Pwned Passwords are 555,278,657 real world passwords previously exposed in data breaches. This exposure makes them unsuitable for ongoing use as they’re at much greater risk of being used to take over other accounts. They’re searchable online below as well as being downloadable for use in other online systems. Read more about how HIBP protects the privacy of searched passwords.
Password reuse and credential stuffing
Password reuse is normal. It’s extremely risky, but it’s so common because it’s easy and people aren’t aware of the potential impact. Attacks such as credential stuffing take advantage of reused credentials by automating login attempts against systems using known emails and password pairs.
NIST’s guidance: check passwords against those obtained from previous data breaches
The Pwned Passwords service was created in August 2017 after NIST released guidance specifically recommending that user-provided passwords be checked against existing data breaches. The rationale for this advice and suggestions for how applications may leverage this data is described in detail in the blog post titled Introducing 306 Million Freely Downloadable Pwned Passwords. In February 2018, version 2 of the service was released with more than half a billion passwords, each now also with a count of how many times they’d been seen exposed. A version 3 release in July 2018 contributed a further 16M passwords, version 4 came in January 2019 along with the “Collection #1” data breach to bring the total to over 551M. Finally, version 5 landed in July 2019 with another 30M passwords and a total count of almost 555M records.
A full-service web hosting, design and marketing company, DigitalWires specializes in helping small and medium-sized businesses develop internet strategies to enhance their current marketing efforts.
Whether you have an existing web presence, or are considering your options for the first time, DigitalWires can provide the tools and expertise you need to develop an effective, professional web strategy.