How to check if your passwords have been stolen

Will Stapley

25 Oct, 2018

British Airways (380,000 leaked user accounts), MyHeritage (92 million), Equifax (143 million). Just three examples of recent – and massive – data breaches. Even combined, they represent a small proportion of the billions of accounts hacked over the past few years. A timely reminder that, no matter how careful you are with your passwords, you can’t always rely on companies being as diligent.

What you can do, however, is make your password as difficult to crack as possible, so if you are the victim of a careless company your password won’t instantly give itself up.

Despite the advent of new biometric techniques (such as fingerprint, iris and face recognition), the majority of us still tend to use passwords to verify our identity online. And if you create your own passwords using similar terms (maiden names, pets, football teams, etc) rather than randomly generate them, as soon as one password has been stolen the rest become much easier to crack.

In this feature, we look at the methods hackers use to pilfer your passwords and how you can protect yourself against them. We’ll also explain how you can find out whether any of your passwords or other personal information has been leaked in a major data breach. Sad to say, but the chances are surprisingly high.

How are passwords stolen?

Most of us have been there. Struggling to remember one of our passwords, but bashing in those we use most in the hope of striking lucky. Then we see the dreaded message ‘Too many incorrect logins – account locked’. The silver lining, you might think, to this frustrating cloud is that someone trying to hack your password would suffer a similar fate.

A locked-out message might be infuriating for you, but it’s no problem for hackers

Sadly, this isn’t how the world works. Most passwords are cracked by hackers working offline, having already ‘acquired’ a database of user accounts. They will then use various methods to crack the accounts’ passwords. The only time they’ll ever try to log into your account is when they’ve already got your password. So while a limit on login attempts helps prevent people casually trying to access your accounts, it’s useless if your account details have been leaked.

How passwords are ‘hashed’

The good news is that even hackers who have access to a database of account details can’t see the actual passwords as plain text. Any reputable website won’t ever store your password. Instead, they use an algorithm to convert it into a unique, fixed-length block of data, known as a hash.

For example, using one very popular cryptographic algorithm – SHA256, which was developed by the US National Security Agency – the much-used password ‘P@SSWOrd‘ generates a 64-character hash starting ‘BO3DDF3C…’.

This particular password will always create this unique hash, meaning a website can compare it to the hash of the password you enter when you log in – if the two match, you’re allowed in. You can see how it works by generating SHA256 hashes on the Password Generator website. Notice that when you alter a single character, the hash changes completely.

Securing passwords with a pinch of salt

Hashing lets websites store your passwords securely because it’s impossible to reverse-engineer them, but hackers can still use any number of techniques to work out your password. How easy this is depends on how complex your password is and the methods used by the website to generate its hash.

Password Generator uses the SHA256 algorithm to make unique 64-character hashes

To make it harder for hackers to use rainbow tables (databases of leaked passwords) to work out a password from its hash, most websites generate a series of random characters and add them to your password before creating the hash – a process known as ‘salting’.

Using a salt of aE92@3′ (most are far more complex than this), our earlier password of P@ssword‘ becomes ‘aE92@3P@assword‘. Because this generates a completely different hash, it’s highly unlikely it will exist in a rainbow table and will, therefore, be much harder to crack. To increase security, the website will use a different salt for each user.

How to check if your passwords have been stolen

When your passwords (or any other personal information) have been leaked, they normally end up being added to huge databases on the dark web. Trying to locate these to find out whether you’ve been a victim not only takes ages, but is also risky because they’re typically listed on criminal websites. Thankfully, there are safe websites you can use instead.

Have I Been Pwned? (HIBP) was created in 2013 by Australian security expert Troy Hunt. It’s home to a database of over five billion hacked (or ‘pwned’) email accounts from the many leaks that have occurred over the years. You can also search its database using Mozilla’s Firefox Monitor tool, launched last month.

Hacked Emails (run by US-Spanish security firm 4IQ) and BreachAlarm (run by Australian firm Avalanche), are two popular alternatives. All three sites scan for new data leaks by monitoring sites on the dark web and websites such as Pastebin, where hackers post leaked account details. This data is then combined into a single, searchable database.

The sites use similar methods to check whether an email address was part of a data breach – simply type it into the box on the home page then press Enter. While HIBP and BreachAlarm show instant results, Hacked Emails sends a link to the email address you entered, restricting you to running password scans only on addresses you can access.

According to HIBP, our email is linked with two breaches that leaked our password and more

We tested the sites using the same email address – an old Gmail account we no longer use. Both HIBP and Hacked Emails reported that it was part of the Adobe (2013) and Dropbox (2012) breaches – though the former went further by specifying the type of information that was leaked. HIBP also said the address was made available through the Onliner spambot in 2017. Both also listed several ‘unverified’ leaks from unknown sources.

In contrast, BreachAlarm simply said our email address has been leaked “at least 2 times”, with the latest being August 2016. This was disappointingly vague, but it’s still worth trying BreachAlarm because it uses different databases of leaked emails. Between all three sites, you’ll probably find out whether your email account has been hacked.

Run searches for your password

As well as email addresses, HIBP lets you check whether your password has been leaked. Head here or click the Passwords menu from the main HIBP site, then type your password.

We’ve no doubt that HIBP can be trusted, but searching your current password isn’t without risk. Although unlikely, hackers might be able to steal it if they attack HIBP and install keylogger malware.

We, therefore, recommend against using a current password. Instead, try running searches for your old passwords, or simply use it to find out how common certain passwords are. For instance, ‘654321’ has been leaked nearly one million times, while ‘P@ssw0rd’ nearly 50,000 times.

If you do check a current password and find it’s been leaked, there’s no way of telling whether it belonged to you or someone else (the simpler the password, the more it would have been used by other people). Regardless, you should still change it immediately. If the password has been seen online even just once, it will be included in rainbow tables, making it easier to crack.

What to do if your data has been leaked

If your details have been leaked, check the date of the latest breach. If you’ve yet to change your password on the attacked site, do so immediately. Hackers are aware people often just add an extra character when changing their password, so make sure it’s completely different (don’t change ‘Ilovepasta’ to ‘Ilovepasta1’). And if you’ve reused the stolen password on other sites, change them there as well.

If you get the all-clear from these sites, it doesn’t mean your personal details have never been leaked. Lots of smaller data breaches go unreported, while some companies simply aren’t aware they’ve been attacked.

The best way to protect yourself is to use strong passwords and, ideally, a password manager. Also consider signing up to HIBP’s monitoring service, which will email you if your details appear in a new leak. Click ‘Notify me’ at the top of the website, then enter the email address you want to monitor.