How to tell if any of your website passwords may have been hacked

If you're worried a password you use to log in to a site was leaked during a data breach, read about two websites and a Chrome extension that can alert you if this happens.

Press enter button on the computer. Key lock security system abstract technology world digital link cyber security on hi tech Dark blue background, Enter password to log in. lock finger Keyboard

Image: Sarayut Tanerus, Getty Images/iStockphoto

Learning a website you use has been breached or hacked is alarming--you wonder if your personal data is at risk. But you also fear that your password may have been compromised, especially if the password you use for that site was a simple one that was easily hackable. Instead of wondering and worrying, you can check out a couple of websites and one Chrome extension that can tell you if a breach occurred at a site that you use or have used in the past.

The website known as Have I been pwned? looks for hacked websites at which you have an account based on your email address. Firefox Monitor is another website that provides a similar service, though it relies on the data from Have I been pwned?. Chrome users can install an extension called Password Checkup, which tells you on the fly if the password for your current site was detected in a data breach. Several of the major password managers also offer their own tools to determine if your password may have been caught in a breach. But Have I been pwned?, Firefox Monitor, and Chrome's Password Checkup work independently of any specific password managers.

SEE: How to reduce user account lockouts and password resets (free PDF) (TechRepublic)

Have I been pwned?

Fire up your browser and surf to the website for Have I been pwned?.The site works by scanning your email address to see if it was used at any sites involved in a data breach. Enter your email address and click the pwned button (Figure A).

Figure A


Scroll down, and the page lists any breaches at sites for which your email address was on file. This by itself does not mean that your password was necessarily leaked or hacked, merely that your email address was discovered at a site that was breached. Some of the reported breaches may be old, and some will be more recent. Read the description of each breach. In some cases, the site may have already forced users to reset their passwords. If you're unsure whether you already changed your password in response to the breach at a given site, then you should sign into that site and reset your password (Figure B).

Figure B


Beyond helping you find breaches in which your email address surfaced, Have I been pwned? offers information about breaches in general. The site lists the largest breaches as well as recent breaches. You can search by domain to look for breaches that may have hit an entire organization. You can search for pwned passwords; however, you should avoid entering one of your own passwords--instead, you can download a list of hacked passwords and see if one of yours is on the list. You can subscribe to a notification service to be alerted if your email address is ever caught in a new breach (Figure C).

Figure C


Firefox Monitor

Firefox Monitor is another site that displays breaches in which your email address appeared. You don't need Firefox to use the site--you can access the service from any browser, such as Chrome or Microsoft Edge. Firefox Monitor gets its breach data directly from Have I been pwned?, so there's no true advantage to using this site over Have I been pwned?, though Firefox Monitor does offer security tips and other helpful information. Type your email address in the appropriate field and click on the button to Check For Breaches (Figure D).

Figure D


In response, the page displays any breaches in which your email address appeared. Click the link for More About This Breach to get more details on a specific breach (Figure E).

Figure E


At Firefox Monitor, you can sign up for breach monitoring alerts, though that requires a Firefox account. To set this up, click the button to Sign Up For Alerts at the bottom of the Firefox Monitor page. Create or sign in to your Firefox account. Click the button to Manage Email Addresses. Make sure the box to Send Breach Alerts To The Affected Email Address is checked (Figure F).

Figure F 


Password Checkup Chrome extension

If you use Chrome, you may want to try out an extension called Password Checkup. Available at the Chrome Web Store, Password Checkup alerts you if you sign in to a website with a password that Google detects as having been exposed in a data breach.

The extension's toolbar icon turns red and flashes a message indicating that a certain password may no longer be safe due to a breach. The message points you to the site or sites in question where you can go to change your password. The downside with Password Checkup is that it only checks for potentially leaked passwords when you actually try to sign in to a specific site, so you won't know if your password may have been compromised unless you sign in to a hacked site. Still, the tool can serve as one more weapon in your arsenal against leaked passwords (Figure G).

Figure G


Also see