Earlier this month, security researcher Troy Hunt, of HaveIBeenPwned.com acclaim, published the second version of “Pwned Passwords.”
The searchable feature includes “half a billion real-world passwords previously exposed in data breaches. This exposure makes them unsuitable for ongoing use as they’re at much greater risk of being used to take over other accounts,” according to the website.
Hunt’s website also allows you to see if a data breach has exposed your email address or username.
We tested out the new password feature and found an old password we used around 20 years ago across multiple websites and platforms (long before the advice to create a strong, unique password for each site was ubiquitous) had been pwned 18,417 times, which is nothing compared to how many times the password “password” has been pwned — a stunning 3.3 million times.
This handy tool now gives people a way to double check their password against passwords that have been leaked in existing data breaches.
You can also download the entire set of passwords for free.
“The list may be integrated into other systems and used to verify whether a password has previously appeared in a data breach after which a system may warn the user or even block the password outright.” There’s a handy blog post that has suggestions on integration practices. Essentially, businesses can use these passwords to protect their own systems.
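One way to wire a downloaded copy of the list into a sign-up or password-change check, as an added example (not code from Troy Hunt or from this site). It assumes the download is a text file of `SHA1:COUNT` lines sorted by hash; the function names, sample passwords and counts are constructed for illustration.

```python
import hashlib
import io

def sha1_hex(password):
    # SHA-1 is only the lookup key used by the list; never store passwords with it.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def _line_at_or_after(corpus, pos):
    # Return the first complete line that starts at byte offset >= pos.
    if pos > 0:
        corpus.seek(pos - 1)
        corpus.readline()  # consume the rest of the line containing byte pos-1
    else:
        corpus.seek(0)
    return corpus.readline()

def breach_count(password, corpus):
    """Binary-search a seekable binary file of sorted 'SHA1HEX:COUNT' lines."""
    target = sha1_hex(password).encode("ascii")
    lo, hi = 0, corpus.seek(0, io.SEEK_END)
    while lo < hi:
        mid = (lo + hi) // 2
        line = _line_at_or_after(corpus, mid)
        if not line or line[:40] >= target:
            hi = mid  # the matching line, if any, is reachable from an offset <= mid
        else:
            lo = mid + 1
    line = _line_at_or_after(corpus, lo)
    return int(line[41:].strip()) if line[:40] == target else 0

def check_password(password, corpus, min_length=8):
    """Apply the length guideline, then reject anything found in the corpus."""
    if len(password) < min_length:
        return False, "too short"
    seen = breach_count(password, corpus)
    if seen:
        return False, f"appeared in breaches {seen} times"
    return True, "ok"

def build_sample_corpus(entries):
    # Constructed stand-in for the multi-gigabyte download: same line format.
    lines = sorted(f"{sha1_hex(p)}:{n}\r\n".encode("ascii") for p, n in entries.items())
    return io.BytesIO(b"".join(lines))

# Constructed passwords and counts, for illustration only.
SAMPLE = build_sample_corpus({"password": 100, "letmein": 7, "qwerty123": 42})

if __name__ == "__main__":
    for candidate in ("short", "password", "violet kettle drum orbit"):
        print(candidate, check_password(candidate, SAMPLE))
```

For the real list, pass a file opened in binary mode (`open(path, "rb")`) instead of `SAMPLE`; the binary search reads only a few dozen lines per lookup, so the file never has to be loaded into memory.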
Create A Strong Password With These Tips
So here are our guidelines for creating a strong password, based on the most recent best-practice recommendations:
• Passwords should be at least 8 characters in length. Longer is better.
• Passphrases work well. Again, the longer the better.
• Lowercase letters and typical English words are OK.
• Random is better — skip the lyrics from a song or text from your favorite book.
• There’s no need to use special characters or a mix of lowercase and uppercase letters.
If this is overwhelming to you, check out our post on how to use the Diceware method to come up with your new password.
And then, when you’re all done, go ahead and run it through haveibeenpwned’s handy tool to double check it hasn’t already been compromised.
LibertyID provides expert, full service, fully managed identity theft restoration to individuals, couples, extended families* and businesses. LibertyID has a 100% success rate in resolving all forms of identity fraud on behalf of our subscribers.
*Extended families – primary individual, their spouse/partner, both sets of parents (including those that have been deceased for up to a year), and all children under the age of 25