How to tell if your password has been stolen

These password monitors can help you find out.

Coming up with a strong, unique password and storing it in a password manager or browser isn’t good enough. You need to know if and when your password was stolen in a password breach, so you can act quickly enough to change that password before your personal information is potentially compromised. Here’s how.

It’s been some time since the massive Collections breaches of 2019 leaked literally billions of email addresses and passwords to the web, putting the security of those accounts at risk. The problem users faced at the time was a limited number of ways to tell if they were actually at risk. Now, there are many password monitoring services that will reveal if your password has been stolen. Many are designed to let you quickly take action and change them.

More stories

The best password managers

Why your browser’s password manager isn’t good enough

5 alarming facts in honor of World Password Day

Basic services to reveal email breaches

Two reputable services to check this information existed at the time of the Collections breach, and still do: HaveIBeenPwned, and a service run by the Hass-Platner-Institut in Potsdam, Berlin. Both ask you to enter your email address (not your password!), and both will then match your email address against a database of known breaches. 

Both services have their appeal. HaveIBeenPwned’s reputation attracts those who wish to publicize their attacks, so the site’s breach reporting seems comprehensive. The site will list the breaches that an email address has been caught up in, along with any corollary information—such as your gender or what your phone number is, for example. The site organizes the breaches by the service attacked, not the date. Why is this important? Because if your email was exposed in a breach in 2016, for example, chances are that your password has been changed since then. But if your email and password were exposed last month, you’ll want to change them right away.

haveibeenpwned detail HaveIBeenPwned.com

HaveIBeenPwned supplies a large amount of information in regards to breaches, but it could be better organized.

HaveIBeenPwned also publishes the breach information for any email address, which is handy for checking up on friends and family, though it isn’t the most privacy-conscious.

HPI’s service takes a different approach. It lists the breaches by date, along with a matrix of what information was exposed. If you enter an email address on the site, it will send a security report to that specific email, along with a color-coded chart of what data is at risk, and from what breach.

hpi identity leak checker Hass-Platner-Institut Hass-Platner-Institut

HPI will send you a matrix of what information has been released in conjunction with your email, organized by most recent. 

Browsers are adding password monitoring for free

Both of the above services only reveal if a specific email address has been part of a breach, however—not if a non-email username—“billg,” say—has been exposed. Here, you’ll want a trusted service that knows you, as well as the passwords that you’ve chosen. Don’t go chasing random sites to “check” your passwords—you’ll want to stick with a few trusted names. (Also, note that password monitoring is a paid service for most password managers—but not for password managers within a web browser.)

Google Password Checkup

In 2019, Google added a free browser plugin for Chrome that warned you, once you’d logged into a compromised site, if your email or password had been compromised. In October of 2019 Google began automatically checking passwords against breaches, and as of Chrome 79 began monitoring your online use to avoid getting “phished,” or lured into divulging your password under false pretenses.

google password checkup inline Mark Hachman / IDG

Google’s Password Checker has a handy dashboard to display if your password has been compromised.

Now, if you go to passwords.google.com and authenticate yourself, Google’s online Password Checkup will give you a quick dashboard of which passwords have been exposed in security breaches, which have been duplicated across various sites, and which could be improved with more complex passwords to avoid being easily cracked if a breach were to occur. There are also links to change the passwords on the sites themselves. However, this works only if you’ve stored passwords using Google itself.

Firefox Lockwise

Firefox Lockwise, part of the free Mozilla Firefox browser, works in a slightly different manner. It doesn’t offer the recommendations that Google does about redundant and weak passwords, but its password monitoring feature otherwise works similarly. It also seems to work regardless of whether you’ve stored a password within Firefox, or simply imported passwords from another browser. Like Google, though, it needs to “know” your password, which requires you to store it in the browser.

The easiest way to get to Lockwise is by typing about:logins into the Firefox URL bar.

firefox lockwise password protection edited Mark Hachman / IDG

Firefox Lockwise builds in password monitoring inside the Firefox browser.

If a password has been exposed, you’ll see a bright-red banner, the account and password in question, and a link to jump to the account in question. (It may also flag accounts that you may have already disabled, as it did with a LinkedIn breach it showed for me, which had been tied to a previous work account.)

Microsoft Edge Password Monitor

Last year Microsoft promised an upcoming Password Monitor within Microsoft Edge, and it will soon roll out as part of Microsoft Edge 88. Like the other similar services offered by other browser makers, it will be free.

Microsoft edge password generator Microsoft

Edge is rolling out a complex password generator, and soon a password monitor as well.

Paid password monitoring: Password managers

We already review password managers, which are hands-down the most convenient way to manage passwords. Below is a summary of which password managers do what in terms of monitoring. 

LastPass

While LastPass offers a robust, free version of the password storage services that the browsers offer, password monitoring is a service that LogMeIn’s LastPass service charges for. LastPass will keep an eye on the “dark web” in case a password leaks out—but it will also send you a notification when it does so, something that the browser makers don’t do yet. Is that heads-up worth the $3 LastPass charges per month for the service? If you value locking down your personal data immediately, it might be.

lastpass password dashboard LastPass

LastPass monitors the dark web for breached passwords, for a small monthly fee.

Dashlane

Dashlane, too, regards “dark web” monitoring as a paid service, and charges $6.49 per month for it.

1Password

1Password doesn’t offer a free tier, but its $2.49/month basic service includes what the company calls “Watchtower,” which alerts you to compromised passwords, as well as those that should be updated because they’re weak. 1Password actually works with the HaveIBeenPwned service to check your passwords (not your email) against its database of breached passwords. But as an added security measure, 1Password send only part of your password (or, specifically, part of the password hash), collects all of the potential matches, then checks them privately on your machine. 

1password watchtower 1Password

1Password’s Watchtower password monitoring service.

Other password managers tend to charge small fees for password monitoring, but who knows? It’s possible that the competitive influence of Microsoft and Google, plus Mozilla, may tug password monitoring back into a free service for years to come. 

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Mark Hachman

Mark Hachman

PC World (US online)
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Cate Bacon

Aruba Instant On AP11D

The strength of the Aruba Instant On AP11D is that the design and feature set support the modern, flexible, and mobile way of working.

Dr Prabigya Shiwakoti

Aruba Instant On AP11D

Aruba backs the AP11D up with a two-year warranty and 24/7 phone support.

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?