    How to know if your password has been stolen

    Who I am
    Pau Monfort
    @paumonfort


    Following the news that a list containing hundreds of millions of stolen usernames and passwords had appeared online, here are a few ways to find out whether your credentials were exposed in that leak or in any other security breach.


    In mid-January 2019, researcher Troy Hunt revealed that a list was being passed around on the MEGA cloud storage service and on several hacking forums. Named Collection #1, it is the largest aggregated credential dump published to date: roughly 773 million unique email addresses and about 21 million unique passwords, collected from many different breaches.



    Whenever we hear of something like this, it is natural to wonder whether the email addresses and passwords we use to log into our accounts are among them, or whether they have been stolen in some other intrusion or security breach.

    Finding out whether our credentials have been stolen also tells us something about whether the passwords we choose when signing up for a new service, or when updating an existing password, are good enough. In this article we explain how to find out whether your email address or password has been leaked, and how to check whether the passwords you are choosing are safe.


    The first service we'll look at is Have I Been Pwned. It lets you check whether your email address appears in one of the many lists of leaked email addresses and passwords circulating online. Its database is kept very up to date and includes credentials from recent breaches.


    On entering the site, a visitor sees that its database covers over 6 billion breached accounts.


    We checked an email address and, unfortunately, found that the address we entered had indeed been leaked. Scrolling down the page, we saw more detail on which breached services had exposed the email address we checked.


    For example, there are well-known cases such as the LinkedIn and Taringa data breaches, as well as some of the combined lists that regularly circulate and contain data collected from many different websites.

    Once we know, what can we do?

    It goes without saying that we should change our passwords on the websites listed. But because it is so common for people to reuse the same credentials on more than one website or service, we also need to change the stolen password everywhere else we used it. Once a password is in someone else's hands, we cannot know how many different websites they will try to log into with those credentials (a technique known as credential stuffing).


    When it comes to choosing a new password, the same website offers another very useful tool: Pwned Passwords.

    This time, the website reports how many times the entered password has appeared in leaked data sets.

    If we enter some of the passwords that routinely appear in rankings of the most used passwords, we get the following results, hard as they are to believe:

    Password          Number of times it has appeared in leaks
    123456            23,174,662
    password           3,645,804
    QWERTY             3,810,555
    111111             3,093,220
    Google               183,778
    Facebook              64,811
    !A3Z6B:9#S.2               0

    As we can see, a truly random password is very unlikely to match any of the stolen or leaked data, which means it has probably never been used by anyone else and has never been cracked. This gives a good idea of what makes a password secure, or at least less likely to end up in someone else's hands. One caveat: a count of zero only means the password is not in any known breach, not that it is strong; a short or predictable password that happens not to have leaked yet is still easy to guess.




    Another important thing to keep in mind when choosing a secure password, besides checking whether it appears in a leaked password database, is to follow good practice:

    • Use a combination of alphanumeric characters
    • Use special characters
    • It should be at least 8 characters long (and more than 10 gives you even more margin against a brute force attack, since every extra character multiplies the number of guesses an attacker has to make)
    • Also, consider using two-factor authentication, which adds a second level of security in addition to your chosen password.

    But the most important thing is that it is easy to remember. If, because we struggle to remember all our passwords, we write one down on a piece of paper or, worse still, stick it under the monitor or "hide" it somewhere we consider safe, all the other security measures we have taken become useless.

    For users of a password manager such as KeePass, which can generate stronger passwords and store them encrypted inside the manager itself, there is a way to compare every password stored in the vault against the Have I Been Pwned database, thanks to a tool published on GitHub.

    The tool is called kdbxpasswordpwned and it automatically checks every password stored in your KeePass database against the leaked password database.

    Although the application is aimed at users with above average technical knowledge, the following detailed instructions should help make it easier to use.


    • First, install the tool on your system (which must already have Python and pip installed) with the following command:

    $ pip install kdbxpasswordpwned

    • Once installed, go to the directory containing your .kdbx file (.kdbx is the KeePass database format) and run:

    $ kdbxpasswordpwned passkeys.kdbx

    As you would expect, it asks for the master password of the encrypted database so that it can open it and check each stored password. In our test run, two of the example passwords we had stored came back as hits; if these had been real passwords, that should prompt us to change them immediately on the services where we use them. Note that the Pwned Passwords API is designed so that the password itself never leaves your machine: the client sends only the first five characters of the password's SHA-1 hash, receives every known hash suffix in that range, and does the final comparison locally.
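    The following is an added example, not code from this article or from the kdbxpasswordpwned project. It shows the k-anonymity range lookup that both the Pwned Passwords web check described earlier and a vault checker like kdbxpasswordpwned rely on: hash the password with SHA-1, send only the first five hex characters to https://api.pwnedpasswords.com/range/, and match the remaining 35 characters locally against the returned "SUFFIX:COUNT" lines. The API URL and response format are the real ones; the sample response bodies and the fetch_range_offline helper are constructed here so the example runs without network access (the counts are taken from the table above purely for illustration, and one filler suffix is invented). Replace fetch_range_offline with fetch_range_online to query the live service.

```python
import hashlib
import urllib.request

# Real Pwned Passwords range endpoint (k-anonymity model): the client sends only
# the 5-character hash prefix; the server returns every suffix in that range.
API_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the API and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_online(prefix):
    """Live lookup: GET https://api.pwnedpasswords.com/range/<prefix>."""
    req = urllib.request.Request(
        API_RANGE_URL + prefix,
        headers={"User-Agent": "pwned-passwords-example"},  # assumed, any UA string works
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range_response(body):
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF and blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetch_range=fetch_range_online):
    """How many times the password appears in Pwned Passwords (0 = never seen).
    Only the hash prefix is transmitted; the suffix comparison happens here."""
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def check_passwords(passwords, fetch_range=fetch_range_online):
    """What a vault checker does over every entry: return {password: count} for hits.
    Ranges are fetched once per prefix so many entries cost few requests."""
    cache = {}
    hits = {}
    for pw in passwords:
        prefix, suffix = sha1_prefix_suffix(pw)
        if prefix not in cache:
            cache[prefix] = parse_range_response(fetch_range(prefix))
        n = cache[prefix].get(suffix, 0)
        if n > 0:
            hits[pw] = n
    return hits


# CONSTRUCTED sample responses standing in for the API so the example runs offline.
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
# SHA-1("123456")   = 7C4A8D09CA3762AF61E59520943DC26494F8941B
# The first suffix under 5BAA6 is invented filler; real bodies hold hundreds of lines.
SAMPLE_RANGES = {
    "5BAA6": "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3645804\r\n",
    "7C4A8": "D09CA3762AF61E59520943DC26494F8941B:23174662\r\n",
}


def fetch_range_offline(prefix):
    """Offline stand-in for fetch_range_online using the constructed sample data."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    # Mimics a vault check over three stored passwords, entirely offline.
    vault = ["password", "123456", "!A3Z6B:9#S.2"]
    for pw, n in check_passwords(vault, fetch_range_offline).items():
        print(f"{pw!r} seen {n} times in leaks: change it")
```

    Switching fetch_range_offline for fetch_range_online is the only change needed to check real passwords, and a packet capture of that run will show nothing but 5-character prefixes going to the API.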

    One last tip for this post (because it is always worth paying attention to what cybercriminals do with the information they obtain): be wary of emails in which the sender tries to extort money from you by claiming to have your passwords.

    We have noticed that sextortion scam campaigns are still running: the recipient receives an email that quotes one of their real passwords (in the subject line or in the first few lines of the body) and demands a payment. The password is almost always taken from an old leak like the ones described above, and the claims in the message are bluff; the right response is to change that password wherever it is still in use, not to pay.

    Remember to change your passwords regularly, even if the applications and services you use don't ask, and use two-factor authentication for services that allow it. This way, you can keep your personal data more secure and reduce the chances of someone else having access to it.
