This project is a way for you to verify your passwords have not been included in Troy Hunt's Have I Been Pwned password lists. If you want to try it out, you can head over to the website and enter a password there. If you are concerned about sending passwords to a third-party site, and still want to verify that your password has not been leaked (yet), you can use this tool instead.
It will download and unzip 3 (or more) password lists, which weigh in at a
whopping 5.6GB compressed. When uncompressed, they are 13.5GB. The files will be
downloaded to the present working directory you are in. The only hard dependency
7z binary in your
You can run it in three ways: scripted, programmatically, and interactively. Interactive mode is recommended, as it keeps your password out of scripts, your shell history, and the process listing in ps/top/etc. If you have many passwords to check, you can use it programmatically and loop over your passwords. Interactive mode prompts you for a password, masks it as you enter it, hashes it, searches for the hash, and prints the result.
You can also run it with npx: simply use npx pwned-check. If you have
version 5 or later, you already have
It will perform a radix-based search through the files to determine if the hash
is included in the dump files, as the files are sorted, the lines are fixed-length
hexadecimal strings, and the distribution is close to uniform. This is
more efficient than a binary search, as it perform
Note that it does not construct a radix tree, so it is less efficient in the
search, with the tradeoff that there is no lengthy preprocessing required to
build the tree. Also note that this is only possible because the files are
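One way to search sorted, fixed-length, near-uniformly distributed hash lines without building a tree is an interpolation search that seeks straight to a guessed record. The sketch below is an added example, not pwned-check's own code; it assumes uppercase SHA-1 hex lines ending in a single "\n", and the function names and sample passwords are constructed for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');
const crypto = require('crypto');

const HEX_LEN = 40;          // SHA-1 digest as uppercase hex
const REC_LEN = HEX_LEN + 1; // assumption: every line ends in a single "\n"

const sha1Hex = (s) =>
  crypto.createHash('sha1').update(s, 'utf8').digest('hex').toUpperCase();
// Leading 48 bits of a hash as a number (exact in a double), used to interpolate.
const prefix = (hex) => parseInt(hex.slice(0, 12), 16);

// Constructed sample data: a sorted file of hashes of made-up passwords.
function buildSampleFile(count = 5000) {
  const hashes = Array.from({ length: count }, (_, i) => sha1Hex(`sample-password-${i}`));
  const file = path.join(fs.mkdtempSync(path.join(os.tmpdir(), 'pwned-')), 'hashes.txt');
  fs.writeFileSync(file, hashes.sort().join('\n') + '\n');
  return file;
}

// Looks up one hash, reading a single 40-byte record per probe.
function searchHashFile(file, hash) {
  const fd = fs.openSync(file, 'r');
  try {
    const size = fs.fstatSync(fd).size;
    if (size % REC_LEN !== 0) throw new Error('lines are not fixed length');
    const buf = Buffer.alloc(HEX_LEN);
    const key = prefix(hash);
    let lo = 0, hi = size / REC_LEN - 1, probes = 0;
    let loKey = 0, hiKey = 2 ** 48 - 1; // key-space bounds, tightened per probe
    while (lo <= hi) {
      // Guess the position from where the key falls between the known bounds.
      const frac = hiKey > loKey ? (key - loKey) / (hiKey - loKey) : 0;
      const mid = lo + Math.min(hi - lo, Math.floor(frac * (hi - lo)));
      fs.readSync(fd, buf, 0, HEX_LEN, mid * REC_LEN);
      const rec = buf.toString('ascii');
      probes++;
      if (rec === hash) return { found: true, probes };
      if (rec < hash) { lo = mid + 1; loKey = prefix(rec); }
      else { hi = mid - 1; hiKey = prefix(rec); }
    }
    return { found: false, probes };
  } finally {
    fs.closeSync(fd);
  }
}
```

The password is hashed locally and only file offsets are read, so nothing leaves the machine; the fixed record length is what lets each probe seek directly to `mid * REC_LEN`.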
Disclaimer: This is not an official Google project.
Apache Version 2.0