Tech Made Simple

Hot Topics: How to Fix Bluetooth Pairing Problems | Complete Guide to Facebook Privacy | How to Block Spam Calls | Snapchat Symbol Meaning

We may earn commissions when you buy from links on our site. Why you can trust us.

author photo

Find Out if Any of Your Passwords Have Been Compromised

by Elizabeth Harper on March 02, 2018

There's a good chance that hackers know at least one of your passwords. Last year, Yahoo announced that hackers managed to steal three billion — yes, billion — email addresses and passwords that belonged to users on Yahoo, Tumblr, Flickr and more. And Yahoo is hardly the only big business that's fallen victim to hackers. Last year alone there were more than 1,300 data breaches, any of which could have put your personal information in the hands of hackers.

And while you may not care that your unused Yahoo account was hacked, having your password stolen can be a real problem. Why? Because despite security experts warning us not to, many of us use the same login and password for many different accounts — and when a hacker gets one of them, it's often easy to find others.

If you're trying to figure out whether or not you should be worried about your accounts being compromised, a site called haveibeenpwned.com can help. Despite the silly name, the site is completely legitimate, letting you quickly search to see if your email address or account names have shown up in these data breaches. If you haven't used it before, it's worth checking out and setting up notifications so you'll get an email if your accounts show up in a future data breach (just click "notify me" at the top of the page to sign up).

haveibeenpwned.com/

What's new is a tool that will tell you if your password — not just your account name — has been compromised. To find out if yours is on the list, just go to the site's password page and look yours up. And, yes, it's safe to do so on this site, which takes serious measures to protect your security. Just remember you should be extremely wary of unknown sites that ask for your password — a less trustworthy site could easily use this to steal your account information.

[Editor's note 3/8/18: Some people are questioning whether entering a password into this site creates its own security risks. The creator of the site, Troy Hunt, is a well-known and highly-regarded security expert; you are not entering any other information that could be used/associated with the password (e.g., user name, email, specific site name); and the site isn't storing your password. However, it is theoretically possible that if you sign up to be notified when a password is breached, the stored hash could somehow be decrypted, and if there is an IP address stored alongside it that decrypted password could then be connected back to you and your logins via other third-party hacks. We would say the likelihood of this is extremely thin, and the benefit of the site outweighs this risk, but it is possible. So if you want to be absolutely safe, only enter passwords that you are no longer using, or change any active passwords you do enter immediately before or after. There is still value to the process with inactive passwords because if one of those hacked passwords is the one you're using for your bank, email or other critical use, you know there's a possibility that either their data was hacked, you're reusing passwords and risking your critical site login or the passwords you're using are too common and you need to develop more secure password habits.]

After you type in your password and hit enter, the site will tell you whether the password has shown up in any data breaches, and how many times. For example, the all too common "password" has shown up 3,303,003 in data breaches. Even if your usual password hasn't been leaked three million times, you should change it if it's been leaked at all — because once it's out there, it makes it easier for hackers to get into any accounts that use that password.

If you find out your passwords have been compromised, you should change them immediately. Be sure to make a different password for every site and use a password manager to keep track of them all. Our current favorite is Dashlane, which you can download for free.

Once you've changed any hacked passwords, it's time to turn on two-factor authentication for any accounts that offer it. This security feature means that in addition to your username and password, you'll need a code — often texted to your phone or sent to or sent to an app like Google Authenticator — to get into your account. This can stop hackers in their tracks even if they do have your username and password, but don't use it as an excuse not to change any compromised passwords. While the instructions for setting up two-factor authentication will be different for each site, you can check Two Factor Auth to find sites that support this security feature and how to enable it on each.

Now you can be sure your accounts are safe and stay safe in the future.

[Image credit: weak password via BigStockPhoto, haveibeenpwned.com]


Topics

Computer Safety & Support, News, Computers and Software, Blog, Privacy


Discussion loading

gravatar

From Khürt Williams on March 02, 2018 :: 8:23 am


> After you type in your password and hit enter, the site will tell you whether the password has shown up in any data breaches, and how many times.

+1 more time since you have just confirmed it with that site.

