How we protect ourselves online keeps evolving, as do the threats to our online safety. Passkeys, 2FA, authenticator apps, and other digital security tools are great for securing our accounts, but passwords remain the number one fan favorite. Even the best and most sophisticated Android phones fall back on simple passwords when biometrics fail. But what happens when those passwords get hacked? Here's how to find out if your password has been leaked online.

Head over to Have I Been Pwned

Head over to Have I Been Pwned

Have I Been Pwned is a trustworthy site created in 2013 by Troy Hunt, a Microsoft regional director and MVP. He is popular in cybersecurity for uncovering data breaches and educating technology professionals. And with details of almost 11 billion compromised accounts, his tool is the most popular way to determine if your password is safe.

Using the service is easy. Visit the Have I Been Pwned website on your favorite PC or smartphone browser and enter your email address or phone number (with the country code). Within seconds, it returns the details of data breaches where your credentials were compromised.

Have I Been Pwned has a few other nifty tools that ensure your credentials are secure. For example, the password checker allows you to reverse engineer the process and enter your passwords to check if they've been compromised. Domain owners can check the safety of all emails associated with their domain name with a single click using the Domain search service.

Overall, the tool is safe to use. Even for compromised accounts, the corresponding passwords are not stored in the database, reducing the risk of further compromise. Implementing a mathematical property called k-anonymity and the help of Cloudflare means your inputs into the tool are secure.

Use the built-in checker tool in password managers

Password managers are the best way to secure your online accounts. They suggest and store security codes in encrypted databases, ensuring you don't have to repeat or remember a code. Many password managers allow you to check the status of your codes to find out whether they're safe or compromised. Google's Password Manager, for example, has a password checkup feature to diagnose issues with your passwords. Here's how to check if your passwords have been leaked on Google Chrome:

  1. Open Chrome and log in to your Google account.
  2. Click the three dots in the upper-right corner.
  3. Choose Settings.
    Google Chrome with a red arrow pointing to the three dots and another red arrow pointing to Settings in a drop down menu.
  4. Select Privacy and security in the left menu.
  5. Click the blue Check Now button under Safety Check.
    The Google Chrome Privacy and security menu.

Chrome scans your saved passwords and looks for known leaks. The system displays alerts here, so stay on this page while it works its magic.

The Google Chrome safety check in action.

Another option is Dashlane, which provides dark web and password health monitoring.

A notable password manager is 1Password, which automatically runs background checks on your passwords and warns you of any compromise. This is due to the built-in Watchtower feature, which runs on Pwned Passwords' API. Like Pwned Passwords, it's updated when a new security breach is reported and added to the Have I Been Pwned database. And if any of your passwords are found in such a breach, you're alerted immediately.

Inspect your accounts for suspicious activities

Password managers and tools like Have I Been Pwned are good for catching account breaches before they escalate. However, most social accounts regularly send activity information that may uncover potential compromises. Google, for example, alerts you for a password change or when an unknown device signs in to your account. Always review such emails and take appropriate action where necessary.

Google Chrome has several security and privacy features. If you use it as your default browser, pay attention to pop-ups when you enter your passwords online. That's because the app can tap into a database of billions of reported breaches to warn you of a compromise as soon as you log in to a site.

Secure your accounts and passwords

Passwords have been with us since the beginning of the internet in the early 1990s, and they'll continue to be the primary method we use to secure our accounts. Things might change. Google, Apple, and Microsoft are slowly rolling out a new system called passkeys, which creates a nearly unhackable and unleakable security barrier. Passkeys are easier than passwords, as there is nothing to remember. We have a great explainer of these new security measures you can read.

In the meantime, don't reuse the same password for all your accounts. You can use a password manager to help you with this or let Google Chrome manage your passwords. Finally, if you must use the same passwords, secure them with two-factor authentication (2FA). It's a wild world out there on the web.