Download 306,000,000 cracked passwords and make sure you're not using one of them


What if that site becomes compromised and someone decides to track what passwords are being queried? :stuck_out_tongue:

Exactly my thought. They examine your cookies and history, conclude where you’ve got accounts, and start trying what you dial in. Might be reasonably safe if you do it in incognito mode (or otherwise flush cookies and history beforehand), do it from a non-usual IP address (coffeeshop), and enter lots of garbage before and after the real McCoy.

Surely the solution would be to produce the SHA1 hash of the actual password that is an SHA1 hash…?

Hey, if you tell me your login/password I can tell you with 100% certainty (guaranteed or thrice your money back) whether they’ve been compromised - no need to leave the BBS!


Just type in your password and I’ll tell you if your accounts have been compromised.



Don’t worry I’ve already checked everyone’s passwords on here. Everyone is fine.


Better download the 5GB file and scan for your password offline…

It just adds your password to the list and now it’s useless. Be sure to try out your new password too. :stuck_out_tongue_winking_eye:

Checking the very few passwords I use that weren’t generated by LastPass reassures me that my scheme is still secure.

I don’t understand what’s going on here. Cory and his screenshot and lengthy quote are all about passwords, but when you go to the site, it just asks for your handle or email address–but not the password. Then the site cross-references it against the database of known logins that correspond to accounts with hacked passwords and says yes or no.

Anyone stupid enough to give him their password deserves what they get, but I fail to see the harm in the way this website is set up.


sorry cory, i think you summarized this badly:

  • troy hunt didn’t make a list of plaintext passwords available, which was a good decision.
  • instead this is a 5.3 GB 7zip file of SHA1 hashes of all the passwords.
  • his motivation is to propagate “advising organisations to block subscribers from using passwords that have previously appeared in a data breach.” and he implemented a proof of concept api for this purpose.
  • this initiative is very good! but services have to implement this on their own, his api only handles one request every 1.5 seconds per ip.
  • if somebody wants to check if his own password is in the list, one can use his web interface. DO NOT INPUT YOUR PLAIN-TEXT PASSWORDS THERE!!!
  • calculate the SHA1 hash of the password you want to check, via offline utility or a trustworthy online javascript implementation. then input the SHA1 hash in the web interface, it’ll recognize it as a hash and compare it with the list.
  • cloudflare caches the 5.3GB file to support the initiative of helping organizations implement this password validation practice.
  • donate nevertheless to support the initiative and troy hunt.
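
The offline check described in the posts above (hash the password locally, then compare it against the downloaded SHA1 list), as an added example that is not part of the original thread. It assumes the extracted archive is a text file with one hex SHA1 per line, optionally followed by `:count`; the file path argument and the function names are hypothetical.

```python
import getpass
import hashlib
import sys


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, computed locally."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def find_breached(lines, passwords):
    """Scan the hash lines once; return the passwords whose hash appears.

    Assumed line format: 40 hex chars, optionally followed by ':count'.
    Letter case and surrounding whitespace are ignored.
    """
    wanted = {sha1_hex(p): p for p in passwords}
    found = set()
    for line in lines:
        digest = line.strip().split(":", 1)[0].upper()
        if digest in wanted:
            found.add(wanted[digest])
            if len(found) == len(wanted):
                break  # every candidate matched; stop reading early
    return found


def main(path):
    # getpass keeps the passwords off the screen and out of shell history.
    candidates = []
    while True:
        pw = getpass.getpass("Password to check (empty to finish): ")
        if not pw:
            break
        candidates.append(pw)
    # Stream the multi-gigabyte file line by line instead of loading it.
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        hits = find_breached(fh, candidates)
    # Report by position so no password is echoed back to the terminal.
    for i, pw in enumerate(candidates, 1):
        print(f"candidate {i}:", "FOUND in list" if pw in hits else "not in list")


if __name__ == "__main__":
    main(sys.argv[1])
```

Checking several passwords in one run matters here because each run is a full pass over the file; nothing leaves the machine at any point.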

haveIbeenpwned is a service he’s been running for a few years, which tracks whether or not your email address has been used in any data breaches. it has a bunch of features, but it does not - and never has - stored passwords. Even if the entire site was compromised, your email+password combo isn’t getting exposed that way. That’s the site you’re on.

The new feature is at the top of the page, ‘pwned passwords’. I haven’t read the full write-up yet but Troy is a careful guy. I’m guessing there’s no plaintext passwords anywhere on the site, everything is hashed at the earliest opportunity, and there’ll be no link between a hash and the account(s) it was originally linked to.

There are security concerns with this type of thing for sure (this website hosted by a malicious actor would be pretty risky), but Troy has a proven track record here and I doubt he’d put it up if he thought there was any plausible security risk.

Disclosure: I’ve been using his breach notification for multiple domains and followed his blog for a few years now.


“Is your password in here?” Another password fishing scam.
