Is a password that you use actively to protect an account secure? The question is difficult to answer as it depends on your definition of secure.
Secure can mean, among other things, that it cannot be cracked in reasonable time, or that it is not already on a publicly accessible password list.
The Pwned Passwords database of Have I Been Pwned has been updated recently with new password data sets.
The service accepts a password and reveals whether it was found on any of the lists that powers the service's database.
All you have to do is type a password to find out whether it is available in the clear-text format on a public password dump list.
Some users may have reservations when it comes to typing passwords that they use on a site on the Internet. That site, in theory, could use the information for malicious activity. While it requires a username, usually that goes along with it, adding the password to a list to run dictionary attacks against services could have negative consequences for the user who entered it on the site.
That's one reason why you may download the entire database to your local system. It is available as a zipped torrent file; the torrent file has a size of 8.8 Gigabytes and contains a list of 501 million password hashes and password use counts. The archive extracts to a single 30 Gigabytes large text file that many text editors won't open.
Use a free program like Large Text File Viewer to open the text document on your system.
You need to compute the SHA-1 hash of your passwords and may use a free program like HashCalc for that which supports the computation of hashes from text strings among other things.
You'd then search the downloaded database file for that Sha-1 hash to find out if the password leaked before.
Attackers may use public password lists in attacks, especially if passwords are popular.
If a password is found in the database, it is advised to change it and use a password that is not found. Generally speaking, it is best to assume that any password that is listed in the database is known to attackers and should not be used anymore.
Now You: How do you make sure to select secure passwords for accounts?
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.