How to Use Password Audit Tools - From Breach Checks to Strength Diagnosis
Have your passwords been exposed in past data breaches? Are the passwords you currently use strong enough? Password audit tools answer these questions. They evaluate account security from multiple angles - checking against breach databases, automatically diagnosing password strength, and detecting reused passwords. This article provides practical guidance on free breach-checking services like Have I Been Pwned, built-in browser audit features, and password manager audit reports, helping you build a habit of regular security checks.
Checking for Breaches with Have I Been Pwned
How the Service Works and Its Safety
Have I Been Pwned (HIBP) is a free breach-checking service operated by security researcher Troy Hunt. Simply entering an email address instantly reveals whether it has appeared in past data breaches. As of 2024, over 14 billion compromised account records are registered in the database, making it the world's largest and most trusted breach information database.
HIBP's password check feature uses a k-Anonymity model. Only the first 5 characters of the password's SHA-1 hash are sent to the server, which returns the suffixes of every hash in its database that shares that prefix. The client then looks for an exact suffix match locally, meaning neither the password nor its full hash ever travels over the network. This design ensures that the checking process itself creates no new security risks.
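The exchange described above, as an added example that is not part of the original article or of HIBP's own code: the client hashes the password, sends only the 5-character prefix, and compares suffixes locally. The "server" here is a constructed in-memory index standing in for the real range endpoint (`https://api.pwnedpasswords.com/range/{prefix}`), and the breach counts are invented sample values.

```python
import hashlib

# Constructed stand-in for the server's breach database: password -> breach count.
# The values are invented for illustration, not real HIBP counts.
CONSTRUCTED_BREACHED = {"password": 9545824, "123456": 42000000, "letmein": 333000}


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Index the corpus by 5-char hash prefix -> [(35-char suffix, count), ...]."""
    index = {}
    for pw, count in corpus.items():
        h = sha1_upper(pw)
        index.setdefault(h[:5], []).append((h[5:], count))
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACHED)


def range_endpoint(prefix: str) -> list:
    """Simulated server side. It receives only the 5-char prefix and returns every
    suffix sharing it, so it cannot tell which of those hashes the client holds."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return list(RANGE_INDEX.get(prefix, []))


def check_password(password: str, fetch_range=range_endpoint) -> dict:
    """Client side of the k-Anonymity check.

    Returns the breach count (0 if absent) and the exact string that left the
    client, so a caller can verify that only the prefix was transmitted.
    """
    full_hash = sha1_upper(password)
    prefix, suffix = full_hash[:5], full_hash[5:]
    count = 0
    # The suffix comparison happens here, locally; the server never sees `suffix`.
    for candidate_suffix, candidate_count in fetch_range(prefix):
        if candidate_suffix == suffix:
            count = candidate_count
            break
    return {"sent": prefix, "count": count}


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        result = check_password(pw)
        print(f"{pw!r}: sent {result['sent']} ({len(result['sent'])} chars), "
              f"breach count {result['count']}")
```

Any non-zero count means the password is in attacker wordlists and should be replaced; a zero count only means it is absent from this particular database, not that it is strong.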
How to Use It
First, visit haveibeenpwned.com and enter your email address in the main search box. A green result means no breaches were found. A red result shows details of which services were breached and when. Change your password immediately on any breached services. The "Passwords" tab lets you directly check whether a password you're using appears in past breach data. If a breach count is displayed, that password exists in attacker dictionaries and must be changed immediately.
Built-in Browser Password Audit Features
Chrome Password Checkup
Google Chrome includes a built-in "Password Checkup" feature. Navigate to chrome://settings/passwords and click "Check passwords" to run a bulk diagnosis of all saved passwords. Results are categorized into three groups: "Compromised passwords" that appeared in past data breaches, "Weak passwords" that are short and easily guessable, and "Reused passwords" where the same password is used across multiple sites.
Chrome's Password Checkup works best when synced with a Google account. With sync enabled, passwords saved on mobile devices are also included in the bulk check. However, Chrome's password storage itself lacks master password protection, meaning all passwords become viewable if the device lock screen is bypassed. For important accounts, consider using a dedicated password manager.
Safari and Firefox Audit Features
In Apple's Safari, you can check "Security Recommendations" from Settings > Passwords. Compromised, reused, and weak passwords are listed, with direct links to password change pages for each. Since it integrates with iCloud Keychain, all passwords synced across iPhone, iPad, and Mac are covered. Firefox similarly provides breach checking for saved passwords on the "about:logins" page, and integration with Firefox Monitor enables breach notifications.
Password Manager Audit Reports
Comparing Audit Features Across Major Services
1Password's "Watchtower," Bitwarden's "Vault Health Reports," and Dashlane's "Password Health" - all major password managers include audit report features. These automatically perform breach checks, strength assessments, duplicate detection, and two-factor authentication gap detection across all stored passwords. The key difference from browser audit features is that password managers centrally manage credentials across all devices and browsers. When passwords are stored separately in Chrome and Safari, a password manager audit is the most efficient way to see the complete picture.
Audit report results are often quantified as a "security score" out of 100, giving you a clear picture of your current state. If your score is low, prioritize changing compromised passwords first, then eliminate reused passwords, and finally strengthen weak ones. Using password generation tools like Passtsuku.com lets you efficiently create unique, strong passwords for each service.
Reading Audit Reports and Taking Action
A password marked as "compromised" in an audit report means it exists in lists used by attackers for credential stuffing attacks. Continuing to use it creates an extremely high risk of unauthorized access to other services. Passwords judged as "weak" - those under 8 characters, numbers only, or dictionary words - can be cracked quickly through brute force or dictionary attacks. In either case, changing to a random string of 16+ characters and enabling two-factor authentication significantly improves security.
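The audit logic described in this and the previous section, as an added example that is not taken from any of the named password managers: it classifies a small constructed vault into compromised, weak and reused entries using the criteria the article lists (under 8 characters, digits only, dictionary word), derives a score out of 100 and orders the fixes compromised first, then reused, then weak. The vault, breach list, wordlist and scoring formula are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample vault: (site, password). Sites and passwords are invented.
SAMPLE_VAULT = [
    ("mail.example", "Tr0ub4dor&3"),
    ("shop.example", "123456"),
    ("bank.example", "Tr0ub4dor&3"),
    ("forum.example", "sunshine"),
    ("vpn.example", "x9#Lq2!vR8@wZp4&"),
]
# Constructed stand-in for what a breach check (e.g. HIBP) would report as compromised.
SAMPLE_BREACHED = {"123456", "sunshine"}
# Tiny constructed wordlist standing in for an attacker's dictionary.
SAMPLE_DICTIONARY = {"password", "sunshine", "letmein", "welcome"}

# Remediation order from the article: compromised, then reused, then weak.
PRIORITY = ("compromised", "reused", "weak")


def is_weak(password: str, dictionary: set) -> bool:
    """The article's weak-password criteria: short, digits only, or a dictionary word."""
    return (len(password) < 8
            or password.isdigit()
            or password.lower() in dictionary)


def audit_vault(vault: list, breached: set, dictionary: set) -> dict:
    """Return {category: [site, ...]} for the three categories a browser or
    password-manager audit reports. One entry may appear in several categories."""
    sites_by_password = defaultdict(list)
    for site, pw in vault:
        sites_by_password[pw].append(site)

    report = {"compromised": [], "weak": [], "reused": []}
    for site, pw in vault:
        if pw in breached:
            report["compromised"].append(site)
        if is_weak(pw, dictionary):
            report["weak"].append(site)
        if len(sites_by_password[pw]) > 1:
            report["reused"].append(site)
    return report


def security_score(report: dict, vault: list) -> int:
    """Assumed scoring formula (not any vendor's): percentage of vault entries
    that are flagged in no category, rounded to an integer out of 100."""
    flagged = set()
    for sites in report.values():
        flagged.update(sites)
    clean = len(vault) - len(flagged)
    return round(100 * clean / len(vault)) if vault else 100


def action_plan(report: dict) -> list:
    """Ordered (site, reason) list: each site listed once, under its most
    urgent category, in the article's recommended remediation order."""
    plan, seen = [], set()
    for category in PRIORITY:
        for site in report[category]:
            if site not in seen:
                seen.add(site)
                plan.append((site, category))
    return plan


if __name__ == "__main__":
    rep = audit_vault(SAMPLE_VAULT, SAMPLE_BREACHED, SAMPLE_DICTIONARY)
    print("report:", rep)
    print("score:", security_score(rep, SAMPLE_VAULT))
    for site, reason in action_plan(rep):
        print(f"change {site}: {reason}")
```

Note that a password can be both compromised and weak ("123456" here); the action plan lists it once, under the most urgent reason, so the remediation list does not double-count work.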
Building a Habit of Regular Security Checks
Check Frequency and Schedule
Password auditing is not a one-time activity - it delivers results through regular repetition. The recommended frequency is a monthly quick check (reviewing your password manager score) and a detailed check every 3 months (verifying all email addresses on HIBP + running browser audits). When major data breaches make the news, perform an ad-hoc HIBP check. Setting calendar reminders makes it easier to build this into a habit.
When issues are found during checks, act quickly. Change passwords on confirmed breached accounts within 24 hours and enable multi-factor authentication where possible. When changing passwords, consistently use Passtsuku.com to generate sufficiently long random passwords and save them in your password manager. Changing to a manually memorable password will likely be flagged as "weak" in the next audit.
Using Notification Services
HIBP lets you register email addresses to receive automatic notifications when new breaches are confirmed. Enabling "Security notifications" on your Google account also sends alerts for suspicious login attempts or breach detections. 1Password's Watchtower updates its dashboard whenever new breach information is added to the database, so simply opening the app regularly keeps you informed. Combining these notification services covers both active checking and passive monitoring, maximizing your response speed to breaches.
For a deeper understanding of password security tools, security key guides (Amazon) provide comprehensive coverage of hardware-based authentication.