Download 306,000,000 cracked passwords and make sure you're not using one of them

Troy Hunt, proprietor of the Have I Been Pwned? service, has made 306,000,000 known-cracked passwords available as a download — you can grab the set and make sure that yours isn't among them, as these cracked passwords are the ones that are likely being used by hackers when they do brute-force attacks against encrypted password files.


If you're willing to trust Hunt, you can spare yourself the 5.3GB download and just query his search-engine with your passwords (trusting that he's not recording these and using them to attack you!).


To give people more options, they can also search for a SHA1 hash of the password. Taking the password "p@55w0rd" example from earlier on, a search for "ce0b2b771f7d468c0141918daea704e0e5ad45db" (the hash itself is not case sensitive so "CE0B…" is fine too) yields the same result:

The service auto-detects SHA1 hashes in the web UI so if your actual password was a SHA1 hash, that's not going to work for you. This is where you need the API which is per the existing APIs on the service, is fully documented. Using this you can perform a search as follows:

And as for that "but the actual password I want to search for is a SHA1 hash" scenario, you can always call the API as follows:

GET https://haveibeenpwned.com/api/v2/pwnedpassword/ce0b2b771f7d468c0141918daea704e0e5ad45db?originalPasswordIsAHash=true

That will actually return a 404 as nobody used the hash of "p@55w0rd" as their actual password (at least if they did, it hasn't appeared in plain text or was readily crackable). There's no response body when hitting the API, just 404 when the password isn't found and 200 when it is, for example when just searching for "p@55w0rd" via its hash:
GET https://haveibeenpwned.com/api/v2/pwnedpassword/ce0b2b771f7d468c0141918daea704e0e5ad45db

Just like the other APIs on HIBP, the Pwned Passwords service fully supports CORS so if you really did want to integrate it into a web front end somewhere, you can (I suggest sending only a SHA1 hash if you want to do that, at least it's some additional protection). Also like the other APIs, it's rate limited to one request every 1,500ms per IP address. This is heaps for legitimate web-based use cases.


Introducing 306 Million Freely Downloadable Pwned Passwords
[Troy Hunt]