Published database with 320 million unique passwords (5.5 GB) / SurprizingFacts

Checking accounts for survivability

One of the main rules when choosing a password – do not use Password, which was already lit up in some kind of hacking and got into one of the bases available to attackers. Even if your password is 100500 characters, but it is there – it's bad. For example, because in the program for password brute force, you can download this database as a dictionary list. What do you think, what percentage of hashes will it crack, just by checking the entire dictionary list? Probably about 75% (see below for real statistics).

So, how do we know which passwords are there for attackers? Thanks to security specialist Troy Hunt you can check these bases. Moreover, they can be downloaded to your computer and used for your own needs. These are two text files in the archives: from 306 million passwords (5.3 GB) and from 14 million passwords (250 MB).

The bases are on this page.

All passwords in the database are represented as hashes SHA1. Before hashing, all characters are in uppercase (uppercase). Troy Hunt says that he applied the HASHBYTES function, which translates characters to uppercase. So making your hash, you need to implement a similar procedure if you want to find a match (note: the comments say they find password hashes in different registers).

Direct links:

https : //downloads.pwnedpasswords.com/passwords/pwned-passwords-1.0.txt.7z
(306 million passwords, 5.3 GB), the mirror
SHA1 hash of the 7-Zip file: 90d57d16a2dfe00de6cc58d0fa7882229ace4a53
SHA1 hash of the text file: d3f3ba6d05b9b451c2b59fd857d94ea421001b16

The uncompressed text file takes up 11.9 GB.

https://downloads.pwnedpasswords.com/passwords/pwned-passwords-systems-systems-html Update-1.txt.7z
(14 million passwords, 250 MB), mirror
SHA1 hash of the 7-Zip file: 00fc585efad08a4b6323f8e4196aae9207f8b09f

If you are stupid fearless, then on the same page you can enter your unique password and check it for availability in databases without downloading them. Troy Hunt promises that he will not use your password in any way and his service is absolutely reliable. "Do not send your actively used password to any service – not even this one!", Warns on the page. The software interfaces of this service are fully documented, they accept SHA1 hashes in approximately the following way:

  GET https://haveibeenpwned.com/api/v2/pwnedpassword/ce0b2b771f7d468c0141918daea704e0e5ad45db?originalPasswordIsAHash=true

But still it's safer to check your password offline. Therefore, Troy Hunt laid out the base in open access on a cheap hosting. He refused to sit the torrent, because it "will make people's access to information difficult" – many organizations block torrents, and for him little money for hosting does not mean anything.

Hunt tells where he got these bases. He says there were a lot of sources. For example, the Exploit.in database contains 805 499 391 email addresses with passwords. Hunt's task was to extract unique passwords, so he immediately began the coincidence analysis. It turned out that there are only 593 427 119 unique addresses in the database and only 197 602 390 unique passwords. This is a typical result: the absolute majority of passwords (in this case, 75%) are not unique and are used by many people. Actually, that's why it is recommended to compare it with the master password after generating its master password.

The second largest source of information was Anti Public: 562 077 488 lines, 457 962 538 unique postal addresses and 96 684 629 unique passwords , Which were not in the database Exploit.in.

Other sources Troy Hunt does not mention, but in the end he got 306 259 512 unique passwords. The next day he added another 13,675,934, again from an unknown source – these passwords are distributed by a separate file.

So now the total number of passwords is 319,935,446 pieces. These are truly unique passwords that have been deduplicated. Of the several versions of the password (P @ 55w0rd and p @ 55w0rd), only one (p @ 55w0rd) is added to the database. As already mentioned, all lowercase characters are replaced with capital letters before hashing, so both of these versions of the password will produce the same hash.

After Troy Hunt asked on Twitter what cheap hosting could be advised to him, Organization Cloudflare and offered to want files for free. Troy agreed. So boldly download files from the hosting, it's free for the author.