Have I Been Pwned: Pwned Passwords
haveibeenpwned.com
Pwned Passwords is a huge corpus of previously breached passwords made freely available to help services block them from being used again.

Nerdy leaked passwords:

Treebeard - “This password has been seen 1,207 times before in data breaches!”

NedStark - 20 times

CerseiLannister - 30 times

youknownothingjonsnow - 61 times

PicardIsSexy - 0 times (!The_Picard_Maneuver@piefed.world you’re safe. ;)

edit:

Gandalf1 - 53,478

Gandalfthewhite - 51

sexygandalf - 6

NSFW leaked passwords:

spoiler

bigdick - 178,712 (!?!)

bigpussy - 9,226

longpussy - 26

longdick - 10,762

wetpussy - 61,575

wetdick - 579

twat - 6,588

dickhead - 201,942

Blueballs69 - 520

Weird leaked passwords:

BillClinton - 378

DonaldTrump123 - 792

youwillneverguessmypassword - 390

redgreenblue - 2,040

123qweasdzxc - 1,010,515

poopstick - 6,845

((More to come later))

  • Darkassassin07@lemmy.caEnglish
    87·
    4 days ago

    For those worried about inputting a password into a tool like this, they’ve actually done a great job keeping your pass secure.

    Passwords entered on this site do not get transmitted to the server. Instead, they are hashed, then only the first half of the hash is sent to the server. The server replies with a list of every password hash they’ve found in leaks that match the partial hash you sent them. Your computer then looks through the list and tells you if the password you entered (which was kept on your pc, not transmitted) exists in that list.

    From Haveibeenpwneds perspective; they sent you a big list of potential matches, but don’t know which one if any actually matches your password, because they were never given the full hash, let alone the raw password.

    There’s even an open-source script you can run that does this within a console instead of a browser. Or, you can download their whole password DB via their github tools, then check it entirely offline.

    • Kazumara@discuss.tchncs.deEnglish
      5·
      4 days ago

      Alternatively just hash your password with SHA-1 or NTLM and put the first 5 character of the hash into this link: https://api.pwnedpasswords.com/range/{first-5-hash-chars} then check the results for the rest of the characters of your hash.

      Example flow:

      Your password: 1234
      Run echo -n "1234" | sha1sum | awk '{ print toupper($0) }' or some other method to locally generate the SHA-1 hash
      Resulting SHA-1 Hash: 7110EDA4D09E062AA5E4A390B0A572AC0D2C0220
      Split off 5: 7110E - DA4D09E062AA5E4A390B0A572AC0D2C0220
      Open Link https://api.pwnedpasswords.com/range/7110E
      Search for DA4D09E062AA5E4A390B0A572AC0D2C0220
      Find: DA4D09E062AA5E4A390B0A572AC0D2C0220:30272674
      So this password appears a bit over 30 million times in the breach data he has.

      All Troy gets from you, if you do this, is the first 5 characters of your hash, which is pretty useless.

    • thejml@sh.itjust.worksEnglish
      112·
      4 days ago

      So, a malicious JavaScript library update then…

      The open-source local script might be better, I’ll have to check into that!

      • Darkassassin07@lemmy.caEnglish
        20·
        4 days ago

        You could say the same about every password entry field; but that’s why there are local/alternative options here.