If you or one of your employees happens to be trying to think of a new email or web platform password, it might be worth your time to make sure it isn’t one of the hundreds of millions of passwords that have already been exposed in data breaches.
“Have I been pwned?”, the free data breach information service run by Australian Microsoft regional director Troy Hunt, can help: As of Thursday, the site now features a “pwned passwords” section that invites users to enter a password they’re considering and instantly compares it to hundreds of millions of real world passwords – 306,259,512, to be exact – that have been exposed in data breaches.
The key word in the above paragraph is “considering”: In an August 3 blog post, Hunt emphasizes that you should never, ever use the site to check a password you’re actively using, noting that he’s long believed it would be a bad idea to build a password-checking service because users are likely to use it to test their current passwords.
“It goes without saying (although I say it anyway on that page), but don’t enter a password you currently use into any third-party service like this!” he writes. “The point of the web-based service is so that people who have been guilty of using sloppy passwords have a means of independent verification that it’s… one they should no longer be using.”
Just because a password isn’t pwned doesn’t mean it’s a good one either, he cautions, in both the blog and on the site. Typing in “Password1”, for example, produced the following:
(Though it turned out that “password1”, with a lower-case “p”, had, in fact, been compromised.)
Hunt also notes that absence of evidence is not evidence of absence: “in other words, just because a password doesn’t return a hit doesn’t mean it hasn’t been previously exposed,” he writes.
In case you’re wondering why users should avoid testing their current password on the service, though no information entered is actively stored it could still potentially be “burned” using other means, Hunt writes.
More importantly, the entire library – all 6 GB of it – can be downloaded from the passwords page and used to check passwords offline.
Hunt aggregated the list of passwords from a variety of different sources, including a pair of combo lists that he wrote about in a May blog post, which also described some of the specialized software hackers often use to steal passwords in the first place.
HaveIBeenPwned’s core service invites users to enter their email addresses to see if any associated accounts have been exposed by comparing them to data breach information stored on Microsoft Azure servers, though the downloadable passwords file is being stored on Cloudflare.