Pwned Passwords

Pwned Passwords are hundreds of millions of real world passwords exposed in data breaches. This exposure makes them unsuitable for ongoing use as they're at much greater risk of being used to take over other accounts. They're searchable online below as well as being downloadable for use in other online system. Do not send any password you actively use to a third-party service - even this one!

Good news — no pwnage found!

This password wasn't found in any of the Pwned Passwords loaded into Have I been pwned. That doesn't necessarily mean it's a good password, merely that it's not indexed on this site.

Notify me when I get pwned Donate

Oh no — pwned!

This password has previously appeared in a data breach and should never be used. If you've ever used it anywhere before, change it immediately!

Notify me when I get pwned Donate

Password reuse and credential stuffing

Password reuse is normal. It's extremely risky, but it's so common because it's easy and people aren't aware of the potential impact. Attacks such as credential stuffing take advantage of reused credentials by automating login attempts against systems using known emails and password pairs.


NIST's guidance: check passwords against those obtained from previous data breaches

The Pwned Passwords service was created after NIST released guidance specifically recommending that user-provided passwords be checked against existing data breaches . The rationale for this advice and suggestions for how applications may leverage this data is described in detail in the blog post titled Introducing 306 Million Freely Downloadable Pwned Passwords.


Downloading the Pwned Passwords list

The entire set of passwords is downloadable for free below with each password being represented as a SHA1 hash to protect the original value (some passwords contain personally identifiable information). The list may be integrated into other systems and used to verify whether a password has previously appeared in a data breach after which a system may warn the user or even block the password outright. For suggestions on integration practices, read the Pwned Passwords launch blog post for more information.

  File Date Size Description SHA1 hash of 7-Zip file
download torrent Version 1 3 Aug 2017 5.3GB The original 306m hashes provided at the release of the service 90d57d16a2dfe00de6cc58d0fa7882229ace4a53
download torrent Update 1 4 Aug 2017 250MB Additional 14m hashes with varying cases not originally included in the initial processing 00fc585efad08a4b6323f8e4196aae9207f8b09f
download Update 2 5 Aug 2017 7.6MB Additional 400k hashes as passwords over 40 chars were truncated in earlier processing 20318090278bbd196945025bc7bf93e99f261f9a

Help support HIBP by donating

Thank you for downloading the Pwned Passwords! While the file is downloading, if you'd like to help support the project there's a donate page that explains more about what goes into making all this possible. Your support in helping this initiative continue is most appreciated!

go to the donate page

The bandwidth costs of distributing this content from a hosted service is significant when downloaded extensively. Cloudflare kindly offered to support this initiative by aggressively caching the file at their edge nodes over and beyond what would normally be available. Their support in making this data available to help organisations protect their customers is most appreciated.

Cloudflare logo