Pwned Password
What is Pwned Password?
A password that has appeared in a known data breach and therefore must never be allowed as a user secret, as catalogued by Troy Hunt's Have I Been Pwned service.
A pwned password is one that already appears in publicly known breach corpora and is consequently part of the dictionaries that attackers feed into credential-stuffing and password-spraying tools. The canonical reference is the Pwned Passwords dataset published by Troy Hunt's Have I Been Pwned (HIBP), which currently exposes more than a billion unique SHA-1 hashes through a k-anonymity API: callers send only the first five hex characters of the hash and receive the matching suffix list, so the candidate password never leaves the client. NIST SP 800-63B section 5.1.1.2 explicitly requires comparison of new and changed passwords against such breach corpora. Cloudflare, 1Password, Okta and many other vendors have integrated the HIBP API into sign-up and password-change flows.
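An offline worked example of the k-anonymity range check described above, added here and not part of the original page: the HIBP endpoint URL is real, while the range response, its counts and the helper names are constructed for the demo.

```python
import hashlib
import urllib.request
from typing import Callable

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint

def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 hex (upper-case) split into the 5-char prefix that is sent
    to the server and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> dict[str, int]:
    """Parse a range response of 'SUFFIX:COUNT' lines. Count-0 entries
    (padding the API may add) stay 0 and therefore never count as hits."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        if line.strip():
            suffix, _, count = line.strip().partition(":")
            counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Breach occurrences of the password; the password itself never leaves."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def fetch_range_hibp(prefix: str) -> str:
    """Live lookup against HIBP (needs network; not used by the demo)."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed offline stand-in for the API: one range holding the page's
# example password with a constructed count, plus two filler suffixes.
_KNOWN_PREFIX, _KNOWN_SUFFIX = split_hash("P@ssw0rd123")
CONSTRUCTED_RESPONSE = "\r\n".join([
    "0123456789ABCDEF0123456789ABCDEF012:4",
    f"{_KNOWN_SUFFIX}:3000000",
    "FEDCBA9876543210FEDCBA9876543210FED:0",
])

def constructed_fetch(prefix: str) -> str:
    return CONSTRUCTED_RESPONSE if prefix == _KNOWN_PREFIX else ""

def is_allowed(password: str, fetch_range: Callable[[str], str] = constructed_fetch) -> bool:
    """Registration-form policy: reject any password seen in a breach."""
    return pwned_count(password, fetch_range) == 0
```

Swap `constructed_fetch` for `fetch_range_hibp` to run the same check against the live service; the client still transmits only the five-character prefix.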
● Examples
- 01
A user sets password 'P@ssw0rd123' and the registration form blocks it because it appears 3M+ times in HIBP.
- 02
An Active Directory module that periodically checks every account's NTLM hash against the offline Pwned Passwords corpus.
● Frequently asked questions
What is Pwned Password?
A password that has appeared in a known data breach and therefore must never be allowed as a user secret, as catalogued by Troy Hunt's Have I Been Pwned service. It belongs to the Identity & Access category of cybersecurity.
How do you defend against Pwned Password?
Defences against pwned passwords combine technical controls with operational practice: check every new or changed password against a breach corpus such as HIBP at sign-up and password-change time, using the k-anonymity API so the password never leaves the client, and periodically audit existing credential stores (for example Active Directory NTLM hashes) against the offline Pwned Passwords corpus.
What are other names for Pwned Password?
Common alternative names include: Compromised password, Breached password, HIBP password.
● Related terms
- identity-access № 798
Password Policy
A documented set of rules governing how user passwords are created, stored, rotated, and validated to balance security against usability for the workforce.
- identity-access № 795
Password
A secret string of characters that a user supplies to prove identity to a system, traditionally the dominant single-factor authentication mechanism.
- attacks № 232
Credential Stuffing
An automated attack that replays large lists of username/password pairs leaked from one service against other services, exploiting password reuse to take over accounts.
- attacks № 800
Password Spraying
A low-and-slow attack that tries a small set of common passwords against many user accounts, staying under lockout and rate-limit thresholds.
- attacks № 275
Data Breach
A confirmed security incident in which an unauthorised party accesses, exfiltrates, or discloses sensitive, protected, or confidential information.
- identity-access № 797
Password Manager
An application that generates, stores, and autofills strong unique credentials, secured by a master passphrase and increasingly by passkeys.
● See also
- № 796 Password Entropy