s hidden for now, but it should be integrated into future versions of 1Password in a better way.
This feature also will be integrated into 1Password’s Watchtower feature in the future. The Watchtower feature warns you from within the 1Password application if any passwords you’ve saved are potentially vulnerable and need a password change.
The most important thing you can do is to not reuse passwords, at least for important websites. Your email, online banking, shopping, social media, business, and other critical accounts should all have their own unique passwords, so a leak by one website doesn’t put any other accounts at risk. Password managers help make strong unique passwords possible, ensuring you don’t have to remember a hundred different passwords.