One of the best things about having a solid password is that you don’t have to change it. If it’s strong, unique and hasn’t been compromised by an attacker, you gain no security benefits by modifying it according to some arbitrary timetable. Just let it be.
What you should be tracking is whether any of your passwords have been compromised during one of the many data breaches that have been making headlines recently — or before that.
Obviously, after a widespread data breach, changing your affected password should be a top priority. But a lot of people don’t do this. According to the latest research from Google:
“…we implement a cloud service that mediates access to over 4 billion credentials found in breaches and a Chrome extension serving as an initial client. Based on anonymous telemetry from nearly 670,000 users and 21 million logins, we find that 1.5% of logins on the web involve breached credentials. By alerting users to this breach status, 26% of our warnings result in users migrating to a new password, at least as strong as the original.”
I’m not sure why a person wouldn’t change their password when they find out it was compromised, but maybe the message isn’t clear enough. Worse, imagine all the compromised passwords people aren’t checking — you aren’t going to change that which you don’t perceive to be broken, after all.
While the first part of that paragraph is completely on you, we can help out with the second half. There are plenty of tools you can use (free or paid) to alert you that it might be time to change your password. Here are a few of our favourites—please pick one, or many, to use right now.
If you’re a Chrome fan—most people are—consider installing Google’s Password Checkup extension. It’ll sit in the background of your browser and do nothing of importance until you go to log into a website. When you do, it’ll check to see if your account credentials have been previously leaked in a data breach. If so, it’ll let you know that it’s time to change your password, and you should definitely take it up on its advice.
And, no, this extension isn’t going to reveal your passwords by checking them. As Google writes:
“We designed Password Checkup with privacy-preserving technologies to never reveal this personal information to Google. We also designed Password Checkup to prevent an attacker from abusing Password Checkup to reveal unsafe usernames and passwords. Finally, all statistics reported by the extension are anonymous. These metrics include the number of lookups that surface an unsafe credential, whether an alert leads to a password change, and the web domain involved for improving site compatibility.”
This one’s even easier. Send your email address over to Have I Been Pwned via the site’s “notify me” feature, and you’ll get a warning whenever your email address (and anything associated with it) appears in a breach. There’s no reason not to use this free service, unless you’re the secretive type and use a different email address for each service. If so, consider using a third-party service like Badrap to check multiple accounts against Have I Been Pwned’s database.
And we almost don’t need to say it, but we’re going to say it: When you get an email that your account was involved in a breach, please go change your password for that service. Make it a unique password; make it a strong password. And change that password on other services if you’ve been lazy and used the same password for everything.
Here’s a not-so-big secret: Firefox Monitor offers the same kind of “notify me if my email is involved in a data breach” service as Have I Been Pwned. In fact, it uses Have I Been Pwned’s database, too.
Even though Firefox Monitor is basically a reskinned version of Have I Been Pwned, it’s still worth knowing about. If you’re a huge Firefox fan and that is the single reason that convinces you to sign up for this useful service, all the better.
If you pay for 1Password — and you should, since it’s a great password manager — you get access to its Watchtower feature. There’s no reason not to pay attention to this critical service, as it will alert you whenever passwords you’ve used are present in, you guessed it, Have I Been Pwned’s database of breaches. That’s a little different (and more useful) than just looking up whether your email address was involved in a breach.
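To make concrete what “check my password without revealing it” means, both for the privacy claim quoted from Google above and for a Watchtower-style check against Have I Been Pwned’s database, here is an added example that is not code from the article, Google, 1Password or Have I Been Pwned. It implements the k-anonymity range lookup that Have I Been Pwned’s Pwned Passwords API uses (send only the first five hex characters of the SHA-1 hash, finish the comparison locally) against a small constructed corpus standing in for the real service; Google’s Password Checkup uses its own protocol, which is not reproduced here.

```python
"""k-anonymity password breach lookup (added example, runs offline).

The client hashes the password with SHA-1, sends ONLY the first 5 hex
characters, receives every known hash suffix in that range, and matches
the remaining 35 characters locally. The server learns a 5-character
prefix shared by roughly 1/16^5 of all passwords, never the password or
its full hash. The "server" here is an in-memory stand-in.
"""
import hashlib

# Constructed breach corpus: password -> occurrence count. Sample values
# for this example only, not real breach data.
_CORPUS = {
    "password": 3_000_000,
    "123456": 5_000_000,
    "qwerty": 900_000,
    "letmein": 120_000,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the format the range API works in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_response(prefix: str) -> str:
    """Stand-in for GET /range/{prefix}: 'SUFFIX:COUNT' lines, one per
    corpus hash whose SHA-1 starts with the 5-char prefix."""
    if len(prefix) != 5:
        raise ValueError("range query takes exactly 5 hex characters")
    lines = []
    for pw, count in _CORPUS.items():
        h = sha1_hex(pw)
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{count}")
    return "\n".join(lines)


def check_password(password: str) -> tuple[str, int]:
    """Return (what was sent to the server, breach count; 0 if absent).

    Everything after the prefix stays on the client."""
    full = sha1_hex(password)
    prefix, suffix = full[:5], full[5:]
    for line in range_response(prefix).splitlines():
        if not line:
            continue
        candidate, count = line.split(":")
        if candidate == suffix:
            return prefix, int(count)
    return prefix, 0
```

Any non-zero count means the password is in the corpus and should be replaced, which is the same signal Watchtower and similar tools act on.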
You can also quickly see if any services you use were themselves involved in a data breach, a good encouragement to change your password even if you weren’t directly affected by an attack.
Like similar tools, this one from Germany’s Hasso Plattner Institute only requires you to enter your email address. If that email is associated with any kind of data breach, you’ll receive an emailed report to let you know.
This tool isn’t an active monitoring solution, but it’s useful to see where your account details have been previously compromised. Since it takes all of a second to run, it shouldn’t be a big burden when you’re trying to get a comprehensive picture of account passwords you might need to change.