Is "Have I Been Pwned's" Pwned Passwords List really that useful?

Disclaimer: I am the author, creator, owner and maintainer of Have I Been Pwned and the linked Pwned Passwords service.

Let me clarify all the points raised here:

The original purpose of HIBP was to enable people to discover where their email address had been exposed in data breaches. That remains the primary use case for the service today and there's almost 5B records in there to help people do that.

I added Pwned Passwords in August last year after NIST released a bunch of advice about how to strengthen authentication models. Part of that advice included the following:

When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to: Passwords obtained from previous breach corpuses.

That's what Pwned Passwords addresses: NIST advised "what" you should do but didn't provide the passwords themselves. My service addresses the "how" part of it.

Now, practically, how much difference does it make? Is it really as you say in that it's just like a one in a million front door key situation? Well firstly, even if it was, the IRL example breaks down because there's no way some anonymous person on the other side of the world can try your front door key on millions of doors in a rapid-fire, anonymous fashion. Secondly, the distribution of passwords is in no way linear; people choose the same crap ones over and over again and that puts those passwords at much higher risks than the ones we rarely see. And finally, credential stuffing is rampant and it's a really serious problem for organisations with online services. I continually hear from companies about the challenges they're having with attackers trying to log in to people's accounts with legitimate credentials. Not only is that hard to stop, it may well make the company liable - this popped up just last week: "The FTC’s message is loud and clear: If customer data was put at risk by credential stuffing, then being the innocent corporate victim is no defence to an enforcement case" https://biglawbusiness.com/cybersecurity-enforcers-wake-up-to-unauthorized-computer-access-via-credential-stuffing/

Having seen a password in a data breach before is only one indicator of risk and it's one that each organisation using the data can decide how to handle. They might ask users to choose another one if it's been seen many times before (there's a count next to each one), flag the risk to them or even just silently mark the account. That's one defence along with MFA, anti-automation and other behavioural based heuristics. It's merely one part of the solution.

And incidentally, people can either use the (freely available) k-Anonymity model via API which goes a long way to protecting the identity of the source password or just download the entire set of hashes (also freely available) and process them locally. No licence terms, no requirement for attribution, just go and do good things with it :)
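As an added example (not Troy's code and not an official HIBP client), here is how a verifier can apply the k-Anonymity range model described above to the NIST-style check quoted earlier: only the first five hex characters of the candidate's SHA-1 leave the client, and the suffix lookup and the "seen too many times" decision happen locally. The response body is a constructed stand-in for the API's `SUFFIX:COUNT` output (the first suffix is the real tail of `SHA1("password")`; the counts and the second line are made up), and `offline_fetch` is a hypothetical stub for the HTTP call.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for the body of a Pwned Passwords range query
# (GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>).
# The real service returns one "SUFFIX:COUNT" line per hash sharing the
# prefix. The first suffix is the genuine tail of SHA1("password");
# the counts and the second line are made up for this offline example.
SAMPLE_RANGE_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "00000000000000000000000000000000000:1\r\n"
)


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of a password into the 5-char prefix
    that is sent to the API and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict keyed by uppercase suffix."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        if not line.strip():
            continue
        suffix, count = line.split(":", 1)
        table[suffix.strip().upper()] = int(count)
    return table


def offline_fetch(prefix: str) -> str:
    """Hypothetical stand-in for the HTTP call; serves the constructed sample."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password was seen in breaches (0 if never).
    Only the 5-char prefix is passed to fetch_range; the suffix is matched locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def allowed_by_policy(password: str, fetch_range: Callable[[str], str] = offline_fetch,
                      max_seen: int = 0) -> bool:
    """NIST-style verifier rule: reject a candidate seen more than max_seen times.
    Raising max_seen lets an organisation tolerate rarely-seen passwords."""
    return breach_count(password, fetch_range) <= max_seen
```

In production `fetch_range` would issue the GET request; because the count is returned per suffix, the same lookup supports the "ask to choose another", "flag the risk" or "silently mark the account" handling described above.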


This answer refers solely to the original HIBP part of Troy's site, before the question was updated. Please read Troy's post for specifics on the Pwned Passwords section of it.

That is not at all what it is for. It isn't actually even an indication if it has been used - just an indication that it has been leaked.

Its use comes in knowing that attackers are likely to have your email address and password...

Which they can then use anywhere you have used that set of credentials. And it is an amazingly successful attack technique.

Obviously, if you only ever use a password on one particular site, and it bears no relationship to passwords used on other sites, then once you change that password you are as safe as you can be. In fact, the general guidance is that the key trigger for password change should be suspicion of a breach.

You do that, right?


Yes, someone in the world will have the same front door key as you because (for a common type of lock) there are only 5^6 = 16 000 possible combinations. But for a door key, you need to physically try each house before you get in anywhere. In the digital world, you can try a million 'houses' in a few minutes.

A password of 8 alphanumeric characters (a-z, A-Z, and 0-9) already has (26+26+10)^8 = 218 340 000 000 000 combinations, so with only 8 billion people on the planet, it's unlikely many people have the same one. If you share a password with someone else, that means your pick wasn't random enough, and therefore it is probably guessable by an attacker as well.

When doing pentests, one of the things we do is look for @<company>.com addresses in public data breaches. We often find at least a hash (which we can often crack), and sometimes we even find plaintext passwords. Those passwords, used on random websites, are sometimes also working credentials on company servers.

Password reuse is a big problem if you use the wrong password in a place which later gets hacked. HaveIBeenPwned tells you whether this applies to you, and if so, where. You know where else you used that password so you can change it.

But looking for a password is only part of the site. I think the "where did breaches occur" part (identified by your username or email address) is equally or more useful, as you will know which passwords it involved and which need changing.