Password reuse and credential stuffing
Password reuse is normal. It's extremely risky, but it's so common because it's easy and
people aren't aware of the potential impact. Attacks such as credential stuffing
take advantage of reused credentials by automating login attempts against systems using known
emails and password pairs.
NIST's guidance: check passwords against those obtained from previous data breaches
The Pwned Passwords service was created in August 2017 after
NIST released guidance specifically recommending that user-provided passwords be checked
against existing data breaches . The rationale for this advice and suggestions for how
applications may leverage this data is described in detail in the blog post titled
Introducing 306 Million Freely Downloadable Pwned Passwords.
In February 2018, version 2 of the service was released
with more than half a billion passwords, each now also with a count of how many times they'd
been seen exposed. A version 3 release in July 2018
contributed a further 15.6M passwords to bring the total to 517M.
Downloading the Pwned Passwords list
The entire set of passwords is downloadable for free below with each password being
represented as a SHA-1 hash to protect the original value (some passwords contain personally
identifiable information) followed by a count of how many times that password had been seen
in the source data breaches. The list may be integrated into other systems and used to verify
whether a password has previously appeared in a data breach after which a system may warn the
user or even block the password outright. For suggestions on integration practices,
read the Pwned Passwords launch blog post
for more information.
Please download the data via the torrent link if possible! If you can't
access torrents (for example, they're blocked by a corporate firewall), use the "Cloudflare"
link and they'll kindly cover the bandwidth cost.
(ordered by prevalence)
|Version 3 with 517M hashes and counts of password usage ordered by most to least prevalent
(ordered by hash)
|Version 3 with 517M hashes and counts of password usage ordered by the hash
Help support HIBP by donating
Thank you for downloading the Pwned Passwords! While the file is downloading, if you'd like
to help support the project there's a donate page that explains more
about what goes into making all this possible. Your support in helping this initiative
continue is most appreciated!
go to the donate page
The bandwidth costs of distributing this content from a hosted service is significant when
downloaded extensively. Cloudflare kindly offered
to support this initiative by aggressively caching the file at their edge nodes over and
beyond what would normally be available. Their support in making this data available to help
organisations protect their customers is most appreciated.