In my opinion, haveibeenpwned is the best website to find out about the security of your password. It has gone through a few versions over the years, each version bringing an overall increase in the database of hacked passwords. The first version, in August 2017, had a whopping 320 million unsafe passwords. By February this year, the second version reached a little over 500 million passwords. Now the third version is here, and about 15.6 million passwords have been added, bringing the total password count to 517,238,891. Now that’s a lot.
What exactly is this website?
This site is the go-to choice when in doubt. It contains a database of over half a billion passwords that have appeared in past data breaches. Passwords on the list are considered insecure because they are likely to turn up again in future data breaches. Needless to say, if your password is on the list, you should change it. Fast.
How is it used?
Simply navigate to the website and you come across the search bar. Type in your password and you’re good to go. I personally tried out the tool, and I can’t say whether or not I was pleased with the results. On the bright side, the tool works. Unfortunately for me, my password was unsafe and had been seen in previous data breaches. It looks like I’ll need a password change right away.
Another interesting feature was what lay underneath the search bar, showing how many times my password had been seen in data breaches. In my case, it was seen 59 times. That’s impressive and scary at the same time. Reused passwords are often how people get hacked on otherwise more secure websites. The statistics say V3 was supposed to add over 194 million passwords; this was narrowed down to 15.6 million because the rest already existed in the system. Reused passwords are popular, and in most cases they end in disaster, which is why one should ensure his/her password is as unique as possible. Reports say the worst password is still “123456”, the same as in V2. The impressive part is that it has risen from being seen 20,760,336 times to 22,390,492 times.
What else?
The entire password list is freely available for download on the website via both a “torrent” link and a “Cloudflare” link, stored as SHA-1 hashes. Alongside each hash is a count of how many times that password has been seen. Ordered by prevalence, the download is over 10GB. It’s a good thing the list is made public, because companies can attach it to online authentication forms and prohibit the use of any insecure password on the list. Of course, malicious individuals can also put it to use. Credential stuffing is the technique whereby attackers feed such a password list into an automated login system: each password and a corresponding email or username is tried until a login succeeds. With half a billion passwords here, success is likely.
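As an added example of the defensive use described above (this is not code from the article or from haveibeenpwned), the following Python shows how a sign-up or password-change form could reject any password found in the downloaded list. It assumes the download is a text file of `SHA1:COUNT` lines (uppercase hex SHA-1, then the number of sightings). The embedded excerpt is constructed for the example: its two hashes are the SHA-1 digests of “123456” and “password”, the 22,390,492 count for “123456” is the V3 figure quoted in the article, and the other count is made up. Because the real file is over 10GB, the example also shows a streaming lookup that never loads the whole list into memory.

```python
import hashlib
from typing import Dict, Iterable, Optional, Tuple

# Constructed excerpt in the "SHA1:COUNT" line format of the downloadable list.
# Hashes are SHA-1("123456") and SHA-1("password"); the first count is the V3
# figure from the article, the second is an invented sample value.
SAMPLE_PWNED_LIST = """\
7C4A8D09CA3762AF61E59520943DC26494F8941B:22390492
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3500000
"""


def sha1_upper(password: str) -> str:
    """Hash a password the way the list does: SHA-1 of the UTF-8 bytes, uppercase hex."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_pwned_line(line: str) -> Optional[Tuple[str, int]]:
    """Parse one 'HASH:COUNT' line; return None for blank or malformed lines."""
    line = line.strip()
    if not line:
        return None
    digest, sep, count = line.partition(":")
    if sep != ":" or len(digest) != 40 or not count.isdigit():
        return None
    return digest.upper(), int(count)


def load_pwned_index(text: str) -> Dict[str, int]:
    """Build an in-memory hash -> count index from a (small) excerpt of the list.

    Only sensible for a subset: the full download is over 10GB, so for the
    real file use stream_lookup() instead of loading everything into a dict.
    """
    index: Dict[str, int] = {}
    for line in text.splitlines():
        parsed = parse_pwned_line(line)
        if parsed:
            digest, count = parsed
            index[digest] = count
    return index


def pwned_count(password: str, index: Dict[str, int]) -> int:
    """How many times the password was seen in breaches (0 if not on the list)."""
    return index.get(sha1_upper(password), 0)


def stream_lookup(lines: Iterable[str], password: str) -> int:
    """Scan the list line by line (e.g. an open file) without loading it into memory.

    The download is ordered by prevalence, not by hash, so a linear scan is
    needed; we stop at the first match and return its count (0 if never found).
    """
    target = sha1_upper(password)
    for line in lines:
        parsed = parse_pwned_line(line)
        if parsed and parsed[0] == target:
            return parsed[1]
    return 0


def check_new_password(password: str, index: Dict[str, int]) -> Tuple[bool, str]:
    """Policy hook for a sign-up or password-change form: reject any listed password."""
    seen = pwned_count(password, index)
    if seen > 0:
        return False, f"This password has appeared in data breaches {seen:,} times; choose another."
    return True, "Password not found in the breach list."


if __name__ == "__main__":
    idx = load_pwned_index(SAMPLE_PWNED_LIST)
    # Demo only: a real form would never print or log the candidate password.
    for candidate in ("123456", "password", "correct-horse-battery-staple-2018"):
        ok, reason = check_new_password(candidate, idx)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected'} ({reason})")
    # Same lookup without an index, the way you would scan the full download.
    print(stream_lookup(SAMPLE_PWNED_LIST.splitlines(), "123456"))
```

The check hashes the candidate locally and only compares digests, so the plaintext never has to leave the server; the SHA-1 here is a lookup key for the list, not a storage format, and the account’s own credential should still be stored with a slow, salted password hash.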