Data breaches, such as those that affected Yahoo! and other major organizations, have dumped more than half a billion passwords into the digital ether over the years. Users who haven't changed those passwords leave their accounts vulnerable to anyone who buys the leaked username and password off the black market, and anyone who reused the same password elsewhere has exposed those other accounts too.
PassProtect, a new Chrome extension, looks to educate users and let them know if they need to change their passwords. It's from the identity management and single-sign-on company Okta, and is available for free now online. (In the interest of full disclosure, we at Tom's Guide use Okta.)
When I tried PassProtect for myself, I forgot that it was running, at least until this morning when I logged onto my work computer. As the Okta app auto-filled my password for one of our corporate services, PassProtect displayed an alert that my password had been found in two data dumps. So I changed it immediately. PassProtect didn't warn me about my new password, so it's safe to use.
The service uses security consultant Troy Hunt's HaveIBeenPwned database, an invaluable resource, but one that requires users to open a page and type in an email address or a password to check. This extension instead runs in the background and checks each password you sign in with against Hunt's Pwned Passwords list as you use it.
Okta's also made a code snippet for website developers, so they can add this technology to their site, to proactively help stop users from using known login credentials.
If you're skeptical about letting a company monitor your usernames and passwords, know first that your instinct isn't wrong. PassProtect seems legitimate, though, for a number of reasons. First, it uses k-anonymity, the same range-query scheme Hunt's Pwned Passwords API offers: the extension hashes the password locally with SHA-1 and sends only the first five characters of that hash to the API, which answers with every known hash suffix that shares the prefix. The comparison happens in your browser, so the password itself is never seen, stored, or sent over the network; only a five-character hash prefix, shared with hundreds of other hashes, leaves your machine.
Additionally, Okta is a publicly traded company (ticker OKTA) that's been around since 2009 and has built its reputation on secure identity and password management. Mishandling user data entrusted to it would ruin the company's credibility and risk sending its stock into freefall.