How can I find if my password has been posted online?

Probably the most comprehensive database of searchable compromised accounts is haveibeenpwned.com.

If you've reused the password in multiple places then yes, you should assume that password has been compromised. I also recommend enabling two-factor authentication wherever possible, as this will reduce the risk of one account being compromised leading to other accounts being compromised.


The great news is that https://api.pwnedpasswords.com/range/ABCDE lets you achieve the goal of checking your password without exposing it to anyone.

How does it work?

https://haveibeenpwned.com/Passwords links to https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity, which describes how they offer "k-Anonymity".

Basically, instead of sending your actual password, you first generate a sha1 hash of your password and then send only the first 5 characters of that. The pwnedpasswords service will then respond with a list of hundreds of possible matches, and you then search from among those results (using the rest of the sha1 hash of your password) to see if any of those are really a match to the full hash of your password.

Using this approach, neither your password nor even the full sha1 hash of your password ever gets sent across the internet to pwnedpasswords.

P.S. As an example, the sha1 hash of "P@ssw0rd" is 21BD12DC183F740EE76F27B78EB39C8AD972A757, and https://api.pwnedpasswords.com/range/21bd1 currently shows (when you search for the rest of the hash from among the results) that it has been found leaked 52579 times.

P.P.S. There are also tools built into Windows and Mac for generating the sha1 hash of a password.
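The k-anonymity flow described in this answer, as an added Python example (not code from the answer or from haveibeenpwned): it hashes the password locally, sends only the 5-character prefix, and matches the remaining 35 characters against the returned list on the client side. The three-line range body embedded below is a constructed stand-in for the real response (which contains hundreds of lines); only the suffix and count for "P@ssw0rd" are taken from the answer above.

```python
import hashlib
import urllib.request
from typing import Optional, Tuple

# Constructed sample of a range response body in the API's SUFFIX:COUNT format.
# The middle line is the real suffix/count for "P@ssw0rd" quoted in the answer;
# the other two suffixes are made-up filler.
SAMPLE_RANGE_BODY = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3
2DC183F740EE76F27B78EB39C8AD972A757:52579
3D4F2BF07DC1BE38B20CD6E46949A1071F9:1
"""


def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest.
    The 5-char prefix is all that leaves the machine; the 35-char suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, body: str) -> int:
    """Search a range response locally for our suffix; 0 means not found."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Fetch the range for a 5-char prefix from the live API (needs network)."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    req = urllib.request.Request(url, headers={"User-Agent": "k-anonymity-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, body: Optional[str] = None) -> int:
    """Full check: hash, send prefix only (or use a supplied body), match suffix locally."""
    prefix, suffix = split_hash(password)
    if body is None:
        body = fetch_range(prefix)
    return count_in_range(suffix, body)


if __name__ == "__main__":
    prefix, _ = split_hash("P@ssw0rd")
    print("prefix sent:", prefix)  # 21BD1
    print("times seen:", pwned_count("P@ssw0rd", SAMPLE_RANGE_BODY))  # 52579
```

Calling pwned_count("P@ssw0rd") with no body performs the real range request and searches the live list the same way.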
