Pwned Passwords

Pwned Passwords are hundreds of millions of real world passwords previously exposed in data breaches. This exposure makes them unsuitable for ongoing use as they're at much greater risk of being used to take over other accounts. They're searchable online below as well as being downloadable for use in other online systems. Read more about how HIBP protects the privacy of searched passwords.

Using Have I Been Pwned is subject to the terms of use

Good news — no pwnage found!

This password wasn't found in any of the Pwned Passwords loaded into Have I Been Pwned. That doesn't necessarily mean it's a good password, merely that it's not indexed on this site. If you're not already using a password manager, go and download 1Password and change all your passwords to be strong and unique.

Password reuse and credential stuffing

Password reuse is normal. It's extremely risky, but it's so common because it's easy and people aren't aware of the potential impact. Attacks such as credential stuffing take advantage of reused credentials by automating login attempts against systems using known emails and password pairs.

NIST's guidance: check passwords against those obtained from previous data breaches

The Pwned Passwords service was created in August 2017 after NIST released guidance specifically recommending that user-provided passwords be checked against existing data breaches. The rationale for this advice and suggestions for how applications may leverage this data is described in detail in the blog post titled Introducing 306 Million Freely Downloadable Pwned Passwords. In February 2018, version 2 of the service was released with more than half a billion passwords, each now also with a count of how many times they'd been seen exposed. A version 3 release in July 2018 contributed a further 16M passwords, version 4 came in January 2019 along with the "Collection #1" data breach to bring the total to over 551M. Version 5 landed in July 2019 with a total count of 555M records, version 6 arrived June 2020 with almost 573M then version 7 arrived November 2020 bringing the total passwords to over 613M. The final monolithic release was version 8 in December 2021 which marked the beginning of the ingestion pipeline utilised by law enforcement agencies such as the FBI.

Downloading the Pwned Passwords list

As of May 2022, the best way to get the most up to date passwords is to use the Pwned Passwords downloader. The downloaded password hashes may be integrated into other systems and used to verify whether a password has previously appeared in a data breach after which a system may warn the user or even block the password outright. For suggestions on integration practices, read the Pwned Passwords launch blog post for more information.

Cloudflare's support

The costs of providing this service for free would be extensive were it not for Cloudflare's support. They provide the resources to ensure more than 99% of all queries are served directly from their infrastructure by aggressively caching the data at their edge nodes over and beyond what would normally be freely available. Their support in making this data available to help organisations protect their customers is most appreciated.

Cloudflare logo