Keeping track of passwords is hard enough (though a good password vault helps a lot). But now, it seems, we need to start keeping track of all the various and sundry breaches that have occurred, possibly without knowing whether we're directly impacted.
Have I Been Pwned? is a great start, particularly its Pwned Passwords service, which lets you check whether a password you use has turned up in a breach. You can get notifications when your email address is discovered in a breach, but when it comes to passwords, checking is still a manual process.
That's where Password Checkup comes in.
- Breaches typically expose only your email address and other low-value data, but they can expose your actual password.
- Once a password has been compromised, that password should no longer be used anywhere.
- Password Checkup informs you if you use a password that's been found in a breach.
- Password Checkup is safe: it never sends your password, or a usable hash of it, off your machine.
- Alternatives for non-Chrome browsers are few, but hopefully that will change.
Breaches and passwords
Not a day goes by, it seems, that we don't hear of some kind of database breach at an online service provider. In most cases, all the hacker gets is your email address, and perhaps some additional not-particularly-critical information.
Occasionally, however, hackers will get or be able to determine the actual password you've used with the breached service.
That spells trouble, and quite possibly not only for your account with that breached service.
Exposed once means risk everywhere
Since so many people re-use passwords across multiple sites, when such a password is exposed at any one service, it puts your accounts at all the other services at risk as well. Hackers routinely try databases of known passwords against databases of known login IDs (like email addresses) at a wide variety of services, hoping to find a combination that works. This is called credential stuffing, and it is automated, cheap, and effective precisely because re-use is so common.
If a password you use has been exposed anywhere, you need to stop using it everywhere.
How do you find out if it's been exposed? That's where the Google Chrome browser extension Password Checkup comes in.
Pardon me, your password is showing
As you go about your day and log in to the various services you use, Password Checkup checks the password you've just used against a database of known exposed passwords. If it finds your password listed there, you'll get a warning.
The warning tells you to change the password for the site you're logging in to, because that password has been found in a breach database.
It does not mean that the account you're logging in to has been hacked. It doesn't even mean that another account of yours using the same password has been hacked, though that's the most common way a password ends up in such a database. It just means that someone, somewhere, used that password for an account that was part of a data breach. Usually that "someone" is you, but it doesn't have to be: common passwords are shared by many people.
Either way, it means your password is in a database known to hackers and you should stop using it. Period.
How is this safe?
The extension does not share your actual password with anyone, and it does not transmit your password anywhere at all. Instead, it uses cryptography to check something derived from your password: a hash of it. (Google's own description of the design adds two details worth knowing: the check is made on the username-and-password pair, not the password alone, and the hash is blinded before it leaves the browser, so Google's servers cannot read even the hash.)
A cryptographic hash function takes a string of characters, like your password, and converts it to a fixed-size number. That number has two important properties:
- It's effectively unique. The chance of any two different strings producing the exact same hash is infinitesimal, so a hash of a password identifies that password as well as the password itself does.
- It's one-way. You can create a hash from a password, but you cannot run the calculation backwards to recover the password from the hash. One-way does not mean unguessable, though: passwords come from a small space, so anyone holding the full hash of a password can recover it by hashing guesses until one matches. That is why a careful design never sends the full hash to a server either.
So, at a high level, all the extension does is:
- Hash the password it sees you using.
- Send the server only a short, truncated piece of that hash (Pwned Passwords, for example, uses the first five hex characters of a SHA-1 hash) and receive back every known-breached hash that begins with the same piece.
- Compare the rest of your hash against that list on your own machine. If there's a match, your password is in that database, even though neither your password nor its full hash was ever transmitted anywhere.
Once again, if there's a match, it means your password is in a database known to hackers and you should stop using it.
Non-Chrome alternatives
At this writing, I know of no equivalents for other browsers; currently this is a Chrome-only extension. I hope that changes and equivalent tools are made available for other browsers.
Some password vaults may offer a similar type of functionality, comparing all your passwords stored in your vault against the database of known passwords. (Again, using the same hash technique that doesn't require sending your actual password anywhere.)
Finally, you can do this manually using the Pwned Passwords service of Have I Been Pwned?
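The following is an added example, not code from the article, from Google, or from Have I Been Pwned. It shows the hash-prefix check described under "How is this safe?" and the same technique a password vault would use to scan all its stored passwords. The wire format (a five-hex-character SHA-1 prefix in, "SUFFIX:COUNT" lines out) mirrors the public Pwned Passwords range API, but the breached-password list and the in-process `ConstructedRangeServer` are constructed for this example so it runs entirely offline; nothing here contacts the network.

```python
"""k-anonymity password check, in the style of the Pwned Passwords range API.

Added example, not code from the article, Google or HIBP. The breach corpus and
the "server" are constructed stand-ins so the whole thing runs offline.
"""
import hashlib
from collections import defaultdict
from typing import Dict, Tuple

PREFIX_LEN = 5  # hex chars of SHA-1 that leave the machine: 16**5 = ~1M buckets
HEX_DIGITS = set("0123456789ABCDEF")


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split the uppercase hex digest into the short
    prefix that is sent to the server and the 35-char suffix that never is."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


class ConstructedRangeServer:
    """Stand-in for the remote breach database (constructed for this example).

    It only ever sees a 5-character prefix, so it cannot tell which of the
    roughly 1 million possible suffixes in that bucket the client cares about,
    and it never receives anything that could be brute-forced back to a password.
    """

    def __init__(self, breached: Dict[str, int]):
        self._buckets = defaultdict(dict)
        for pw, count in breached.items():
            prefix, suffix = sha1_prefix_suffix(pw)
            self._buckets[prefix][suffix] = count

    def range(self, prefix: str) -> str:
        # Validate input the way a real endpoint would: exactly 5 hex chars.
        if len(prefix) != PREFIX_LEN or not set(prefix) <= HEX_DIGITS:
            raise ValueError("prefix must be %d uppercase hex characters" % PREFIX_LEN)
        bucket = self._buckets.get(prefix, {})
        lines = ["%s:%d" % (sfx, n) for sfx, n in sorted(bucket.items())]
        # Real deployments may pad responses with zero-count decoy suffixes so
        # that response size does not reveal how many real hits a bucket has.
        lines.append("0" * (40 - PREFIX_LEN) + ":0")
        return "\r\n".join(lines)


def parse_range_response(text: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a dict, dropping padding (count 0) entries."""
    out = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            out[suffix.strip().upper()] = n
    return out


def times_seen(password: str, server) -> int:
    """Number of times the password appears in the breach corpus (0 if never).
    Only the prefix goes to the server; the suffix comparison is local."""
    prefix, suffix = sha1_prefix_suffix(password)
    matches = parse_range_response(server.range(prefix))
    return matches.get(suffix, 0)


def scan_vault(passwords: Dict[str, str], server) -> Dict[str, int]:
    """What a password vault's 'check all my passwords' feature does: run the
    same local check for every stored entry and report the ones that hit."""
    return {site: n for site, pw in passwords.items()
            if (n := times_seen(pw, server)) > 0}


# Constructed sample corpus: passwords and breach counts chosen for this example.
SAMPLE_SERVER = ConstructedRangeServer({
    "password": 3730471,
    "123456": 23547453,
    "letmein": 200000,
})

# Constructed sample vault: site -> password (the re-used one is deliberate).
SAMPLE_VAULT = {
    "mail": "letmein",
    "bank": "letmein",
    "forum": "Tq7!vR2m-pLx9#wE",
}

if __name__ == "__main__":
    for site, n in scan_vault(SAMPLE_VAULT, SAMPLE_SERVER).items():
        print("%s: password seen %d times in breaches, change it" % (site, n))
```

The `server.range()` call is the only thing a real client would replace with an HTTPS request; everything it receives is public data about a bucket of a million hashes, and everything it compares stays in memory. Note what the design does not do: it never uploads the full SHA-1, because SHA-1 of a typical password is reversible by guessing in well under a second on commodity hardware.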
Changing your passwords
If you find that your password has been exposed, there are several things you need to do and opportunities you should take advantage of.
- For every site that uses the exposed password, change the password.
- Change the password to something long and strong.
- Use this as an opportunity to make sure none of your logins use the same password -- every site should be unique.
Using a password vault like LastPass will make keeping track of it all significantly easier.
Along with Password Checkup, I recommend it.
I use incognito; extensions usually have an option to allow incognito.
Password Checkup does not. There's no icon in the incognito mode.
Is it working, or do I not need it when I'm incognito?
Oh, you want it to check your passwords incognito or not, but if the option’s not there then the option’s not there. Incognito has absolutely no impact on whether or not you’re using good or bad passwords.
OIC, so it's working even though there is no icon in the top toolbar?
I see the icon in the non-incognito page, but there is no icon incognito.
Will I still get notified if I enter a bad password?
I certainly wouldn't use this particular tool as: 1) browser extensions aren't the most secure of things and 2) Google ain't got the best track record when it comes to respecting its users' privacy or, for that matter, adhering to its own privacy policies.
To my mind, using it may well be riskier than not using it. This is especially true because, as you said, there are alternatives available. Similar functionality is provided by password managers including LastPass and 1Password. Additionally, many companies, including Facebook and Microsoft, make their own checks against databases of leaked credentials when folk use their services and Firefox users can, if they’re so inclined, use the Firefox Monitor Service.
I don’t recall you ever speaking about the Google password manager. Would you consider a password manager like LastPass to be safer than using the Google password manager in Chrome? And if so, why?
I tend to avoid browser-based password managers. At a practical level they’re not portable (they only work in those specific browsers, whereas LastPass and other vaults work almost everywhere). At a philosophical level, while I’m sure that Chrome’s is “good”, it’s just a feature in a larger product. Password vaults ARE the product, and designed from the start to be as secure as is possible. I have a little more faith in that focused design process. (There have been incidents — though not in Chrome that I recall — of browser-based managers having security holes.)
I try to install on my Chrome browser but it says I am not compatible. Is it because I have Chrome on Linux Mint?
Quite possibly.
Leo, I am running Mint 18.3. Installed in Chromium Version 73.0.3683.75 and it runs fine, for almost a month.
Thanks for the article Leo.
When I went to install “Password Checkup” from Chrome it stated that it can: “Read and change all your data on the websites you visit”.
This sounded a bit ominous and so I was reluctant to download it. What do you think?
Best regards,
Phillip.
You'll find that many if not all the extensions you might have installed get that permission. Chrome has nothing more granular, and the extension needs to be able to see the data in order to test it. I trust the extension, so it doesn't bother me. But if you don't trust it, then don't install it. (Actually, that last statement applies to any software.)
When I checked I got the message:
Oh no — pwned!
Pwned on 1 breached site and found no pastes (subscribe to search sensitive breaches)
Further down the page I found:
Breaches you were pwned in
A “breach” is an incident where data has been unintentionally exposed to the public. Using the 1Password password manager helps you ensure all your passwords are strong and unique such that a breach of one service doesn’t put your other services at risk.
Followed by:
Onliner Spambot (spam list): In August 2017, a spambot by the name of Onliner Spambot was identified by security researcher Benkow moʞuƎq. etc etc
None of this information was of any help at all, as I still can't find out which of the numerous passwords I have has been compromised.
Do I change every one I have, just in case?
regards
Bernard
Where did you check? If this came from Password Checkup, the subject of this article, then the password you had just used at the time of the message should be changed for any and all accounts in which it is used. The article explains this.
If you got a message from the folks at “have I been pwned”, or manually checked there, they often don’t know which account was compromised, only that your email address was discovered. (If they know which account, they say so, but if they don’t say so, they don’t know.) This means you need to be careful with any accounts using that email address. I often change the email password as an extra layer of security.
You said “At this writing, I know of no equivalents for other browsers; currently this is a Chrome-only extension. I hope that changes and equivalent tools are made available for other browsers.”.
At the moment I’m already using Mozilla’s Firefox Monitor, and it has sent me three different warnings since I subscribed. LastPass also has a way of telling me which of my passwords have been compromised and should be changed.