Pwned Passwords

Almost 2 years ago to the day, I wrote about Passwords Evolved: Authentication Guidance for the Modern Era [https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/]. This wasn't so much an original work on my behalf as it was a consolidation of advice from the likes of NIST, the NCSC and Microsoft about how we should be doing authentication today. I love that piece because so much of it flies in the face of traditional thinking about passwords, for example: 1. Do...

Many people will land on this page after learning that their email address has appeared in a data breach I've called "Collection #1". Most of them won't have a tech background or be familiar with the concept of credential stuffing so I'm going to write this post for the masses and link out to more detailed material for those who want to go deeper. Let's start with the raw numbers because that's the headline, then I'll drill down into where it's from and what it's composed of. Collection #1 is a...

As time has gone by, one of the things I've enjoyed the most in running Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) is seeing how far I could make the dollars stretch. How big can it go whilst at the same time, running it on a shoestring? I keep finding new ways of optimising cost and the two most significant contributions to that since launching almost 5 years ago have come via serverless technology provided by 2 of my favourite tech companies: Cloudflare and Microsoft. By way of (v...

I'm still pretty amazed at how much traction Pwned Passwords [https://haveibeenpwned.com/Passwords] has gotten this year. A few months ago, I wrote about Pwned Passwords in Practice [https://www.troyhunt.com/pwned-passwords-in-practice-real-world-examples-of-blocking-the-worst-passwords/] which demonstrates a whole heap of great use cases where they've been used in registration, password reset and login flows. Since that time, another big name has come on board too [https://blog.github.com/2018...

Over recent weeks, I've begun planning the release of the 3rd version of Pwned Passwords. If you cast your mind back, version 1 came along in August last year [https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/] and contained 320M passwords. I made all the data downloadable as SHA-1 hashes (for reasons explained in that post) and stood up a basic API to enable anyone to query it by plain text password or hash. Then in Feb, version 2 landed [https://www.troyhunt...

Back in August, I pushed out a service as part of Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) to help organisations block bad passwords from their online things. I called it "Pwned Passwords" and released 320M of them from real-world data breaches [https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/] via both a downloadable file and an online service. This was in response to NIST's Digital Identity Guidelines [https://www.nist.gov/itl/tig/special-publ...

A couple of months ago, I launched version 2 of Pwned Passwords [https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/]. This is a collection of over half a billion passwords which have previously appeared in data breaches and the intention is that they're used as a black list; these are the "secrets" that NIST referred to in their recent guidance [https://pages.nist.gov/800-63-3/sp800-63b.html]: > When processing requests to establish and change memorized secrets, verifiers SHA...

When I launched Pwned Passwords in August [https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/], I honestly didn't know how much it would be used. I made 320M SHA-1 password hashes downloadable and also stood up an API to query the data "as a service" by either a plain text password or a SHA-1 hash. (Incidentally, for anyone about to lose their mind over SHA-1, read that launch post as to why that hashing algorithm is used.) But the service did become quite popu...

In the immortal words of Ricky Bobby, I wanna go fast [https://www.youtube.com/watch?v=_qJGsSuFRIg]. When I launched Pwned Passwords V2 last week [https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/], I made it fast - real fast - and I want to talk briefly here about why that was important, how I did it and then how I've since shaved another 56% off the load time for requests that hit the origin. And a bunch of other cool perf stuff while I'm here. Why Speed Matters for Pwned...

Last August, I launched a little feature within Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) I called Pwned Passwords [https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/]. This was a list of 320 million passwords from a range of different data breaches which organisations could use to better protect their own systems. How? NIST explains [https://pages.nist.gov/800-63-3/sp800-63b.html]: > When processing requests to establish and change memorized secr...