Reply

gravatar

From Jon on March 02, 2018 :: 11:52 am


@Khürt Williams, you obviously don’t know anything about the haveibeenpwned site or its owner, Troy Hunt, a security researcher for Microsoft. Mr. Hunt has no interest in stealing your passwords. You can read more about him and his pawned passwords database here: https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/

Reply

gravatar

From Khürt Williams on March 05, 2018 :: 8:22 am


Let’s be clear. The owner is pwned is known. TO YOU! Let’s also be clear, suggesting that the public put their passwords AND email address into a website that will check if it’s been compromised is NOT a good thing to teach the general public.

Tony himself from the same link you provided.

>As much as I don’t want to encourage people to plug their real password(s) into random third-party sites, I can guarantee that a sizable number of people got a positive hit and then changed their security hygiene as a result.

Reply

gravatar

From Josh Kirschner on March 02, 2018 :: 4:35 pm


Troy Hunt is a very well-known and highly respected security researcher. We fully trust his site or we wouldn’t recommend it. I feel more comfortable entering my passwords on haveibeenpwned.com than I do entering them into many of the actual sites I log into on a daily basis. Haveibeenpwned does not store the password you enter (it just crosschecks it against a known list of hacked passwords), nor is the password you’re checking associated with any other identifiable information, such as an email address or username.

Beyond that, there is great benefit to knowing whether the password(s) you’re currently using has already been hacked through a prior breach, and Haveibeenpwned offers a safe and easy way to do that - ignorance is not bliss when it comes to compromised credentials.

Reply

gravatar

From Khürt Williams on March 05, 2018 :: 8:16 am


Let’s be clear. The owner is pwned is known. TO YOU! Let’s also be clear, suggesting that the public put their passwords into a website that will check if it’s been compromised is NOT a good thing to teach the general public.

Reply

gravatar

From Khürt Williams on March 05, 2018 :: 8:25 am


Most companies have a policy requiring that employees change their password every 90 days. Instead of checking an online database, just change your personal passwords on a similar schedule and use a tool like 1Password.

Reply

gravatar

From Josh Kirschner on March 05, 2018 :: 3:56 pm


It has become widely accepted in the security community, based on a number of academic research studies, that requiring regular/frequent password changes is counterproductive because it encourages users to choose easy-to-remember passwords and reuse those passwords across sites. The NIST recently recommended dropping password expiration in their latest security recommendations (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf), as does Bruce Schneier (https://www.schneier.com/blog/archives/2017/10/changes_in_pass.html), the FTC (https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes) and others (https://www.sans.org/security-awareness-training/blog/time-password-expiration-die). Users would be far better off creating a sufficiently complex passphrase that can be easily remember for each site and then just leaving it alone.

gravatar

From Robb on March 02, 2018 :: 10:55 pm


All of the reported data breaches have been reported independently. Many of them are a decade ago—the 2008 MySpace breach, really?

Let’s appreciate ...pwned.com for notifying the clueless, but if it takes this to get you to change your passwords, you’re late to the game.

Reply

gravatar

From Josh Kirschner on March 05, 2018 :: 4:26 pm


Some of the breaches are old, some are very recent (or at least recently discovered). But it’s not fair to assume the general public should be on top of all these breaches and whether their particular data may have been compromised in any one of them. You can also use Haveibeenpwned to notify you if your password turns up in future breaches, which makes it even more useful.

Nor is it fair to say that only the clueless will benefit from Haveibeenpwned. One of the simpler passwords I use for less important sites was on the list; most likely not because my credentials had been part of a breach (the sites I used it on weren’t part of the breach list), but because it was a password that someone else had used that was breached. It was a quick reminder that was an unsafe password to sue anywhere going forward. With more than half a billion passwords in the list and growing, that will be an increasingly common scenario.

Reply

gravatar

From Thundarr the Barbarian on March 11, 2018 :: 7:29 am


C’mon folks.  Microsoft knows what version of windows is running on you computer and can upgrade it at will.  Do you honestly BELIEVE they don’t have access to EVERYTHING you do on your computer?  IP Addresses track EVERYTHING and EVERY DEVICE!  STOP falling for the FEAR induced PARANOIA.  You have nothing VALUABLE in an IDENTITY - either “online” or “offline” - WAKE UP!

Reply

gravatar

From gorn on August 07, 2019 :: 5:58 pm


When I do not use Microsoft Windows software? Last one I used was Windows 3.1 smile

Reply

gravatar

From Michael Kelly on March 11, 2018 :: 6:21 pm


Nothing to say right now…

Reply

gravatar

From Doug on March 14, 2018 :: 11:53 am


I don’t care who this guy was, is or wants to be.  If I do not know him personally, forget it. 
This is an opportunity for a collection of passwords, [to nothing specific] but still a collection that then can be sold and used to hack. 
I say ... no way Jose.

