X

Okta's Chrome plug-in tells you when hackers have your password

And yes, it does have a system to avoid leaking your password itself.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
See full bio
Laura Hautala
4 min read
James Martin/CNET

You may have heard "starwars" is a bad password. But even if you're avoiding that hacking trap, you might not realize that passwords that seem harder to guess could be dangerous too.

Here's the reason why: any time a password is captured by hackers in a data breach, it's likely to get posted on cybercrime forums online. That's what appeared to happen in 2016, when someone claimed to have 272 million passwords to trade for likes on social media. It turned out the login credentials weren't likely from a new data breach, but instead were put together from past data breaches. 

Still, the episode showed how easily hacked passwords travel around the internet. Hackers will take it and use it as a guess when trying to break into other online accounts. So even if your password is harpoonfranticbumble (in other words, long and random) you shouldn't use it if it's been caught up in a data breach.

PassProtect warns you when your password is no longer safe to use.

 Okta

You might wonder how you can possibly know which passwords in the entire realm of possibility have been hacked. Login management company Okta is trying to solve that problem with a browser plug-in. Called PassProtect, the plug-in will tell you just how many times the password you're using has been exposed in a data breach.

Okta, which normally sells its security-oriented tools to businesses, came up with the idea for PassProtect when asking itself, "What are some ways that we as a company can release tools that will dramatically improve a casual web user's security?" said Randall Degges, Okta's head of developer advocacy.

What the plug-in tells you

It works like this: You go to the login page for your favorite website. You enter your password, which we'll say is "BuffySummers," and hit enter. Then you see a window pop up to warn you: "The password you just entered has been found in 26 data breaches. This password is not safe to use." (Bad news: "slayer," "Sunnyvale," and "JossWhedon" have all been hacked in previous breaches, too.)

Once you dismiss the message, it's up to you whether to change your password. You won't see the warning again the next time you log into your account from the same browser. 

Other services can do this for you as well. The plug-in draws from the "Have I Been Pwned" database, which tracks hacked passwords, so you can also go directly to that service's website to test out your passwords. And in addition to Okta, the site also partners with password manager 1Password. As of Tuesday, 1Password users on PCs and Macs will get a warning if their password has been swept up in a data breach.

Is this safe?

You might also wonder whether it's safe to use a browser plug-in that accesses and analyzes your passwords. Degges said Okta has built PassProtect to safeguard your password, analyzing it on your computer and never sending a copy of it away from your browser.

It does this with much the same technology that the website you're logging into uses to process your password. First, PassProtect runs what's called a hashing algorithm on your password. That turns "BuffySummers" into a random string of characters that's very hard to turn back into your password. 

Then PassProtect sends the first five characters of that string to the Have I Been Pwned database. The data set includes half a billion "pwned" passwords, which have turned up in online data dumps after data breaches.

The database sends back a set of hashed passwords that also start with those first five characters. Then PassProtect searches within that smaller set of passwords for yours. 

PassProtect works only on Chrome browsers for the time being, but Degges said Okta hopes to push out a version for Firefox as well as a mobile app in the future. For the time being, Okta is also releasing a tool for website developers that will install PassProtect directly to a website. That means if a Buffy fan fiction website installs the PassProtect developer tool, it'll warn you not to use "BuffySummers" as your password even if you aren't using the browser plug-in.

No usernames, yet

The tool doesn't analyze your username, though that's another feature the Okta team would like to add.

There's an argument to be made that if a less common password -- harpoonfranticbumble comes to mind -- that someone else is using gets swept up in one data breach, it's not that big of a deal for you to use it. You might think that's especially true if you're using a unique username that's hard to guess. 

But Degges said it's much easier for hackers to guess usernames. That's because the software that processes login credentials doesn't treat your username as secret information, often sending it around in clear text in ways that hackers can easily intercept. Plus, you're just a lot more likely to reuse a username.

First published May 23, 6 a.m. PT
Update, 12:31 a.m.: Adds information about other ways to check if your password is part of a data breach.

Security: Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.

Blockchain Decoded: CNET looks at the tech powering bitcoin -- and soon, too, a myriad services that will change your life.