Troy Hunt has updated the haveibeenpwned list of pwned passwords, which now contains a staggering 501 million compromise passwords (as SHA1 hashes). It now also includes a count of how many time that password has been found, so you can see just how poor your password choices are!
I have updated my offline password checking program to work with the new file format. The counts appended to each line made the binary search slightly harder.
It is still open source, available under the MIT Licence. This means you can do pretty much what ever you want with it and make sure it isn’t doing anything nefarious with your passwords.
Do not enter passwords you use on the haveibeenpwned website or in the app while using the web API. If you don’t understand why, please consult your nearest smart friend.
Warning over. I am tempted to remove the web API from my application since if you use it, you may as well just use the website. It is useful for testing however. To check offline you will need to download 9GB zip file, then extract the full 31GB text file. Make sure you get the version that is sorted by hash, since this is required to perform a quick binary search. The other version won’t work!
In addition to Cloudflare kindly cashing the files, they are now available as torrents. That should make it easier to download them on a bad connection, and take the strain of Troy’s website.
Find the offline password searcher on GitHub here
More info and updates here. Hopefully I will do a user guide soon as well.