Back to Home

Published database with 320 million unique passwords (5.5 GB)

passwords · hashes · brute force

Published database with 320 million unique passwords (5.5 GB)


    Checking accounts for survivability

    One of the main rules when choosing a password is not to use a password that has already been revealed in some hacking and has ended up in one of the databases accessible to attackers. Even if your password has 100500 characters, but it is there, it’s bad. For example, because you can load this database into a program for bruteforce passwords as a dictionary list. What percentage of hashes do you think she’ll crack by simply checking the entire dictionary list? Probably about 75% (see statistics below).

    So, how do we know what passwords attackers have? Thanks to security specialist Troy Hunt, you can check these bases. Moreover, they can be downloaded to your computer and used for your needs. These are two text files in archives: with 306 million passwords (5.3 GB) and with 14 million passwords (250 MB).

    The bases are on this page .

    All passwords in the database are represented as SHA1 hashes. Before hashing, all characters are uppercase (uppercase). Troy Hunt says he applied the HASHBYTES function , which translates hashes to uppercase. So, making your own hash, you should carry out a similar procedure if you want to find a match.

    Direct links:


    https://downloads.pwnedpasswords.com/passwords/pwned-passwords-1.0.txt.7z
    (306 million passwords, 5.3 GB), mirror
    SHA1 hash of the 7-Zip file: 90d57d16a2dfe00de6cc58d0fa7882229ace4a53
    SHA1 hash of the text file: d3f3ba6d05b9b451c2b59fd857d94ea421001b16 Unzipped

    , the text file occupies 11.9 GB.

    https://downloads.pwnedpasswords.com/passwords/pwned-passwords-update-1.txt.7z
    (14 million passwords, 250 MB), mirror
    SHA1 hash of the 7-Zip file: 00fc585efad08a4b6323f8e4196aae9207f8b09f
    SHA1 hash of the text file: 3fe6457fa8be6da10191bffa0f4cec43603a9f56

    If you are stupid fearless, then on the same pageYou can enter your unique password and check it for availability in the databases without downloading them. Troy Hunt promises that he will not use your password in any way and his service is absolutely reliable. “Do not send your actively used password to any service - even this one!”, - is warned on the page. The programming interfaces of this service are fully documented ; they accept SHA1 hashes in this way:

    GET https://haveibeenpwned.com/api/v2/pwnedpassword/ce0b2b771f7d468c0141918daea704e0e5ad45db?originalPasswordIsAHash=true

    But it’s still more reliable to check your password offline. Therefore, Troy Hunt laid out the database in open access on a cheap hosting. He refused to torrent torrents because it “will make it difficult for people to access information” - many organizations block torrents, and for him a little money for hosting means nothing.

    Hunt tellswhere he got these bases. He says that there were many sources. For example, the Exploit.in database contains 805,499,391 email addresses with passwords. Hunt's task was to extract unique passwords, so he immediately began a match analysis. It turned out that the database contains only 593,427,119 unique addresses and only 197,602,390 unique passwords. This is a typical result: the vast majority of passwords (in this case, 75%) are not unique and are used by many people. Actually, that's why a recommendation is given after generating your master password to compare it against the database.

    The second largest source of information was Anti Public: 562,077,488 lines, 457,962,538 unique email addresses and another 96,684,629 unique passwords that were not in the Exploit.in database.

    Troy Hunt does not name the rest of the sources, but in the end he got 306,259,512 unique passwords. The next day, he added another 13,675,934, again from an unknown source - these passwords are distributed in a separate file.

    So now the total number of passwords is 319,935,446 pieces. These are truly unique passwords that have been deduplicated. Out of several password versions (P @ 55w0rd and p @ 55w0rd), only one is added to the database (p @ 55w0rd).

    After Troy Hunt asked on Twitter what cheap hosting he could be advised, the well-known Cloudflare organization came to him and offered to upload files for free. Troy agreed. So feel free to download files from the hosting, it’s free for the author.

    Read Next