Earlier this month, security researcher Troy Hunt of HaveIBeenPwned.com acclaim published the second version of “Pwned Passwords.”
The searchable feature includes “half a billion real-world passwords previously exposed in data breaches. This exposure makes them unsuitable for ongoing use as they’re at much greater risk of being used to take over other accounts,” according to the website.
Hunt’s website also allows you to see if a data breach has exposed your email address or username.
We tested out the new password feature and found an old password we used around 20 years ago across multiple websites and platforms (long before the advice to create a strong, unique password for each site was ubiquitous) had been pwned 18,417 times, which is nothing compared to how many times the password “password” has been pwned — a stunning 3.3 million times.
This handy tool now gives people a way to double check their password against passwords that have been leaked in existing data breaches.
You can also download the entire set of passwords for free.
“The list may be integrated into other systems and used to verify whether a password has previously appeared in a data breach after which a system may warn the user or even block the password outright.” There’s a handy blog post that has suggestions on integration practices. Essentially businesses can use these passwords to protect their own systems.
Create A Strong Password With These Tips
So here are our guidelines for creating a strong password, based on the most recent best practice recs:
- Passwords should be at least 8 characters in length. Longer is better.
• Passphrases work well. Again, the longer the better.
• Lowercase letters and typical English words are OK.
• Random is better — skip the lyrics from a song or text from your favorite book.
• There’s no need to use special characters and both lower and uppercase letters.
If this is overwhelming to you, check out our post on how to use the Diceware method to come up with your new password.
And then, when you’re all done, go ahead and run it through haveibeenpwned’s handy tool to double check it hasn’t already been compromised.
LibertyID is the AAA of identity theft protection, offering the most effective identity theft restoration and protection service. Members rest easy knowing that if their identity is stolen, we will fix it. There’s no limit to the time or money we will spend restoring your identity to pre-event status. A certified restoration specialist will handle all of the legwork and keep you informed with regular status updates. But just like with AAA, you have to be covered before there’s an incident.