Nerdy leaked passwords:
Treebeard - “This password has been seen 1,207 times before in data breaches!”
NedStark - 20 times
CerseiLannister - 30 times
youknownothingjonsnow - 61 times
PicardIsSexy - 0 times (!The_Picard_Maneuver@piefed.world you’re safe. ;)
edit:
Gandalf1 - 53,478
Gandalfthewhite - 51
sexygandalf - 6
NSFW leaked passwords:
spoiler
bigdick - 178,712 (!?!)
bigpussy - 9,226
longpussy - 26
longdick - 10,762
wetpussy - 61,575
wetdick - 579
twat - 6,588
dickhead - 201,942
Blueballs69 - 520
Weird leaked passwords:
BillClinton - 378
DonaldTrump123 - 792
youwillneverguessmypassword - 390
redgreenblue - 2,040
123qweasdzxc - 1,010,515
poopstick - 6,845
((More to come later))
For those worried about inputting a password into a tool like this, they’ve actually done a great job keeping your pass secure.
Passwords entered on this site do not get transmitted to the server. Instead, they are hashed, then only the first half of the hash is sent to the server. The server replies with a list of every password hash they’ve found in leaks that match the partial hash you sent them. Your computer then looks through the list and tells you if the password you entered (which was kept on your pc, not transmitted) exists in that list.
From Haveibeenpwneds perspective; they sent you a big list of potential matches, but don’t know which one if any actually matches your password, because they were never given the full hash, let alone the raw password.
There’s even an open-source script you can run that does this within a console instead of a browser. Or, you can download their whole password DB via their github tools, then check it entirely offline.
So, a malicious JavaScript library update then…
The open-source local script might be better, I’ll have to check into that!
You could say the same about every password entry field; but that’s why there are local/alternative options here.
Alternatively just hash your password with SHA-1 or NTLM and put the first 5 character of the hash into this link: https://api.pwnedpasswords.com/range/{first-5-hash-chars} then check the results for the rest of the characters of your hash.
Example flow:
Your password: 1234
Runecho -n "1234" | sha1sum | awk '{ print toupper($0) }'or some other method to locally generate the SHA-1 hash
Resulting SHA-1 Hash: 7110EDA4D09E062AA5E4A390B0A572AC0D2C0220
Split off 5: 7110E - DA4D09E062AA5E4A390B0A572AC0D2C0220
Open Link https://api.pwnedpasswords.com/range/7110E
Search for DA4D09E062AA5E4A390B0A572AC0D2C0220
Find: DA4D09E062AA5E4A390B0A572AC0D2C0220:30272674
So this password appears a bit over 30 million times in the breach data he has.All Troy gets from you, if you do this, is the first 5 characters of your hash, which is pretty useless.
I don’t know if I want to be putting my passwords in to something like this lol
If you’re worried, send them to me and I’ll check for you.
hunter2
Yeah that one is used, you should change it
I just see *******
Oh lol that one is old
FYI: hunter2 was used by 65,744 accounts. hahaha
I am both impressed and horrified by this fact.
yezzir
deleted by creator
It makes a cryptographically-secure hash of the password you enter, then truncates that before sending it to the server so the only information they get would be in common with a huge number of other passwords. They then send back the leaked passwords with the same truncated hash, and your computer checks to see if what you’ve entered matches anything on the list. It’s not practical to send the whole list for every query as there’s just too much data, but if you don’t trust their site, you can just download the whole list and check against it yourself.
I dont think its a good idea to give them your password
This functionality is built-in to bitwarden, they can safely check your entire vault for known breaches
They’re missing a real opportunity here- when someone enters the “password” 12345, which 31,033,620 times by the way, their page should immediately display this
