Introducing 306 Million Freely Downloadable Pwned Passwords

Megalith

24-bit/48kHz
Staff member
Joined
Aug 20, 2006
Messages
13,003
Microsoft Regional Director and MVP Troy Hunt has introduced a website that allows you to check whether your passwords have ever been compromised. A 5.3 GB 7-Zip file of the passwords represented as a SHA1 hash is also available for download.

...don't enter a password you currently use into any third-party service like this! I don't explicitly log them, and I'm a trustworthy guy, but yeah, don't. The point of the web-based service is so that people who have been guilty of using sloppy passwords have a means of independent verification that it's not one they should no longer be using. Mind you, someone could actually have an exceptionally good password, but if the website stored it in plain text then leaked it, that password has still been "burned."
 
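The opening post mentions that the whole list is downloadable as SHA-1 hashes, one per line. That is the safe way to use it: hash the candidate password locally and look it up, so the password itself never goes to a third-party site. The script below is an added example written for this thread, not Troy Hunt's own code; the three-line "file" it scans is constructed here by hashing well-known weak strings, standing in for the real 5.3 GB download, and the streaming scan is chosen because a set of 306 million digests would not fit comfortably in memory.

```python
import hashlib

def sha1_hex(password):
    """Uppercase hex SHA-1 of the UTF-8 password, matching the one-digest-per-line file format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for the downloaded list (NOT taken from the real file):
# one uppercase SHA-1 digest per line, computed here from obviously weak strings.
SAMPLE_PWNED_FILE = "\n".join(
    sha1_hex(p) for p in ("password", "123456", "!QAZ@WSX#EDC$RFV")
) + "\n"

def normalize_line(line):
    """Return the 40-hex-char digest from a line, or None if the line is not a digest.

    Defensively tolerates an optional ':suffix' after the digest; this is an
    assumption to make the parser forgiving, not a statement about the file format.
    """
    digest = line.strip().split(":")[0].upper()
    if len(digest) != 40:
        return None
    try:
        int(digest, 16)
    except ValueError:
        return None
    return digest

def is_pwned(password, lines):
    """Stream through an iterable of file lines and report whether the password's digest appears.

    Works on the real download via `is_pwned(pw, open(path))` without loading it all,
    and the password is only ever hashed in this process.
    """
    target = sha1_hex(password)
    for line in lines:
        if normalize_line(line) == target:
            return True
    return False

def check_policy(candidate, lines, min_length=12):
    """Combine a length floor with the leaked-list check; returns a list of reasons for rejection."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append("too short")
    if is_pwned(candidate, lines):
        reasons.append("appears in a known breach corpus")
    return reasons

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", check_policy(pw, SAMPLE_PWNED_FILE.splitlines()) or ["ok"])
```

Because the scan is linear, checking many candidates against the full file is slow; for bulk use one would sort the digests once and binary-search, but the single-candidate streaming form is the one that keeps memory flat on a 306-million-line file.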

TheBuzzer

HACK THE WORLD!
Joined
Aug 15, 2005
Messages
12,871
I bet they store passwords people are typing to check and then are able to try using those passwords.
 

kju1

2[H]4U
Joined
Mar 27, 2002
Messages
3,460
I bet a good 50% of them are variations on the word password...
 

SomeoneElse

[H]ard|Gawd
Joined
Jan 16, 2007
Messages
1,940
I've used this site for a few years now. This guy is pretty good; I watched a few of his ethical hacking videos on Pluralsight. His site doesn't show you anything as far as data is concerned; it just lets you know if you were "pwned," by what data breach type, and from what company your username and pass were stolen.
 

CaptNumbNutz

Fully [H]
Joined
Apr 11, 2007
Messages
22,747
Beautiful. He even includes a download. I will merge those with my current 50GB Dictionary file. There might be a couple hundred thousand to add to the list that I don't already have.
 

Spidey329

[H]F Junkie
Joined
Dec 15, 2003
Messages
8,683
Yeah, even if he is trustworthy, I'm not going to enter my PW.

Password leaks are why I use a yearly changing algorithm to develop my passwords. The cipher is easy to memorize but hard to figure out unless you're in my brain. Allows me to have 128+bit 256charset (that's character set, not length) passwords that I can remember.
 

scojer

Supreme [H]ardness
Joined
Jun 13, 2009
Messages
7,946
Oh man, my default password for everything has been pwned :(

Guess I'll need to change it from !QAZ@WSX#EDC$RFV to something else.
 

B00nie

[H]F Junkie
Joined
Nov 1, 2012
Messages
9,289
What pisses me off is that many sites do not allow using Scandinavian special characters in the passwords - those are always a good addition since most attackers do not use them.

I mean, what's the point of setting up a password and then not allowing you to use characters that would, you know, make it safe lol.
 

carnageX

Gawd
Joined
May 25, 2009
Messages
513
Definition of naive: A person who enters his password to a site that promises to check if the person's password has been exposed.

Yeah, even if he is trustworthy, I'm not going to enter my PW.

Password leaks are why I use a yearly changing algorithm to develop my passwords. The cipher is easy to memorize but hard to figure out unless you're in my brain. Allows me to have 128+bit 256charset (that's character set, not length) passwords that I can remember.

Troy Hunt even says not to use it for checking your current passwords. More for showing people "do you really want to use that password you planned on using?" to show them how weak passwords have already been breached.

He didn't even want to make this website really, but ended up doing it anyway.
 
Joined
Mar 16, 2006
Messages
4,009
[image: password_strength.png]
 

serpretetsky

[H]ard|Gawd
Joined
Dec 24, 2008
Messages
1,921
Any real way to implement this? I mean shit, the standard is simple enough to define: '4 words', '5 words', a 'single sentence, no spaces', whatever.
Get a list of 2000 common English words that aren't too short, get a random number generator, randomly select 5 words.
 
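The recipe in the post above (a list of common words that aren't too short, a random number generator, pick five) is straightforward to implement, and the one detail worth getting right is the generator: it must be a cryptographically secure one, not a seeded PRNG. The script below is an added example, not code from the thread; the short word list in it is constructed for illustration and stands in for the 2,000-word list the post describes.

```python
import math
import secrets

# Constructed mini word list; a real generator would load ~2,000 common words from a file.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "desert", "engine", "forest", "garden", "harbor",
    "island", "jacket", "kettle", "ladder", "marble", "needle", "orange", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "violin", "window", "yellow",
    "zipper", "cat", "of",  # last two are too short and should be filtered out
]

def filter_words(words, min_len=4):
    """Keep words at least min_len characters long, lowercased, with duplicates removed."""
    seen = set()
    kept = []
    for w in words:
        w = w.strip().lower()
        if len(w) >= min_len and w not in seen:
            seen.add(w)
            kept.append(w)
    return kept

def generate_passphrase(words, count=5, sep=" "):
    """Draw `count` words uniformly at random, with replacement, using the OS CSPRNG.

    secrets.choice is used rather than random.choice: the latter is a seeded
    Mersenne Twister and is not suitable for generating secrets.
    """
    if len(words) < 2:
        raise ValueError("word list is too small to be useful")
    if count < 1:
        raise ValueError("count must be at least 1")
    return sep.join(secrets.choice(words) for _ in range(count))

def entropy_bits(vocab_size, count):
    """Entropy of `count` independent uniform draws from `vocab_size` words: count * log2(vocab_size)."""
    return count * math.log2(vocab_size)

if __name__ == "__main__":
    vocab = filter_words(SAMPLE_WORDS)
    print(generate_passphrase(vocab))
    # The post's parameters: 5 words from 2,000 gives about 54.8 bits of entropy.
    print(round(entropy_bits(2000, 5), 1), "bits")
```

Drawing with replacement is what makes the entropy formula exact (each word is an independent choice among all N); it also means a repeated word is legitimate and should not be rejected, since filtering out repeats would shrink the space the formula assumes.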

Master_shake_

Fully [H]
Joined
Apr 9, 2012
Messages
17,795
They'll never guess my password.

It's the price of a cheese pizza and large soda at Panucci's Pizza.
 

M76

[H]F Junkie
Joined
Jun 12, 2012
Messages
12,383
- Is my password compromised?
- Now it is.
 

M76

[H]F Junkie
Joined
Jun 12, 2012
Messages
12,383

I've been trying to adopt this method for years, I always forget the password. Or passphrase in this case. As it turns out remembering random unconnected common words is not as easy as it's made out to be. I always end up having to reset my password on sites where I tried this.

It's easier for me to remember a collection of random letters and numbers. As long as it's no longer than 8-10 chars.

Most important places don't allow more than a few tries a minute anyway.
 