Iamadork, ilovecats, xhackerx, emoforever, and cyberwarrior. All arguably embarrassing passwords and coincidentally all previously associated with accounts involved in data breaches. They are not safe passwords; you should not use them.
Security researcher Troy Hunt, the man behind data breach tracking blog Have I Been Pwned, has launched a tool for searching through 320 million compromised passwords that have previously been involved in some of this decade’s biggest data dumps (think: LinkedIn, MySpace, and Adobe). He’s also made the hashed passwords available for download as a single 5.3GB file. Essentially, it’s a database of passwords that you should definitely not be using anywhere.
I reached back through the caverns of my brain and pulled up some very early passwords I used when I was a teenager. Yep, one of those is not safe either, most likely linked to one of a myriad of dusty Hotmail accounts I haven’t used for more than ten years. It was a dumb password.
Hunt says he created the ‘Pwned Passwords’ tool after realising that he was in a unique position to help people not to use passwords already involved in data breaches.
“My hope is that an easily accessible online service like this also partially addresses the age-old request I’ve had to provide email address and password pairs,” says Hunt in a blog post. “If the password alone comes back with a hit on this service, that’s a very good reason to no longer use it regardless of whose account it originally appeared against”.
Recently, the US National Institute of Science and Technology published guidance saying that passwords should be cross-checked against those exposed in data breaches.
Hunt advises against testing your current passwords on the service, however. “Don’t enter a password you currently use into any third-party service like this!” he advises. “I don’t explicitly log them and I’m a trustworthy guy but yeah, don’t.”
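Taking Hunt's advice to its practical conclusion, the safe way to check a password you actually use is against the downloaded hash list, offline, rather than by typing it into a website. The example below is added here and is not Hunt's code or part of Have I Been Pwned; it assumes the downloaded file stores one hex SHA-1 hash per line (the format is an assumption), and the 5.3GB file is stood in for by a constructed five-line list built from the passwords the article names. It also shows the server-side use the NIST guidance calls for: rejecting a breached password at registration time.

```python
import hashlib
import io
from typing import Iterable, List, Set

# Constructed stand-in for the downloaded list: the real file is one hash per
# line and several gigabytes; here we hash the article's own example passwords.
SAMPLE_BREACHED = ["iamadork", "ilovecats", "xhackerx", "emoforever", "cyberwarrior"]


def sha1_hex(password: str) -> str:
    """Hash a password the way the list is assumed to store it:
    uppercase hex SHA-1 of the UTF-8 bytes (format is an assumption)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def sample_lines() -> List[str]:
    """Lines of the constructed stand-in file, with trailing newlines as a
    real file would have them."""
    return [sha1_hex(p) + "\n" for p in SAMPLE_BREACHED]


def load_hashes(lines: Iterable[str]) -> Set[str]:
    """Normalise each line (strip whitespace, uppercase) so that case or
    line-ending differences in the list never cause a missed match."""
    known: Set[str] = set()
    for line in lines:
        h = line.strip().upper()
        if len(h) == 40:  # ignore blank or malformed lines
            known.add(h)
    return known


def sample_known() -> Set[str]:
    return load_hashes(sample_lines())


def is_breached(password: str, known: Set[str]) -> bool:
    """Constant-size set lookup once the list is in memory."""
    return sha1_hex(password) in known


def is_breached_streaming(password: str, lines: Iterable[str]) -> bool:
    """For the full multi-gigabyte file, scan line by line instead of
    holding every hash in memory: hash the candidate once, compare each line."""
    target = sha1_hex(password)
    for line in lines:
        if line.strip().upper() == target:
            return True
    return False


def registration_check(password: str, known: Set[str], min_len: int = 8) -> List[str]:
    """Server-side policy hook: return the reasons a proposed password is
    rejected (empty list means accepted). Length floor of 8 is a hypothetical
    site policy; the breach check is the point the article makes."""
    problems: List[str] = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if is_breached(password, known):
        problems.append("appears in a known breach list")
    return problems


if __name__ == "__main__":
    known = sample_known()
    for candidate in ["iamadork", "correct horse battery staple"]:
        print(candidate, "->", registration_check(candidate, known) or ["ok"])
    # Streaming variant over the same constructed lines, as you would over the real file.
    print("emoforever (streamed) ->", is_breached_streaming("emoforever", io.StringIO("".join(sample_lines()))))
```

The set-based check is what you want inside a signup handler where the list has been loaded once at startup; the streaming variant is for a one-off check on a laptop where you would rather not hold the whole file in RAM. Either way the password never leaves the machine.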
Publishing these passwords doesn’t put anyone who might still be using them at extra risk, however. Just as Have I Been Pwned’s email-address search never reveals an associated password, the new tool doesn’t tie any password to an email address or username.
“As well as people checking passwords they themselves may have used, I’m envisaging more tech-savvy people using this service to demonstrate a point to friends, relatives and co-workers: ‘you see, this password has been breached before, don’t use it!’” says Hunt. “If there’s one thing I’ve learned over the years of running this service, it’s that nothing hits home like seeing your own data pwned.”
After you’ve checked your passwords, improve the ones you use with our guide to creating strong passwords.