In the modern world, data breaches happen with startling regularity. They can happen to giant credit monitoring firms, social networks, or the fast food restaurant down the street. In late 2017, a security research firm found 1.4 billion stolen usernames and passwords floating around unencrypted on the Dark Web, giving even the most unsophisticated hackers a shot at your online accounts. In many cases, you may not realize that your account has been compromised.
As CNET reports, a security tool called Pwned Passwords can help you figure out, with a simple search, which of your passwords have already been leaked. Created by a regional director at Microsoft named Troy Hunt in August 2017, the free site is designed to make it as easy as possible to check the security of your online accounts. It's as simple as entering your password into the search bar. In February 2018, Hunt updated his original site to include passwords from more major breaches. The database now features half a billion passwords that have been leaked as part of hacks on sites like MySpace, LinkedIn, Dropbox, and Gawker. Some are sourced from breaches you may not have even heard of, but which still contained your information.
"Data breaches are rampant and many people don't appreciate the scale or frequency with which they occur," Hunt writes on the site. When he analyzes the user credentials leaked after big hacks like the one on Adobe in 2013, he finds that he keeps seeing the "same accounts exposed over and over again, often with the same passwords." And once a password has been leaked, every other account you use that password for is at risk, too.
So if you're one of those people who uses the same password for multiple accounts—we know, it's hard to remember a different password for every website you ever visit—now would be a good time to see whether that password has ever been part of a data breach. Pwned Passwords will tell you if your password has been revealed as part of any major data breaches, and which ones. (CNET advises against searching your current passwords, since revealing that info to third parties is never a good idea, but checking old passwords you no longer use is OK.)
I, for one, searched a standard password I've been using for a steady rotation of online accounts since high school, and found out it has been spotted 135 different times as part of data breaches. Oh boy. (Presumably, those might not all be related to my accounts, instead coming from other people out there in the world who base their passwords off tidbits from The Fairly OddParents, but who knows.)
If, like mine, your passwords show up on Pwned Passwords, you should update them as soon as possible. (Here are some good tips on coming up with secure ones. Maybe don't use "password.") This would also be a good time to get yourself a password manager, like LastPass or 1Password.
The latter service actually has a Pwned Passwords integration, so you can check each of the passwords stored in 1Password against Pwned Passwords. If you use LastPass, the service's security checkup can also search for potential data breaches in your roster, but it looks for leaked usernames, not passwords.