Please enter your password… Think about how many times a day we face this request, and we can all agree that memorizing passwords is a hassle. They're hard to remember, and we all have at least a dozen of them in order to keep our accounts secure. We already know that using a single password for everything is a bad idea.
But what happens when there is a massive data breach at one of the big companies we trust with our credentials online? When large-scale attacks hit these services, our usernames and passwords can be completely exposed. Fortunately, there is a simple way to find out whether our credentials have been compromised.
The website ‘Have I Been Pwned’ (HIBP), developed by Troy Hunt, an Australian security researcher, allows us to check whether our email addresses and usernames have been involved in any of the many data breaches we have experienced lately (Adobe, Dropbox...).
Hunt has also created a tool that approaches the problem from the opposite direction: that of passwords. The new tool, called Pwned Passwords, does the same thing, but with the difference that by entering a password, it tells us whether that password is still safe or has already been exposed in some kind of hacking incident.
There are more than 320 million passwords stored in this database (previously leaked or captured in massive hacks). But is it safe to gather all those passwords on a single website like this one?
None of the passwords is stored alongside its corresponding email or username; only the vulnerable passwords themselves are exposed, so there is no danger that this site makes the job easier for attackers. Pwned Passwords also does well to draw attention to the problem of how many of our passwords have already been identified.
So, if you check your password with the application and the result comes back red, take the opportunity to renew your whole set of passwords. You won't regret it. However, Hunt explains that the safest way to check a password is to download the entire list of leaked passwords, stored in three separate text files (more than 5 GB in total), and search it yourself. It's tedious, but it's worth it.
For added security, and to protect everyone who still uses these leaked passwords, the passwords in the list files are stored as SHA-1 hashes rather than in plain text, so you'll need to generate the SHA-1 hash of your password before searching the list for it.
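The local check described above, as an added example that is not part of the original article or of Hunt's own tooling: it computes the SHA-1 hash of a password in the upper-case hex form used in the list and streams the downloaded file line by line, so a multi-gigabyte file is never loaded into memory. The embedded `SAMPLE_LIST` is a constructed three-line stand-in for the real files (it holds the SHA-1 hashes of "password", "123456" and "qwerty"); the assumption that each line carries one hex hash, optionally followed by a colon-separated field, is mine and is tolerated defensively.

```python
import getpass
import hashlib
import sys
from typing import Dict, Iterable, List


def sha1_hex(password: str) -> str:
    """Return the upper-case hex SHA-1 digest of a password, the form used in the list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def iter_hashes(lines: Iterable[str]) -> Iterable[str]:
    """Yield one normalised hash per line, skipping blank lines.

    Assumption: a line is a 40-character hex hash; anything after a ':'
    (e.g. a count field in other releases) is ignored.
    """
    for line in lines:
        entry = line.strip().split(":")[0].upper()
        if entry:
            yield entry


def is_pwned(password: str, lines: Iterable[str]) -> bool:
    """True if the password's SHA-1 appears in the list (single password, one pass)."""
    target = sha1_hex(password)
    return any(h == target for h in iter_hashes(lines))


def check_passwords(passwords: List[str], lines: Iterable[str]) -> Dict[str, bool]:
    """Check several passwords in ONE pass over the file.

    Hashing the candidates up front and comparing each file line against the
    set means a 5 GB list is read only once, however many passwords are checked.
    """
    targets = {sha1_hex(p): p for p in passwords}
    hits = set()
    for h in iter_hashes(lines):
        if h in targets:
            hits.add(targets[h])
    # A False here means "not in this list", not "never leaked anywhere".
    return {p: (p in hits) for p in passwords}


# Constructed sample standing in for the downloaded text files:
# SHA-1("password"), SHA-1("123456"), SHA-1("qwerty"), one per line.
SAMPLE_LIST = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
7C4A8D09CA3762AF61E59520943DC26494F8941B
B1B3773A05C0ED0176787A4F1574FF0075F7521E
""".splitlines()


if __name__ == "__main__":
    # Usage: python pwned_local.py [path/to/pwned-passwords-1.0.txt]
    # With no path the constructed sample list above is used.
    pw = getpass.getpass("Password to check (not echoed): ")
    if len(sys.argv) > 1:
        with open(sys.argv[1], "r", encoding="utf-8", errors="ignore") as fh:
            found = is_pwned(pw, fh)
    else:
        found = is_pwned(pw, SAMPLE_LIST)
    print("EXPOSED: this password is in the list" if found
          else "not found in this list (which is not proof it was never leaked)")
```

The password is read with `getpass` so it never lands in the shell history or on screen, and only its hash is ever compared; running the script once per downloaded file (or concatenating the three files first) covers the whole list.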
If any of your passwords have been compromised, you may also want to consider using a password manager to store and generate your passwords.
"A quick warning about the search feature: the absence of evidence is not evidence of absence; or in other words, just because a password doesn't return a hit doesn't mean it hasn't been previously exposed," says Hunt. In other words, if our search reports that a password has not been breached, that doesn't necessarily mean it has never been leaked, only that it isn't part of the database Hunt has compiled.