Password reuse and credential stuffing
Password reuse is normal. It's extremely risky, but it's so common because it's easy and
people aren't aware of the potential impact. Attacks such as credential stuffing
take advantage of reused credentials by automating login attempts against systems using known
emails and password pairs.
NIST's guidance: check passwords against those obtained from previous data breaches
The Pwned Passwords service was created in August 2017 after
NIST released guidance specifically recommending that user-provided passwords be checked
against existing data breaches. The rationale for this advice and suggestions for how
applications may leverage this data is described in detail in the blog post titled
Introducing 306 Million Freely Downloadable Pwned Passwords.
In February 2018, version 2 of the service was released
with more than half a billion passwords, each now also with a count of how many times they'd
been seen exposed. A version 3 release in July 2018
contributed a further 16M passwords, version 4 came in January 2019
along with the "Collection #1" data breach to bring the total to over 551M.
Version 5 landed in July 2019
with a total count of 555M records, version 6 arrived June 2020
with almost 573M then version 7 arrived November 2020
bringing the total passwords to over 613M. The final monolithic release was version 8 in December 2021
which marked the beginning of the ingestion pipeline utilised by law enforcement agencies such as the FBI.
Downloading the Pwned Passwords list
The entire set of passwords is downloadable for free below with each password being
represented as either a SHA-1 or an NTLM hash to protect the original value (some passwords
contain personally identifiable information) followed by a count of how many times that
password had been seen in the source data breaches. The list may be integrated into other
systems and used to verify whether a password has previously appeared in a data breach after
which a system may warn the user or even block the password outright. For suggestions on
integration practices, read the Pwned Passwords launch blog post
for more information. At present, the downloadable files are not updated with new
entries from the ingestion pipeline, use the k-anonymity API if you'd like access to these.
Please download the data via the torrent link if possible! If you can't
access torrents (for example, they're blocked by a corporate firewall), use the "Cloudflare"
link and they'll kindly cover the bandwidth cost.
Help support HIBP by donating
Thank you for downloading the Pwned Passwords! While the file is downloading, if you'd like
to help support the project there's a donate page that explains more
about what goes into making all this possible. Your support in helping this initiative
continue is most appreciated!
go to the donate page
The bandwidth costs of distributing this content from a hosted service is significant when
downloaded extensively. Cloudflare kindly offered
to support this initiative by aggressively caching the file at their edge nodes over and
beyond what would normally be available. Their support in making this data available to help
organisations protect their customers is most appreciated.