Password check services.



  • Does anyone have an opinion on these security services that take your password and check to see if it has been compromised? I just cant get past the idea that, aren't you simply increasing the probability that your pattern or method of building passwords is now added to the pool for analysis???? Am I being paranoid?



  • @popester said in Password check services.:

    Am I being paranoid?

    Likely, but ofc that depends on the service.



  • some of those services at least claim that they are hashing your password in the browser, and only that hash is sent to the server for comparison against other known passwords.. in that case, it's much less of an issue.



  • @popester said in Password check services.:

    Does anyone have an opinion on these security services that take your password and check to see if it has been compromised? I just cant get past the idea that, aren't you simply increasing the probability that your pattern or method of building passwords is now added to the pool for analysis???? Am I being paranoid?

    You're not completely paranoid, but your concern is pointed in the wrong direction. Those password pool analysers only have already leaked passwords in them so far as I know. If you get a match, you need to go change that password asap.



  • @travisdh1 said in Password check services.:

    @popester said in Password check services.:

    Does anyone have an opinion on these security services that take your password and check to see if it has been compromised? I just cant get past the idea that, aren't you simply increasing the probability that your pattern or method of building passwords is now added to the pool for analysis???? Am I being paranoid?

    You're not completely paranoid, but your concern is pointed in the wrong direction. Those password pool analysers only have already leaked passwords in them so far as I know. If you get a match, you need to go change that password asap.

    Sure, but those sites could also easily be a "password gathering website" because people are typing in their currently used passwords...



  • @Dashrender said in Password check services.:

    @travisdh1 said in Password check services.:

    @popester said in Password check services.:

    Does anyone have an opinion on these security services that take your password and check to see if it has been compromised? I just cant get past the idea that, aren't you simply increasing the probability that your pattern or method of building passwords is now added to the pool for analysis???? Am I being paranoid?

    You're not completely paranoid, but your concern is pointed in the wrong direction. Those password pool analysers only have already leaked passwords in them so far as I know. If you get a match, you need to go change that password asap.

    Sure, but those sites could also easily be a "password gathering website" because people are typing in their currently used passwords...

    Where have you been? Firefox and Chrome have this built in now.



  • @travisdh1 said in Password check services.:

    @Dashrender said in Password check services.:

    @travisdh1 said in Password check services.:

    @popester said in Password check services.:

    Does anyone have an opinion on these security services that take your password and check to see if it has been compromised? I just cant get past the idea that, aren't you simply increasing the probability that your pattern or method of building passwords is now added to the pool for analysis???? Am I being paranoid?

    You're not completely paranoid, but your concern is pointed in the wrong direction. Those password pool analysers only have already leaked passwords in them so far as I know. If you get a match, you need to go change that password asap.

    Sure, but those sites could also easily be a "password gathering website" because people are typing in their currently used passwords...

    Where have you been? Firefox and Chrome have this built in now.

    uh - no where - I know they have.. but the OP didn't ask about using the built in functionality - he specifically asked about websites.



  • @Dashrender said in Password check services.:

    @travisdh1 said in Password check services.:

    @Dashrender said in Password check services.:

    @travisdh1 said in Password check services.:

    @popester said in Password check services.:

    Does anyone have an opinion on these security services that take your password and check to see if it has been compromised? I just cant get past the idea that, aren't you simply increasing the probability that your pattern or method of building passwords is now added to the pool for analysis???? Am I being paranoid?

    You're not completely paranoid, but your concern is pointed in the wrong direction. Those password pool analysers only have already leaked passwords in them so far as I know. If you get a match, you need to go change that password asap.

    Sure, but those sites could also easily be a "password gathering website" because people are typing in their currently used passwords...

    Where have you been? Firefox and Chrome have this built in now.

    uh - no where - I know they have.. but the OP didn't ask about using the built in functionality - he specifically asked about websites.

    Still the same. I forget off the top of my head which is the original, but they're all sourced from the same database. Now I'm going to kick myself till I remember which website it the original/best.



  • @travisdh1 said in Password check services.:

    @Dashrender said in Password check services.:

    @travisdh1 said in Password check services.:

    @Dashrender said in Password check services.:

    @travisdh1 said in Password check services.:

    @popester said in Password check services.:

    Does anyone have an opinion on these security services that take your password and check to see if it has been compromised? I just cant get past the idea that, aren't you simply increasing the probability that your pattern or method of building passwords is now added to the pool for analysis???? Am I being paranoid?

    You're not completely paranoid, but your concern is pointed in the wrong direction. Those password pool analysers only have already leaked passwords in them so far as I know. If you get a match, you need to go change that password asap.

    Sure, but those sites could also easily be a "password gathering website" because people are typing in their currently used passwords...

    Where have you been? Firefox and Chrome have this built in now.

    uh - no where - I know they have.. but the OP didn't ask about using the built in functionality - he specifically asked about websites.

    Still the same. I forget off the top of my head which is the original, but they're all sourced from the same database. Now I'm going to kick myself till I remember which website it the original/best.

    The source database is irrelevant.

    What matters is knowing who is running the site that is comparing your password to a copy of the database.



  • For example, https://haveibeenpwned.com/Passwords?
    40760a69-b2e5-4c3f-b99c-30157b7772dc-image.png

    This one is legit. But if they did keep a list of passwords entered, it's not the end of the world, especially with 2FA/MFA, and the fact it would have to align on the correct website with the correct username/email.



  • I don't want to be that guy, but you could take the time you are spending worrying about this, and just change all of your passwords and be done with it.



  • @s-hackleman said in Password check services.:

    I don't want to be that guy, but you could take the time you are spending worrying about this, and just change all of your passwords and be done with it.

    Hell - Lastpass can do that for you for many websites.



  • @s-hackleman said in Password check services.:

    I don't want to be that guy, but you could take the time you are spending worrying about this, and just change all of your passwords and be done with it.

    The question was more for an understanding of "Could this be an issue?" @Dashrender I have been using lastpass for the past 3 years. I irritate everyone that needs to type in a password I have issued, because they are 20 char upper, lower, symbol mix. I wanted to ping the group and see if people who ask me if it is smart and legit so I could say yay or nay with confidence.
    That's all. 🙂



  • @popester said in Password check services.:

    @s-hackleman said in Password check services.:

    I don't want to be that guy, but you could take the time you are spending worrying about this, and just change all of your passwords and be done with it.

    The question was more for an understanding of "Could this be an issue?" @Dashrender I have been using lastpass for the past 3 years. I irritate everyone that needs to type in a password I have issued, because they are 20 char upper, lower, symbol mix. I wanted to ping the group and see if people who ask me if it is smart and legit so I could say yay or nay with confidence.
    That's all. 🙂

    Of course - I understand why you asked about the service - normal users might ask you, you want to have an understanding why you do or don't recommend one or more of them.


Log in to reply