Passwords suck. They’re hard to remember, we all have about a million of them, and they’re not supposed to be anything easy or memorable like your cat’s name.
Worst of all, when massive data breaches happen to the companies we actually trust with our online credentials, our usernames and passwords can become totally exposed, but luckily, there’s now a simple way to find out if you’ve been compromised like this.
Troy Hunt is an Australian security researcher and the man behind Have I Been Pwned (HIBP), a website that lets people check if their email addresses and usernames have been involved in some of the biggest data breaches ever – involving companies like Myspace, LinkedIn, Adobe, Dropbox (and sadly hundreds more).
Now, Hunt has approached the same problem from the opposite perspective, building a new tool called Pwned Passwords that does the same kind of thing, but this time it lets you enter just your passwords to see if they’ve been leaked in any of the aforementioned hacks.
There’s a staggering 320 million leaked passwords stored in this database, and if you’re wondering whether it’s maybe irresponsible to collect them all in one place like this, there are a couple of things to bear in mind.
One, none of the passwords here are stored alongside the email addresses or usernames that they pair with, so if any people are still using these long-exposed passwords, their anonymised listing here shouldn’t make things any easier for hackers.
Two, Hunt’s whole point with Pwned Passwords is to draw attention to just how many of our passwords have been outed by hackers up until now – by letting people check if one of their passwords is out there on the big bad internet.
Again, all of these passwords are already out in the wild – some have been for a long time – so hopefully most users have already changed them.
There are two ways of using Pwned Passwords: an online search tool on the website itself, and by downloading the whole list of 320 million leaked passwords, which are stored across three separate text files (note: you’re looking at more than 5GB in total, as the list is very long).
Before we go any further, a word of warning. You really shouldn’t type any active passwords you’re currently using into the online search tool, because it goes against the whole principle of never sharing or distributing your passwords, even if it’s with a website set up by a professional security researcher.
As Hunt explains on his blog:
“It goes without saying (although I say it anyway on that page), but don’t enter a password you currently use into any third-party service like this! I don’t explicitly log them and I’m a trustworthy guy but yeah, don’t.
The point of the web-based service is so that people who have been guilty of using sloppy passwords have a means of independent verification that it’s not one they should be using any more.”
What this means is that if you want to see if any of your current passwords have been exposed, you really ought to download the whole list and search through it from the privacy and security of your own device.
It’s an extra step of hassle, sure, but it’s worth it, guys, and it’s still a pretty simple thing to do.
For extra security – and to protect anybody still using these leaked passwords – the list files don’t contain the passwords themselves but their SHA-1 hashes (one-way hashes, not encryption), so you’ll need to generate the SHA-1 hash of your password before you search for it in the list (instructions for generating SHA-1 hashes are easily found online).
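Here is what that local check looks like in practice. This is an added example, not code from the article or from Have I Been Pwned; it assumes the downloaded list files hold one SHA-1 hash in hex per line (uppercase, as the 2017 release was distributed), streams the files rather than loading multiple gigabytes into memory, and uses a small constructed sample file in place of the real download. The file name and sample passwords are made up for the demonstration.

```python
import hashlib
import os
import tempfile


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest of a password, the format used by the list files."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def password_in_list(password: str, list_paths) -> bool:
    """Report whether the password's SHA-1 hash appears in any of the list files.

    The files are streamed line by line: the full set is over 5GB, so reading
    them into memory is not an option. Only the hash ever leaves this function,
    and nothing is sent over the network.
    """
    target = sha1_hex(password)
    for path in list_paths:
        with open(path, "r", encoding="ascii", errors="ignore") as fh:
            for line in fh:
                # Tolerate trailing whitespace and lower-case hex in the file.
                if line.strip().upper() == target:
                    return True
    return False


def write_sample_list(directory: str) -> str:
    """Write a tiny constructed stand-in for one of the real list files.

    The real files contain hundreds of millions of hashes; this one holds the
    hashes of three well-known weak passwords (constructed sample data).
    """
    path = os.path.join(directory, "pwned-passwords-sample.txt")  # hypothetical name
    weak_passwords = ["password", "123456", "letmein"]
    with open(path, "w", encoding="ascii") as fh:
        for pw in weak_passwords:
            fh.write(sha1_hex(pw) + "\n")
    return path


def demo() -> dict:
    """Check one password that is in the sample list and one that is not."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = write_sample_list(tmp)
        return {
            "password": password_in_list("password", [sample]),
            "correct horse battery staple": password_in_list(
                "correct horse battery staple", [sample]
            ),
        }


if __name__ == "__main__":
    for pw, hit in demo().items():
        print(f"{pw!r}: {'found in list' if hit else 'not in list'}")
```

To run it against the real download, pass the paths of the three text files to `password_in_list` instead of the sample; a linear scan of 5GB takes a few minutes but keeps the password on your own machine, which is the whole point of downloading the list rather than using the web form.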
Hopefully, whichever way you choose to use the service, you’ll find that none of your passwords have been leaked, but if they are, now’s as good a time as any to change them – and if you don’t already, you should really consider using a manager to store and generate your passwords.
One last thing: if searching the service doesn’t bring up any of your passwords, that’s good news for sure, but it doesn’t necessarily mean your password hasn’t been leaked at some point – just that it’s not included as part of this database.
“One quick caveat on the search feature: absence of evidence is not evidence of absence,” as Hunt explains, “or in other words, just because a password doesn’t return a hit doesn’t mean it hasn’t been previously exposed.”
Stay vigilant, folks!