Need a new password? Here are 306 million to avoid
If you're in the market for a new, unique password, Troy Hunt has a trove of what you don't want.
Hunt, the security expert behind the Have I Been Pwned website, on Thursday released a searchable tool that contains 306 million previously compromised passwords. The tool's database of passwords, collected from dozens of data breaches, aims to help individuals and companies improve their online security.
With data breaches out of your control, it's imperative to choose passwords that can withstand guessing attacks. Ideally, your passwords should be at least 16 characters, mixing numbers and symbols with uppercase and lowercase letters. But length and complexity do nothing for a password that has already leaked: attackers run lists of previously breached passwords before they bother with brute force, so a leaked password falls on the first pass no matter how strong it looks.
Hunt's website already lets users see if their email address has been exposed in a breach -- without associated passwords, of course. This new tool flips that model around to show passwords, sans usernames.
Hunt cautions against using the tool to test a password you actively use, since that means handing a live password to a third-party service.
"As well as people checking passwords they themselves may have used, I'm envisaging more tech-savvy people using this service to demonstrate a point to friends, relatives and co-workers: 'you see, this password has been breached before, don't use it!'" Hunt wrote in a blog post. "If there's one thing I've learned over the years of running this service, it's that nothing hits home like seeing your own data pwned."
Recent guidance from the National Institute of Standards and Technology (SP 800-63B) recommends that sites check candidate passwords against lists drawn from previous data breaches and reject any that match. With 306 million rejects already on the list, the obvious choices are long gone.
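What that NIST check looks like at registration time, as an added example that is not code from the article or from Have I Been Pwned: a screen that hashes the candidate password with SHA-1, looks it up in a local copy of a breach-derived hash list, and applies the article's 16-character floor on top. The list format is assumed here to be one uppercase hex SHA-1 per line (an assumption, not something the article states), and the five-entry list embedded below is constructed for the example. The second lookup style, `check_via_range`, is a generic prefix-range pattern, also an assumption: the client sends only the first five hex characters of the hash, gets back every suffix in that range, and finishes the comparison itself, so the live password never leaves the client. It is shown as a design, not as the tool's own API.

```python
import hashlib

# Constructed sample of a breach-derived hash list in the assumed format:
# one uppercase hex SHA-1 per line. A real list has hundreds of millions.
SAMPLE_PWNED_LIST = "\n".join(
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ["password", "123456", "qwerty", "letmein", "P@ssw0rd"]
)

MIN_LENGTH = 16   # the article's suggested minimum length
PREFIX_LEN = 5    # hex characters sent in the assumed range lookup


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 digest, the key format of the assumed hash list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def load_pwned_hashes(text: str) -> set[str]:
    """Parse the list into a set for O(1) membership tests; skip blank lines."""
    return {line.strip().upper() for line in text.splitlines() if line.strip()}


def check_password(password: str, pwned: set[str],
                   min_length: int = MIN_LENGTH) -> list[str]:
    """Return the reasons a candidate password should be rejected (empty = accept).

    Breach membership is tested independently of length: a password that has
    leaked is rejected even if it satisfies every complexity rule.
    """
    reasons = []
    if sha1_hex(password) in pwned:
        reasons.append("appears in a known breach")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    return reasons


def range_lookup(prefix: str, pwned: set[str]) -> list[str]:
    """Server side of the assumed prefix-range design: given a 5-hex-char
    prefix, return the suffixes of every stored hash that starts with it."""
    prefix = prefix.upper()
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
    return sorted(h[PREFIX_LEN:] for h in pwned if h.startswith(prefix))


def check_via_range(password: str, pwned: set[str]) -> bool:
    """Client side: only the hash prefix is sent; the suffix comparison happens
    locally, so neither the password nor its full hash is disclosed."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in range_lookup(prefix, pwned)


if __name__ == "__main__":
    pwned = load_pwned_hashes(SAMPLE_PWNED_LIST)
    for candidate in ["password", "correct horse battery staple!"]:
        print(candidate, "->", check_password(candidate, pwned) or "OK",
              "| range lookup:", check_via_range(candidate, pwned))
```

Keeping the list local, or only ever sending a hash prefix, is what reconciles the NIST recommendation with Hunt's warning about sending live passwords to a third party.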