• Fred Langa: Use Google’s new Password Checker extension for Chrome to see if your passwords have been compromised

    #322512

    Fred’s at it again. His latest Langa.com article talks about a new Chrome extension that specifically checks to see if the password you’re entering ha
    [See the full post at: Fred Langa: Use Google’s new Password Checker extension for Chrome to see if your passwords have been compromised]

    4 users thanked author for this post.
    • #322553

      I don’t personally like those sites/apps where you have to hand them your email address and password to see if they’ve been compromised – it’s so easy for that process to go horribly wrong.

      As for this particular process, I guess much depends on how much trust you place in Google!

      5 users thanked author for this post.
    • #322574

      I agree….that info is best kept, and not given out to anyone. Who knows where it could end up at.

      1 user thanked author for this post.
    • #322575

      What does it mean a password is compromised?

      • #322637

        It means the password has been exposed to hackers at some point – usually through a major data breach of a website.

        Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.

    • #322594

      I just installed it and it says that none of my passwords have turned up in any Breaches. As to trusting Google, I use “Save Passwords” for certain sites so there’s already a certain amount of trust involved and it’s nice to know that none of those saved passwords are compromised.

      Don't take yourself so seriously, no one else does 🙂
      All W10 Pro at 22H2,(2 Desktops, 1 Laptop).

    • #322631

      I don’t use any browser password manager. Passwords stored in browsers just seem too vulnerable to hacking. I use KeePass 2.x only. It may not be as convenient as a browser password manager but it is a smaller attack surface.

      As for checking passwords against breach databases, I use a plug-in for KeePass 2.x called HIBP Offline Check. See gHacks: https://www.ghacks.net/2019/01/18/check-all-keepass-passwords-against-the-have-i-been-pwned-database-locally/

      I keep a watch for updates to the breach database, download updated database and check all my passwords LOCALLY.

      I just don’t trust Google. They’ve broken trust one too many times. https://www.msn.com/en-us/news/technology/google-has-quietly-dropped-ban-on-personally-identifiable-web-tracking/ar-BBTdBQR

      Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.

      7 users thanked author for this post.
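The local check described in the post above, as an added example (it is not part of the thread and is not the HIBP Offline Check plug-in's code). It assumes a downloaded text file of `SHA1:count` lines sorted by hash and binary-searches it by byte offset, so no password or hash leaves the machine; the sample list, counts and vault entries are constructed.

```python
import hashlib
import io


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, used as the lookup key in the hash list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample data: four well-known weak passwords with made-up counts,
# laid out as "SHA1HEX:count" lines sorted by hash (assumed file layout).
SAMPLE_ENTRIES = [("password", 9001), ("123456", 8002), ("qwerty", 7003), ("letmein", 4321)]
SAMPLE_DB = "".join(
    line + "\r\n" for line in sorted(f"{sha1_hex(p)}:{c}" for p, c in SAMPLE_ENTRIES)
).encode("ascii")


def lookup(db, target_hash: str) -> int:
    """Binary-search a seekable, hash-sorted binary file; return the count or 0."""
    target = target_hash.encode("ascii")
    db.seek(0, io.SEEK_END)
    lo, hi = 0, db.tell()          # the matching line, if any, starts in [lo, hi)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid > 0:
            db.seek(mid - 1)
            db.readline()          # move to the first line starting at or after mid
        else:
            db.seek(0)
        pos = db.tell()
        line = db.readline()
        if not line:               # no line starts at or after mid
            hi = mid
            continue
        digest, _, count = line.rstrip(b"\r\n").partition(b":")
        if digest == target:
            return int(count)
        if digest < target:
            lo = pos + len(line)   # continue after this line
        else:
            hi = mid
    return 0


def audit(vault: dict, db) -> dict:
    """Map entry name -> breach count for each vault password found in the list."""
    hits = {}
    for name, password in vault.items():
        count = lookup(db, sha1_hex(password))
        if count:
            hits[name] = count     # report the entry name only, never the password
    return hits


# Constructed vault contents for the demonstration.
VAULT = {"example-forum": "letmein", "example-bank": "Xq7#vT2m!pL9zR4w"}

if __name__ == "__main__":
    for name, count in audit(VAULT, io.BytesIO(SAMPLE_DB)).items():
        print(f"{name}: password appears {count} times in the breach list, change it")
```

For a real list, pass a file opened in binary mode (`open(path, "rb")`) instead of the in-memory sample.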
    • #322652

      I am too paranoid to use those tools… I change my pw, here and there, I can’t trust nobody! But I do use the email feature, HaveIbeenhacked.

      1 user thanked author for this post.
    • #322671

      Thanks for the comments, guys!

      I understand the uneasiness of asking a Google product to explicitly examine your passwords. But if Google wanted that information, they could get it from Chrome, the password manager, auto-fill, page caching and prediction, the Google DNS service, etc etc etc…

      I just don’t see any special, additional hazard in this service; and there is a potential benefit.

      2 users thanked author for this post.
      • #322680

        Thanks.

        Has it ever been established how secure extensions are as compared with the base browser? Do browser updates include security updates to your extensions or only to the browser?

        • #322834

          It varies by the type of extension, who wrote the extension and when, and how up to date your browser is. Among many other factors. Bottom line is, many, many times over the years, big purges have had to happen in Chrome Extensions to weed out truly malicious extensions. The Store is simply not that well curated and vetted. I do not trust Chrome extensions with any personal info. In fact, I use one extension, Click and Clean (HotCleaner) to remove all traces which can be removed easily, every time I close Chrome. I store nothing, absolutely NOTHING in my browsers on purpose.

          -- rc primak

          1 user thanked author for this post.
      • #322735

        I don’t use Chrome. I don’t use Google Search. I do use NoScript and uBlock Origin to block all things Google (except in rare cases).  Plus I use several other privacy extensions and browser settings/tweaks. I don’t use browser password features or predictive searches or autofill. I don’t have an Android smartphone. Etc.

        For me, convenience is not worth paying for with surveillance. Understanding and due diligence are the best defenses, imperfect though they may be. Just because motivated burglars can break into your house in many different ways, doesn’t mean one should leave all the doors and windows unlocked.   😉   ymmv.

        1 user thanked author for this post.
    • #322684

      Ahem … call me paranoid, but to give google even more than they take from you now without your permission?  I think not. We as computer dummies (collectively) look to the likes of Woody, Fred et al, for guidance on how to prevent dissimulation of our personal information. I would think passwords fall into that category. Better mouse trap my foot, just another trap that when sprung they say, Ooops, sorry about that folks, won’t happen again.

      How many times have we been warned that once it’s out there, no do overs. Meanwhile WE suffer any possible consequences, and the clean up is left to the unwashed masses. I would have about as much trust/faith in this (expletive deleted) as I do in Microsoft’s Edge browser extension, NewsGuard. Yeah, right, laughed myself to sleep over that one.

      No thank you. Needless to say I don’t trust google. (but I will say it)
       
      ymmv, My guess is that people who read websites such as this already know how to manage their PW’s and know enough to change them often on data sensitive sites they visit, or they should.

      … but perhaps I should have posted this in the ‘rants’ section. Ooops, won’t happen again, I promise. 🙂

      4 users thanked author for this post.
      • #322710

        Google doesn’t receive your passwords by means of this check extension, but I wonder why it needs a sign-in to a Google account?

        Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

        1 user thanked author for this post.
        • #322836

          So that they can track you after you use their extension. That’s why. Among other reasons. None any prettier.

          Did you know that after you sign out of your account inside the Chrome browser, you are not really signed out? Not until you go through the obscure process of REMOVING your account from Chrome, and clear the cache.

          They make it so easy to be paranoid of them, don’t they?

          -- rc primak

          1 user thanked author for this post.
    • #322711

      I’m really on the fence on this one, so I am going to wait, especially since Gungle admits this is “experimental”; I’m nobody’s beta tester, thank you!

      I’m just going to follow the old Zoroastrian rule: “If you think something you’re going to do might be wrong, don’t do it.”

      Or, put another way, a Native American once said, “If you think of doing a thing, think about it first for two days, then think about it again. If you’re still unsure, take another two days. If still uneasy, think a third time, then make your decision. Then you will at least know that you really thought about it, and you have less chance of a mistake.”

      (This does not apply in emergencies, like that flaming semi coming at you, the pedestrian. RUN!)

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
      --
      "Nine out of 10 doctors say Acid Reflux is mainly caused by computers."

      1 user thanked author for this post.
    • #322712

      Google doesn’t receive your passwords by means of this check extension, but I wonder why it needs a sign-in to a Google account?

      Probably because you have to be signed in to install it as an extension to Chrome.

      Don't take yourself so seriously, no one else does 🙂
      All W10 Pro at 22H2,(2 Desktops, 1 Laptop).

      • #322723

        No, I was just able to install it without signing in. (I’m not sure I’ve ever had a Google account.)

        So Google’s instructions for this Password Checkup extension are deficient in more ways than one.

        (Why would they not make it explicitly obvious that your passwords are not sent to Google?)

        The Chrome web store does a little better:

        Wherever you sign-in, if you enter a username and password that is no longer safe due to appearing in a data breach known to Google, you’ll receive an alert. Please reset your password. If you use the same username and password for any other accounts, please reset your password there as well.

        Password Checkup was built with privacy in mind. It never reports any identifying information about your accounts, passwords, or device. We do report anonymous information about the number of lookups that surface an unsafe credential, whether an alert leads to a password change, and the domain involved for improving site coverage. You can learn more about how Password Checkup works at https://support.google.com/accounts?p=password-checkup. (NOT!)

        Password Checkup (Offered by: google.com)

        Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

        1 user thanked author for this post.
    • #322716

      Thanks. Has it ever been established how secure extensions are as compared with the base browser? Do browser updates include security updates to your extensions or only to the browser?

      Yes! I’d like to know this too….although my suspicion is that updates to extensions are not…I could be wrong. Input?

      In the meantime, my passwords are written in Coptic, and stored in a basement in a closet behind the sign “Beware the Leopard.” (Tip of the hat to Douglas Adams)

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
      --
      "Nine out of 10 doctors say Acid Reflux is mainly caused by computers."

    • #322755

      I keep those kinds of information I like to keep private in a text document, encrypted and with the name of something totally unrelated to personal info, and make current hard copies in case something gets deleted by mistake when I am using it. When I need a password, I go and open the text document and copy the always long and complex password to its clipboard and then paste it in the appropriate field of the login box of a site I need to use at that moment. It can be a bit of a hassle, compared to, e.g., using a password manager. But I feel better protected this way.

      I don’t think this is 100% safe, because a site I am logging in might be compromised by infecting spyware. But in life I don’t believe that there is anything 100% safe, so everything is something of a gamble.

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

      2 users thanked author for this post.
      • #322758

        Some sites still don’t permit pasting passwords, despite it being considered far safer than typing them.

        4 users thanked author for this post.
      • #322767

        I keep those kinds of information I like to keep private in a text document, encrypted and with the name of something totally unrelated to personal info, and make current hard copies in case something gets deleted by mistake when I am using it. When I need a password, I go and open the text document and copy the always long and complex password to its clipboard and then paste it in the appropriate field of the login box of a site I need to use at that moment. It can be a bit of a hassle, compared to, e.g., using a password manager. But I feel better protected this way. I don’t think this is 100% safe, because a site I am logging in might be compromised by infecting spyware. But in life I don’t believe that there is anything 100% safe, so everything is something of a gamble.

        This is brrr, scary ….

        https://isc.sans.edu/forums/diary/Phishing+Kit+with+JavaScript+Keylogger/24622/

        .

        * _ the metaverse is poisonous _ *
        2 users thanked author for this post.
        • #322776

          Twice, in recent days, I have received the same email, allegedly from Verizon, looking quite like something Verizon, my ISP, would send me, to the effect that there was “currently an outage” in my area and they “apologized for the inconvenience while working to fix it.” Also, telling me that to see current information on this problem, I had to click the button underneath. Which, I imagine, would then require “logging in to your account”, with my Verizon email password. Which brings me to the topic of passwords security. None of the precautions I adopt, described earlier in my entry copied by fred above, would have protected me from the email password being stolen, had this been a phishing attempt and had I made myself its victim by trusting that either email was a legitimate message from the ISP and followed the instructions there.

          Preferring to stay ignorant rather than to be sorry, I deleted both emails. Obviously, right where I was, there was no Internet blackout in either occasion, given the fact that both emails did come through alright, and that I had no problems browsing sites on the Web, which I was doing both times this happened. Were these cleverly disguised phishing attempts, or were they “for real”?

          I’ll never know, but sometimes it’s true that ignorance can be bliss.

          Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

          MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
          Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
          macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

          • #322781

            You can check whether links in email messages are genuine.

            Rather than click a link, I use right-click, get a copy of the link then paste in my browser’s URL bar where I examine it closely before making a decision whether or not to enter it.

            This web page explains things in more detail than I would. Obviously wrong links are easy but you need to be cautious that the link is not a slightly misspelled variation of what you may be expecting. If uncertain, research the top level domain.

            NOTE: You can check links in websites even more easily. Hover over ‘This web page’ above without clicking  and note what happens in the lower left-hand corner of your browser.

            1 user thanked author for this post.
            • #322832

              A good rule is never to click on a link in an email. If you think that the email might be genuine, or even believe that it is, it is always safer to log in to the linked site by using your normal bookmark or googling it as appropriate.

              1 user thanked author for this post.
          • #323499

            I got this mail (3 times) from “Google”

            Sent by :
            from: Final Notice <qbqkk@aulowcca.com>;
            reply-to: Google Security <Banana@pulpfiction.vip>;,
            Google Security <Raisin@shawshank.space>;,
            Google Security <Haddock@redemption19.xyz>;,
            Google Security <Partridge@inglourious.in>;,
            Google Security <Thyme@tomhanks.xyz>;,
            Google Security <Lime@edwardnorton.cc>;,
            Google Security <Donair@liamneeson.app>;,
            Google Security <arrowroot@jakegyllenhaal.club>;,
            Google Security <Pineapple@gclooney.xyz>;,
            Google Security <Pasta@johnny-depp.vip>;,
            Google Security <Pomelo@denzelwashington.info>;,
            Google Security <denjang@mattdamon.space>;,
            Google Security <king@gustaf.space>;,
            Google Security <Shank@tommyflanagan.club>;,
            Google Security <Monkfish@bestofmor.com>;

            Dear Gmail™ Customer,

            You submitted a request to terminate your Gmail mail account and the process has started by our Gmail™ Team, Please give us 3 working days to close your mail account.

            To cancel the termination request reply to this mail.

            All files on your Gmail mail including (Inbox, Sent, Spam, Trash, Draft) will be deleted and access to your Gmail™ mail account will be Denied.

            If you wish to Terminate your Email Address, you can Sign Up for a new Gmail™ account.

            For further help please contact by replying to this mail.

            Regards,
            Gmail™ Account Services

            Usually Google/Gmail is good with flagging spam mail but these passed as legitimate even though it was a phishing attempt.

            1 user thanked author for this post.
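The header pattern in the message quoted above (a sender on one domain, replies steered to several unrelated domains under a "Google Security" display name) can be checked mechanically. This is an added example, not part of the original post: the sample message is constructed from three of the addresses quoted there, and the `BRAND_DOMAINS` allowlist and flag names are assumptions.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: a locally maintained map of brand keyword -> domains the brand sends from.
BRAND_DOMAINS = {"google": {"google.com"}, "gmail": {"google.com"}}

# Constructed sample using addresses quoted in the post; subject and body are placeholders.
SAMPLE_PHISH = (
    "From: Final Notice <qbqkk@aulowcca.com>\n"
    "Reply-To: Google Security <Banana@pulpfiction.vip>, "
    "Google Security <Raisin@shawshank.space>, "
    "Google Security <Haddock@redemption19.xyz>\n"
    "Subject: constructed placeholder subject\n"
    "\n"
    "To cancel the termination request reply to this mail.\n"
)

# Constructed benign message: sender and reply address share one domain.
SAMPLE_BENIGN = (
    "From: Example Shop <news@shop.example>\n"
    "Reply-To: Example Shop <support@shop.example>\n"
    "Subject: constructed placeholder subject\n"
    "\n"
    "Hello\n"
)


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def in_domains(domain: str, allowed) -> bool:
    """True if domain equals an allowed domain or is a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def header_flags(raw_message: str) -> dict:
    """Return sender/reply domains and heuristic flags; flags are hints, not verdicts."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    reply_to = getaddresses(msg.get_all("Reply-To", []))
    from_domain = domain_of(from_addr)
    reply_domains = sorted({domain_of(a) for _, a in reply_to if a})

    flags = []
    # Replies would go somewhere other than the apparent sender's domain.
    if any(d != from_domain for d in reply_domains):
        flags.append("reply_to_domain_differs_from_sender")
    # Legitimate mail rarely lists reply addresses on many unrelated domains.
    if len(reply_domains) > 1:
        flags.append("multiple_reply_to_domains")
    # A display name invoking a brand while the address is on an unrelated domain.
    for name, addr in [(from_name, from_addr)] + reply_to:
        for brand, allowed in BRAND_DOMAINS.items():
            if brand in name.lower() and not in_domains(domain_of(addr), allowed):
                if "brand_name_on_unrelated_domain" not in flags:
                    flags.append("brand_name_on_unrelated_domain")

    return {"from_domain": from_domain, "reply_to_domains": reply_domains, "flags": flags}


if __name__ == "__main__":
    print(header_flags(SAMPLE_PHISH))
    print(header_flags(SAMPLE_BENIGN))
```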
            • #323530

              Alex – if you clicked on the blob in the message to terminate your Gmail account, I suspect that all that you may have done is to propagate this campaign towards this list of fifteen eMail addresses, when you could have ignored it.

              It’s best to check for this type of behaviour by hovering over the blob in the message, and the window will show what you might be about to do.

              Dell E5570 Latitude, Intel Core i5 6440@2.60 GHz, 8.00 GB - Win 10 Pro

      • #322780

        I keep a hand-written note of my passwords. Mrs Seff assures me that they are entirely safe as nobody could ever read my writing…

        3 users thanked author for this post.
        • #322839

          Just keep it away from the computer and away from prying eyes and you’ll be fine. This assumes you live alone, which obviously, you don’t.

          -- rc primak

    • #322764

      I am too paranoid to use those tools… i change my pw, here and there, I can’t trust nobody! But I do use the email feature, HaveIbeenhacked.

      Another 2 sites, can be useful

      ScatteredSecrets.Com
      HaveIbeenPowned.com
      HaveIBeenPwned.com

      .

      * _ the metaverse is poisonous _ *
      3 users thanked author for this post.
    • #322784

      People possibly know but it needs to be made crystal clear that the extension is nothing to do with how strong your password is or what method you use to manage it. Whether you store your password on a bit of paper, inside an encrypted document, local database or online database is irrelevant. If a hacker grabs it via MITM attack you may be in trouble.

      The way I read it, Password Checker extension is about receiving notification IF your username AND password is hacked (or otherwise obtained), IF the problem is detected, and IF the Google Password Checker system finds it. After that, preventing problems becomes a matter of you receiving notification in time to change your password, shutting the door on the hacker or whoever buys the data from the hacker.

      Unlike Password Checker extension, haveibeenpwned is about whether your email address logon (i.e. not email and password, just email) has been hacked.

      Theoretically, you are better covered for receipt of notification if you use both. In practice, Google’s Password Checker has not yet proven itself.

      • #323502

        HACKERS ARE PASSING AROUND A MEGALEAK OF 2.2 BILLION RECORDS

        Earlier this month, security researcher Troy Hunt identified the first tranche of that mega-dump, named Collection #1 by its anonymous creator, a patched-together set of breached databases Hunt said represented 773 million unique usernames and passwords. Now other researchers have obtained and analyzed an additional vast database called Collections #2–5, which amounts to 845 gigabytes of stolen data and 25 billion records in all…

        https://www.wired.com/story/collection-leak-usernames-passwords-billions/

        You can check for hacked mail/password here too : https://sec.hpi.de/ilc/search

    • #322794

      Well I’m somewhat bemused and untrusting of ANY online password checker, I’ve got them written down in an age old little book from around 1993 and stored digitally offline. The book reads like Egyptian hieroglyphs, even the websites are coded so useless to anyone else.

      No problem can be solved from the same level of consciousness that created IT- AE
      3 users thanked author for this post.
      • #322840

        Password strength can be checked online. Password managers also do this service. Some sites will  show you how strong your password is as you create it.

        -- rc primak

      • #322911

        Well I’m somewhat bemused and untrusting of ANY online password checker.

        Yeah, what he said. I think recommending *new and/or improved* security add-ons are actually doing a disservice to users. Many will believe everything they are told or read. After all, it was on the internet so it has to be true, yes? I venture that most readers of this and other sites like it have a clue as to what can be believed from the get go, and what to raise an eyebrow to.

        What I find especially onerous about this PW checker is the false sense of security it may foster on unwitting users. Those users are, imho lazy, they rely on such inane fluff to protect them, when with just a tiny bit of understanding on what to do and what not to do it’s much safer to DIY. But they won’t go that far, rather they will let an  add-on dupe them into even more complacent computer use behavior. Online complacency can never be a good thing, it’s one reason sites such as AskWoody exist.

        This PW add-on may very well provide a sense of security, whether it’s a false sense or not, however it’s my belief that anytime a person surrenders private security information to a third party they put themselves at more risk, not less.

        3 users thanked author for this post.
    • #322841

      What is missing from this discussion is that there are better alternatives to passwords.

      A hardware key like YubiKey is now being pushed by Google, Microsoft and other major tech players. Combined with biometrics of some sort and two-factor verification, this is better than a password system. Unless you lose the key or fail to report it stolen, you don’t need to remember anything else, not even a Master Password. And you can’t leave your eyeballs at home or somewhere by accident.

      -- rc primak

      1 user thanked author for this post.
      • #322977

        Why have none of the spyware paranoid people come up with the idea that a Yubikey may be a spy device. After all, each key has something that uniquely identifies it and you give your name and address when you buy it <eye roll>.

        2 users thanked author for this post.
        • #323058

          Why have none of the spyware paranoid people come up with the idea that a Yubikey may be a spy device. After all, each key has something that uniquely identifies it and you give your name and address when you buy it

          Perhaps because Yubikey isn’t as ubiquitous as a popular browser add-on offering. One has to actively seek Yubikey out. That seeking out activity is a conscious thought, something that many users fail to avail themselves of.

        • #327570

          I used the YubiKey brand. I should have referenced the generic type. A USB key device can be made by other manufacturers, or even created by a company or an ambitious individual. So you don’t have to trust that this brand is not a spyware device. You can if you really want a project, create your own from scratch, then register its signed PGP Key yourself. Or get a tech-savvy friend to do this for you — if you trust that friend.

          -- rc primak

          1 user thanked author for this post.
    • #322927

      I don’t use Google (not directly, anyway) and I don’t use Chrome.  My passwords are in a password protected Excel spreadsheet, and no, the spreadsheet filename is not “passwords”.  My financial institution uses two-factor authentication if a logon is attempted from a PC that is not registered in their database.  When I restore a drive image, I have to go through the two-factor steps to re-register my PC.

      My OneDrive account is protected with two-factor authentication, as well.  Not much else is critical for me.  There isn’t much in the way of useful identity theft resources available on the sites I visit with any regularity.

      Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
      We were all once "Average Users". We all have our own reasons for doing the things that we do with our systems, we don't need anyone's approval, and we don't all have to do the same things.

      1 user thanked author for this post.
    • #322948

      Most passwords should be treated like toilet paper – used once and then flushed away.

      Super important accounts that can cause much grief if they get taken over by the bad guys such as banks, cell provider, online shopping sites etc should be protected by a password that is changed every few times you login or at least every couple of weeks. After you have been made poor or discover that replacement credit cards/purchases have been mailed to an unintended address is too late.

      A good password manager makes doing this a snap. A couple of clicks and you are done. Good passwords aren’t something you can remember and would be a tribulation to type each time. Click, click, click, new password and you never even need to know what the password is. Making it easy to generate a random 25 character password and recall it later might actually convince some to change their passwords just for the sheer joy of doing so.

      Changing your passwords often is much better security than worrying if a password has been compromised or for how long that stolen password will still work. The tools are there to use, you just have to change the way you have always done passwords and choose to use the tools to their potential.

      2 users thanked author for this post.
    • #323142

      I keep those kinds of information I like to keep private in a text document, encrypted and with the name of something totally unrelated to personal info, and make current hard copies in case something gets deleted by mistake when I am using it. When I need a password, I go and open the text document and copy the always long and complex password to its clipboard and then paste it in the appropriate field of the login box of a site I need to use at that moment. It can be a bit of a hassle, compared to, e.g., using a password manager. But I feel better protected this way. I don’t think this is 100% safe, because a site I am logging in might be compromised by infecting spyware. But in life I don’t believe that there is anything 100% safe, so everything is something of a gamble.

      Used to do that as well, until we had a fire, had to move, and the main workstation that the encrypted file was on was water damaged. (Yes, I had backups, but the incident gave me the spooks…what if the backups were corrupted? Then I moved to multiple backups in different locations.) Now I do both encrypted on-drive AND written down in an obscure ancient language in a notebook that rests in a very secure area.

      But I trust Google about as far as I can throw a grand piano. (Sorry. Too much time spent pulling Android’s snooper-teeth on my phone.)

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
      --
      "Nine out of 10 doctors say Acid Reflux is mainly caused by computers."

      2 users thanked author for this post.
      • #323159

        NTDBD, On your DIY alternative to third-party applications to secure one’s passwords:

        One might still have a problem in case of nuclear attack, but otherwise I cannot agree more with you. Certainly a fire is one of my worries, along with flooding, e.g. when air-conditioning moisture accumulated in the convector pipes connecting several apartments in successive floors where I live, start cascading into living rooms and bedrooms, after building up its volume in those pipes for weeks and weeks, thanks to something clogging up the pipes. Great fun with a mop and bucket ensues.

        I’m not sure about the need for an obscure language. Maybe Pig Latin could be put into service instead? Not many of the Twitter generation have fully mastered it, I imagine.

        Anyhow, one way to keep a hard copy safe is in a bank vault, such as the one where I keep already my most important documents. But the frequent need to update it due to frequent changes in passwords (as also recommended here, and a definitely good practice) makes keeping something in a bank vault a bit of a hassle. For example, it does reduce the time one has available to have a life.

         

        Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

        MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
        Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
        macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

    • #323148

      A good rule is never to click on a link in an email. If you think that the email might be genuine, or even believe that it is, it is always safer to log in to the linked site by using your normal bookmark or googling it as appropriate.

      Absolutely.  If you must click on that link, some email programs like Thunderbird let you see what the link REALLY points to if you just hover your mouse/pointer/whatever over it.

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
      --
      "Nine out of 10 doctors say Acid Reflux is mainly caused by computers."

      2 users thanked author for this post.
    • #323590

      For any unfortunate soul who uses this or any other password checking service, then finds their favorite password listed, the first piece of advice is to change your password. Does it require this extra step? If you feel the urge to install a password checker extension, or use an online service, just change your password. No one else need be involved. Job done.

      • #323595

        For how many different sites and how often?

        The Password Checker extension checks for a breached username/password combination every time you log into a site through Chrome. Would you be prepared to change your password every time you use one?

        Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

        2 users thanked author for this post.
    • #326046

      People may choose to use or not use the extension, depending on personal circumstances, needs and wants but they should balance up their wish for privacy against their need for security.

      To put it bluntly, it does not concern me if your choice is different to my choice. However, you should make an educated choice. Here is one example why you might consider the extension a security advantage.

      For those who think haveibeenpwned will warn you about all detected account hacks, think again. The extension and haveibeenpwned work differently. Subject to a hack being detected, if you log onto a website using email address, haveibeenpwned can warn you. If you log on with a username it cannot warn you.

      While warnings can be helpful, you need to be open to discovering breaches via other methods. I discovered the 92,000,000 account MyHeritage hack via RSS feeds. However, hacks are happening all the time. Only big ones get the headlines.

       

      Group A (but Telemetry disabled Tasks and Registry)
      1) Dell Inspiron with Win 11 64 Home permanently in dock due to "sorry spares no longer made".
      2) Dell Inspiron with Win 11 64 Home (substantial discount with Pro version available only at full price)

    • #1919952

      I’ve been using the password checker since this thread was started, and it just caught one, today, for the first time.  Fortunately, it was a rather trivial site.  At least I know it’s working.