Reply

gravatar

From Ben Carr on September 29, 2018 :: 5:38 am


If you want to find out if you’ve been compromised you could always use http://leakprobe.net also they show you plain-text information that is in the data breaches. It’s way more comprehensive than Haveibeenpwned so you can use it if you forgot your password for old accounts or places you’ve signed up years ago as well.

Reply

gravatar

From Carl Davis on November 15, 2018 :: 4:54 am


There are so many sites now offering leaked password database searches. Leakedsource.ru https://leakprobe.net haveibeenpwnd etc etc..

the take away from this is make sure that your password is long and multi-case + symbols. Dont make the cracking easy by choosing a weak password.

Reply

gravatar

From Ann on April 03, 2019 :: 1:08 pm


Hi, 

About a week ago, I had a notice that one of my emails had been compromised. When I checked Have I been Pwned, it confirmed that it had been.  I changed my long password immediately and next day when I checked it, it came up clean.

Just this morning (when I’m busy with so many other things) it’s telling me Pwned again.  I changed the password again and it’s still coming up that I have been pwned. Now, I’m really concerned, as I don’t know what to do.  I have different passwords for everything and they are long. Is someone stealing the password as soon as I change it?

I would appreciate any help as I cannot afford a computer guy to come help me. Thank you so much.

Reply

gravatar

From Josh Kirschner on April 03, 2019 :: 2:18 pm


There are two sections of haveibeenpwned.com - one checks if your email address has been exposed in a data leak, the other checks to see if the password you’re using has been exposed in a data leak (doesn’t necessarily have to have been leaked from your account, could be someone else randomly using the same password).

So, if you’re using the email section, it will keep coming up as pwned even if you change your password because, obviously, the email address itself is still the same. However, if you are using the password section, and it shows your current password as pwned, then the passwords you’re using aren’t complex enough.

Note that haveibeenpwned is only updated when Troy Hunt finds a big data leak; it doesn’t change on a day-to-day basis and most of the password data is old by the time it gets added to the database. So there wouldn’t be a situation where haveibeenpwned would be picking up someone stealing your password as soon as you change it.

To help you manage all this, I strongly recommend a password manager. Our pick for the best password manager, Dashlane, as well as others like 1Password, will help you create and manage complex passwords and, more importantly, warn you when a password you are using has been compromised in a data breach.

Reply

gravatar

From Ann on April 03, 2019 :: 11:26 pm


Hi Josh,

Thank you so much for taking time to explain this. I hate to be paranoid, but, these days with so many scams and virus attacks, it is a bit scary and not being to computer savvy makes it worse.

I’m going to copy your reply in my notepad so I will have it, as my little brain is so cluttered with so much information. grin

Again, I appreciate your kindness. I noticed the last post was in 2018 so wasn’t certain someone would see my question.

Ann

Reply

gravatar

From Ken Johnson on July 15, 2019 :: 4:50 pm


I got reasonable results from the email page, however on the password page, when I entered 20 or more random characters and letters and symbols, every time it responded as pwned. Some of the half dozen or so entries I made at the end were long and varied enough that it seems pretty impossible to me that the password could possibly have been used.

Reply

gravatar

From Josh Kirschner on July 16, 2019 :: 10:24 am


When I try entering in random long passwords (10 or more characters) I don’t get any hits. I do get hits for random shorter passwords. So it sounds like either some was quirky with the site when you tried it or somehow your browser is caching previous results (which shouldn’t be happening).

Either way, the number of hits I got for random short passwords (8 or fewer characters) demonstrates how important password length is for security.

Reply

Home | About | Meet the Team | Contact Us
Media Kit | Newsletter Sponsorships | Licensing & Permissions
Accessibility Statement
Terms of Use | Privacy & Cookie Policy

Techlicious participates in affiliate programs, including the Amazon Services LLC Associates Program, which provide a small commission from some, but not all, of the "click-thru to buy" links contained in our articles. These click-thru links are determined after the article has been written, based on price and product availability — the commissions do not impact our choice of recommended product, nor the price you pay. When you use these links, you help support our ongoing editorial mission to provide you with the best product recommendations.

© Techlicious LLC.