Published base with 320 million unique passwords (5.5 GB)
Checking accounts for survivability
One of the main rules when choosing a password is not to use a password that has already appeared in any hack and has got into one of the databases accessible to attackers. Even if your password contains 100,500 characters, but it is there - it’s bad. For example, because in the program for brute force passwords you can download this database as a vocabulary list. What do you think, what percentage of hashes does it hack just by checking the entire vocabulary list? Probably about 75% (for real statistics, see below).
So, how do we know what passwords intruders have? Thanks to security specialist Troy Hunt, you can check these bases. Moreover, they can be downloaded to your computer and used for your needs. These are two text files in archives: from 306 million passwords (5.3 GB) and from 14 million passwords (250 MB).
Bases lie on this page .
')
All passwords in the database are presented as SHA1 hashes. Before hashing, all characters are converted to upper case (capital letters). Troy Hunt says he used the HASHBYTES function, which translates hashes into upper case. So making your hash should follow a similar procedure if you want to find a match.
Direct links:
https://downloads.pwnedpasswords.com/passwords/pwned-passwords-1.0.txt.7z
(306 million passwords, 5.3 GB), mirror
SHA1 hash of the 7-Zip file: 90d57d16a2dfe00de6cc58d0fa7882229ace4a53
SHA1 hash text file: d3f3ba6d05b9b451c2b59fd857d94ea421001b16
Unzipped text file is 11.9 GB.
https://downloads.pwnedpasswords.com/passwords/pwned-passwords-update-1.txt.7z
(14 million passwords, 250 MB), mirror
SHA1 hash of the 7-Zip file: 00fc585efad08a4b6323f8e4196aae9207f8b09f
SHA1 hash of the text file: 3fe6457fa8be6da10191bffa0f4cec43603a9f56
If you are
GET https://haveibeenpwned.com/api/v2/pwnedpassword/ce0b2b771f7d468c0141918daea704e0e5ad45db?originalPasswordIsAHash=true But it's still safer to check your password offline. Therefore, Troy Hunt laid out the bases in open access on a cheap hosting. He refused to sit down a torrent , because it “would make it difficult for people to access information” - many organizations block torrents, and for him a little money for hosting means nothing.
Hunt tells where he got these bases. He says there were many sources. For example, the base Exploit.in contains 805 499 391 email addresses with passwords. Hunt's task was to extract unique passwords, so he immediately began the analysis for coincidences. It turned out that the database contains only 593,427,119 unique addresses and only 197,602,390 unique passwords. This is a typical result: the absolute majority of passwords (in this case, 75%) are not unique and are used by many people. Actually, this is why a recommendation is given after generating your master password to verify it against the database.
The second largest source of information was Anti Public: 562 077 488 lines, 457 962 538 unique email addresses and another 96 684 629 unique passwords that were not in the base of Exploit.in.
Troy Hunt does not name the remaining sources, but in the end he got 306 259 512 unique passwords. The next day, he added another 13,675,934, again from an unknown source - these passwords are distributed in a separate file.
So now the total number of passwords is 319,935,446 pieces. These are truly unique passwords that have been deduplicated. Of several password versions (P @ 55w0rd and p @ 55w0rd), only one is added to the database (p @ 55w0rd).
After Troy Hunt asked on Twitter what kind of cheap hosting he could be advised, the well-known organization Cloudflare came to him and offered to download files for free. Troy agreed. So feel free to download files from the hosting, it is free for the author.
Source: https://habr.com/ru/post/357402/
All Articles