Check If Your Passwords Are Already For Sale
Most accounts do not get broken into. They get opened with a password that leaked somewhere else and got reused. Billions of email-and-password pairs sit in public breach dumps right now, and the only question that matters is whether yours is one of them. This takes two minutes to check and ten to fix for good. Defensive and self-only: check your own addresses and your family's, then lock them down.
Step 1: Check your email against the breaches
Have I Been Pwned holds the public breach dumps in one searchable place. Put in your email and it lists every known breach it has appeared in, the date, and exactly what leaked each time: password, phone, date of birth, address. Check every email you use; an old address matters as much as the current one.
haveibeenpwned.com
Step 2: Read the result honestly
Green and clean: good, keep the habits below anyway. Listed in one or more breaches: assume any password you used on those sites is public, and assume anywhere you reused it is now reachable. That is the real risk. Not the old site itself, but everywhere you typed the same password. Make a mental list of those places; you are about to fix them.
Step 3: Check the passwords themselves
Have I Been Pwned has a second tool, Pwned Passwords, that tells you whether a specific password has ever appeared in a breach without ever sending the real password: it checks by a partial fingerprint of the password's hash, so the service never learns which password you asked about. If a password you still use comes back as seen, it is burned. Retire it everywhere.
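Here is how that partial-fingerprint check works, as an added example rather than code from the page or from Have I Been Pwned itself: the password is hashed with SHA-1, only the first five hex characters of the hash are sent, the service answers with every hash suffix it knows under that prefix, and the comparison happens on your machine. The range response below is constructed for this example (the suffixes and counts are made up), so it runs offline.

```python
"""Offline demonstration of the Pwned Passwords k-anonymity range check."""
import hashlib
import urllib.request


def hash_split(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest.

    Only the 5-character prefix ever leaves the machine; the 35-character
    suffix stays local and is matched against the service's reply.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines returned for one prefix."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """How many times the password was seen in breaches (0 = not seen)."""
    prefix, suffix = hash_split(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6 (not real API data).
# The middle suffix is the real SHA-1 tail of "password"; the counts and
# the other two suffixes are invented for this example.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1",
    ]),
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call; unknown prefixes return no rows."""
    return SAMPLE_RANGES.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """Real lookup against the public range endpoint (network required)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")
```

Swap `offline_fetch` for `live_fetch` in `pwned_count` to query the real service; either way the full hash never leaves your machine.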
haveibeenpwned.com/Passwords
The two-minute lockdown
You do not need to fix every account tonight. You need to make the leaked ones useless. In order of payoff:
1. Get a password manager. Bitwarden is free and good. It generates and remembers a different password for every site, which is the entire fix; reuse is the actual problem.
2. Change the email password first. Your email is the master key, every reset-password link lands there. Make it long, unique, and stored in the manager.
3. Turn on two-factor everywhere it is offered. Prefer an authenticator app over text-message codes; SIM swapping makes texts the weakest kind.
4. Use passkeys where you can. They cannot be phished or leaked the way passwords are, and most big services now support them.
The one account to protect above all
If you do nothing else, lock your primary email. It is the recovery address for everything you own, so whoever controls it controls your bank, your socials, your cloud. Give it a unique long password, authenticator-based two-factor, and check the recent-activity and forwarding settings while you are in there. Everything else is downstream of this one.
