Quick Links

Key Takeaways

Use Have I Been Pwned? to see if one of your email addresses or usernames is part of a leak, or to check whether a password appears in a leaked database. Password managers like 1Password, Bitwarden, and Dashlane have this feature built-in, too.

Many websites have leaked passwords. Attackers can download databases of usernames and passwords and use them to "hack" your accounts. This is why you shouldn't reuse passwords for important websites, because a leak by one site can give attackers everything they need to sign into other accounts.

Have I Been Pwned?

Troy Hunt's Have I Been Pwned website maintains a database of username and password combinations from public leaks. These are taken from publicly available breaches that can be found via various sites on the web, or dark web. This database just makes it easier to check them yourself without visiting the sketchier parts of the web.

To use this tool, head to the main Have I Been Pwned? page and search for a username or email address. The results tell you whether your username or email address has ever appeared in a leaked database. Repeat this process to check multiple email addresses or usernames. You'll see which leaked password dumps your email address or username appears in, which in turn gives you information about passwords that might have been compromised.

If you want to get an email notification should your email address or username appear in a future leak, click the "Notify me" link at the top of the page and enter your email address.

The Have I Been Pwned? website saying an account is pwned.

You can also search for a password to see whether it has ever appeared in a leak. Head to the Pwned Passwords page on the Have I Been Pwned? website, type a password in the box, and then click the "pwned?" button. You'll see whether the password is in one of these databases and how many times it's been seen. Repeat this as many times as you like to check additional passwords.

We strongly recommend against typing your password on third-party websites that ask you for it. These can be used to steal your password if the website isn't honest. We recommend you only use the Have I Been Pwned? site, which is widely trusted and explains how your password is protected. In fact, 1Password, which is one of the best password managers, now has a button that uses the same API as the website, so it will send hashed copies of your passwords to this service, too. If you want to check whether your password has been leaked, this is the service you should do it with.

Have I Been Pwned? showing a password hasn't been leaked.

If an important password you use has been leaked, we recommend changing it immediately. You should use a password manager so it's easy to set strong, unique passwords for each important site you use. Two-factor authentication can also help protect your critical accounts, as it will prevent attacks from getting into them without an additional security code---even if they know the password.

1Password Watchtower

1Password, one of our favorite password managers, can now check whether your passwords have been leaked, too. In fact, 1Password uses the same Have I Been Pwned? service we covered above.

This is part of the 1Password Watchtower feature. To find it, open the 1Password app on your Windows PC, Mac, iPhone, iPad, Android phone, or whatever other device you use. Click the "Watchtower" option in the sidebar on a computer or tap the "Watchtower" button in the app.

1Password will check the Have I Been Pwned? database and inform you about any passwords that may be compromised. They'll be highlighted by a big red "Compromised Websites" message; click or tap the message to see the passwords you should change.

(Check out our 1Password review for more information about Watchtower and 1Password's other features.)

1Password's Watchtower showing a comrpomised password.

Bitwarden, Dashlane, and KeePassXC

Other top password managers have similar features that use the Have I Been Pwned? database. Here are a few:

  • Bitwarden: In Bitwarden, sign into your web vault, click "Reports" at the top of the page, and click "Data Breach Report." Your passwords will be checked against Have I Been Pwned?. (Take a look at our Bitwarden review for more details about Bitwarden.)
  • Dashlane: In Dashlane, open the "Tools" menu and select "Password Health." Dashlane will show you which passwords are "compromised." (Read our Dashlane review for more information about its features.)
  • KeePassXC: KeePassXC's developers think this feature isn't necessary and that you'd be better off looking up usernames and emails instead of your passwords in the database---here's KeePassXC's argument. You can look up usernames and email addresses from the Have I Been Pwned? website. There are some third-party extensions online that add Have I Been Pwned? lookup support to KeePassXC, but we haven't tested them and can't comment on whether they are secure and safe to use. As always when dealing with passwords, be careful what software you trust.

The most important thing you can do is to not reuse passwords, at least for important websites. Your email, online banking, shopping, social media, business, and other critical accounts should all have their own unique passwords, so a leak by one website doesn't put any other accounts at risk. Password managers help make strong unique passwords possible, ensuring you don't have to remember a hundred different passwords.