Looking for a password? Don't use any of these 306 million


Check PasswordsUse this searchable database of over 300 million exposed passwords to check if a password has been compromised.

The security researcher behind the popular website 'have i been pwned?' has created a searchable database of millions of passwords that were exposed in various data breaches. You can easily check if a password has been exposed in a previous breach with this useful tool.

The password tool is very easy to use, just plug in a password and and click the pwned? button and it will be checked against the 300+ million passwords in the database. Troy Hunt, the researcher behind the have 'i been pwned' site and the new password database tool, stresses that it's not a good idea to send any password you are currently using to any third party site, including the password site. Good suggestion, as well as not using the same password for more than one account such as email, websites, etc. You won't want to use the most common passwords to create a password, you can find a list of them in this article.

The website have i been pwned lets users check if their email address has been exposed in a breach. It also offers an added service where you can sign up to be notified when future pwnage occurs and if your email account is compromised.

Check if a password has been compromised

You can find more Tech Treats here.

Please rate this article: 

Your rating: None
Average: 4.1 (17 votes)


His name is Troy Hunt! (not Hunter!) Please consider editing your article to correct that.

He has a very white hat, and he's a master at building secure web applications. He's more trustworthy than almost anybody on the intertoobz. For just one piece of evidence of this, notice that https://haveibeenpwned.com/ has an extended validation certificate. It shows his name next to the lock on the location bar. It takes hard work and money to make that happen, especially for an individual.

You're right to be concerned about punching your password into a strange web site. Don't put your bank password in there.

It would be great if there were a Javascript module that would check peoples' proposed passwords against the 306 million, without sending them over the network first. But that would be an obscenely large module. Better to check against the ten thousand most common passwords.

Wikipedia gives you a way to do that without sending your password. https://en.wikipedia.org/wiki/Wikipedia:Most_common_passwords/10000

Yes you're right, his name is Troy Hunt, and I've known that for some time. The wonders of auto-correct never cease to amaze me. My mistake, it's been corrected, thank you for pointing it out. :)
I have tremendous amount of regard for him and his work.

Thanks for the Wikipedia link, looks like good resource. I like it that you can input your password into the browser  address bar and search for the password that way. Note to readers: the list contains some NSFW (not safe for work) words

Even though the site manager advises against sending a current password, it seems that sending a potential one could be just as harmful. What's to prevent it from being added to the list of passwords used to crack a site?

Good question. The site owner has compiled the passwords of publicly released data breaches into a searchable database. He doesn't add to them by using any passwords that are checked using the search box.  My understanding is that his concern is that someone will type in a password that they are actively using that could potentially be picked up by outside parties. Basically he's suggesting that anyone not expose important passwords (like banking and other important passwords) on any third party site. Stick to using important passwords at the sites they are meant for and that have (presumably) enhanced security. More details here: https://haveibeenpwned.com/FAQs

It is possible that a password you check at the site that hasn't been used could be picked up, as nothing is truly safe on the internet. I think you have to decide what's comfortable for you. An email password I checked wasnt in the database and I'm still using it. It's for an account that gets little use and has little personal information. The information I supplied is not my real personal information, so I decided the risk was low. I am pretty sure that passwords like 12356 and the word password are amply represented in theat of passwords in the data beaches as they are commonly used, year in and year out. The list is also downloadable and can be checked offline but it's not a straightforward searchable text file. The site has more information and presumes a level of knowledge that most of us don't have. It was done that way to protect personally identifiable information from being viewed.