A security researcher has released an updated list of 500 million breached passwords so that organizations can use it to protect their systems.

On 22 February, Australian web security expert Troy Hunt published the second version of “Pwned Passwords.” The feature enables users to check a new or existing password against a list of 501,636,842 combinations previously compromised in data breaches. Organizations can use the feature to ensure their users choose secrets that have not appeared in any known security incident.

People can either download the entire list or use an online search tool to verify their passwords. If they choose the latter, the utility notifies users when their password is contained in the list. It also displays a number indicating how many times the service found that secret across the data sources that make up the list.

Pwned Passwords v2 (Source: Troy Hunt)

Such a feature has many potential applications in the security world. 1Password recognized one when it integrated the feature’s k-Anonymity model into its password manager. The integration lets users who opt into 1Password’s new option gauge their exposure.

As with the first version of the feature, Hunt decided to SHA-1 hash the entries contained in Pwned Passwords. He did so not because he thinks SHA-1 is a sufficiently robust algorithm for protecting sensitive data like passwords. Rather, he believes it’s important “to ensure that any personal info in the source data is obfuscated such (Read more...)
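As an added illustration of the k-Anonymity lookup and the SHA-1 obfuscation described above (example code written for this page, not code from Hunt's service, 1Password, or the article), the Python below hashes a candidate password, sends only the first five hex characters of the SHA-1 digest as the query, and compares the remaining suffix locally against the returned range. The range response is constructed sample data embedded inline, the 5-character prefix split and the `suffix:count` line format are assumptions about the service interface, and the counts are invented.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample of a range response for hash prefix "5BAA6": one line per
# breached hash suffix, "<35 hex chars>:<times seen>". All counts are invented.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "0123456789ABCDEF0123456789ABCDEF012:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"  # SHA-1 suffix of "password"
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:7\r\n"
    ),
}


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """SHA-1 the password (upper-case hex) and split it into the 5-character
    prefix that leaves the client and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Turn a 'SUFFIX:COUNT' line-per-entry response into a suffix -> count map,
    tolerating CRLF line endings and blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def sample_lookup(prefix: str) -> str:
    """Stand-in for the network call: returns the constructed range for a prefix
    (an empty body when nothing is stored for that range)."""
    return SAMPLE_RANGES.get(prefix, "")


def breach_count(password: str, lookup: Callable[[str], str] = sample_lookup) -> int:
    """How many times the password was seen in the breach corpus (0 = not found).
    Only the prefix goes to `lookup`; the suffix comparison happens here."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(lookup(prefix)).get(suffix, 0)


def is_acceptable(password: str, lookup: Callable[[str], str] = sample_lookup) -> bool:
    """Policy hook for a signup or password-change form: reject any breached password."""
    return breach_count(password, lookup) == 0


if __name__ == "__main__":
    for candidate in ("password", "constructed-unlisted-passphrase-7"):
        print(candidate, "->", breach_count(candidate), "times seen in breaches")
```

Swapping `sample_lookup` for a function that fetches the real range by prefix keeps the privacy property: the full hash, and therefore the password, never leaves the client.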