Troy Hunt, the security expert behind Have I Been Pwned (HIBP), has released 306 million previously-pwned passwords in a bid to help individuals and companies ramp up their online security. The passwords have been mined from dozens of data breaches, and now anyone can download them for free.
HIBP lets someone see if their email address has appeared in a breach, but doesn't reveal the associated password for that particular compromised service. Now, Hunt -- who has written extensively on password protection -- has flipped the model on its head, making passwords searchable without the associated email address or username.
Companies can use the data in their back-end systems to improve password security. When someone registers a new account the provider can compare their chosen password with the list, and warn them if it's been compromised before. They can then be encouraged or forced to choose a more secure alternative.
Individuals can also play with the data online, although Hunt advises you don't check any passwords you currently use, for obvious security reasons. "The intention is to use that in a retrospective fashion," he writes in a recent blog post announcing the service.
"As well as people checking passwords they themselves may have used, I'm envisaging more tech-savvy people using this service to demonstrate a point to friends, relatives and co-workers: 'you see, this password has been breached before, don't use it!'" he says. "If this one thing I've learned over the years of running this service, it's that nothing hits home like seeing your own data pwned."
The service has largely been prompted by revised password guidance from the National Institute of Standards and Technology (NIST) and the UK's National Cyber Security Centre, which very clearly states providers shouldn't allow people to use a password that's been breached before. But with 306 million passwords now blacklisted, coming up with a suitable new one could take a while.