Keeping track of passwords is hard enough (though a good password vault helps a lot). But now, it seems, we need to start keeping track of all the various and sundry breaches that have occurred, possibly without knowing whether we’re directly impacted.
Services like Have I Been Pwned? are a great start, particularly with its Pwned Passwords service, which lets you know if your account, or a password you use, is discovered in a breach. You can get notifications when your email address is discovered in a breach, but when it comes to passwords, it’s still a manual process.
That’s where Password Checkup comes in.
Become a Patron of Ask Leo! and go ad-free!
- Breaches can cause your actual password to be exposed, even though they typically do not.
- Once a password has been compromised, that password should no longer be used anywhere.
- Password Checkup informs you if you use a password that’s been found in a breech.
- Password Checkup is safe.
- Alternatives for non-Chrome browsers are few, but hopefully that will change.
Breaches and passwords
Not a day goes by, it seems, that we don’t hear of some kind of database breach at an online service provider. In most cases, all the hacker gets is your email address, and perhaps some additional not-particularly-critical information.
Occasionally, however, hackers will get or be able to determine the actual password you’ve used with the breached service.
That spells trouble, and quite possibly not only for your account with that breached service.
Exposed once means risk everywhere
Since so many people re-use passwords across multiple sites, when such a password is exposed at any one service, it puts your account at all the other services at risk as well. Hackers do try databases of known passwords against databases of known login IDs (like email addresses) at a wide variety of services, hoping to get lucky and find a combination that works.
If a password you use has been exposed anywhere, you need to stop using it everywhere.
How do you find out if it’s been exposed? That’s where the Google Chrome browser extension Password Checkup comes in.
Pardon me, your password is showing
As you go about your day and log in to the various services you use, Password Checkup checks the password you’ve just used against a database of known exposed passwords. If it finds your password listed there, you’ll get a warning.
As the message states, you should change the password for the site you’re logging in to, as the password has been discovered in a breach database.1
It does not mean that the account you’re logging in to has been hacked. It doesn’t even mean that another account of yours using the same password has been hacked, though that’s most common. It just means that someone somewhere used that password as the password to an account that was part of a data breach. Nine times out of ten, that “someone” is you, but it doesn’t have to be.
It means your password is in a database known to hackers and you should stop using it. Period.
How is this safe?
The extension does not share your actual password with anyone. It doesn’t transmit your password anywhere at all. Instead, the implication2 is that it uses cryptography to securely check something else: a hash of your password.
Hashes are complex mathematical calculations that take a string of characters, like your password, and convert it to a number. That number has two important properties:
- It’s statistically unique. The chances of any two strings generating the exact same hash number is infinitesimal. A hash of a password is as unique as the password itself.
- It’s one-way. You can create a hash from a password, but you cannot recover the password from the hash.
So, all the extension does is:
- Hash the password it sees you using.
- Compare that hash (not your password) against a (probably online) database of hashes of all known exposed passwords.
- If there’s a match, your password is in that database, even though your password was never actually transmitted anywhere.
Once again, if there’s a match, it means your password is in a database known to hackers and you should stop using it.
At this writing, I know of no equivalents for other browsers; currently this is a Chrome-only extension. I hope that changes and equivalent tools are made available for other browsers.
Some password vaults may offer a similar type of functionality, comparing all your passwords stored in your vault against the database of known passwords. (Again, using the same hash technique that doesn’t require sending your actual password anywhere.)
Changing your passwords
If you find that your password has been exposed, there are several things you need to do and opportunities you should take advantage of.
- For every site that uses the exposed password, change the password.
- Change the password to something long and strong.
- Use this as an opportunity to make sure none of your logins use the same password — every site should be unique.
Using a password vault like LastPass will make keeping track of it all significantly easier.
Along with Password Checkup, I recommend it.