Version 3 with 517M hashes and counts of password usage ordered by most to least prevalent Pwned Passwords are 517,238,891 real world passwords previously exposed in data breaches. This exposure makes them unsuitable for ongoing use as they re at much greater risk of being used to take over other accounts. They re searchable online below as well as being downloadable for use in other online system. The entire set of passwords is downloadable for free below with each password being represented as a SHA-1 hash to protect the original value (some passwords contain personally identifiable information) followed by a count of how many times that password had been seen in the source data breaches. The list may be integrated into other systems and used to verify whether a password has previously appeared in a data breach after which a system may warn the user or even block the password outright.

The ever-increasing number of data breaches targeting user credentials has become undeniable reality in our digital age. Although there are third-party breach notification services (e.g., Have I Been Pwned, Firefox Monitor) that allow users to check whether their credentials have been involved in data breaches, the number of users who are aware of or use such services may be limited. To better inform users about the breach status of their accounts, we designed a prototype registration system where the website uses readily available information (e.g., email address) to check whether this account was involved in a data breach, and then inform the user about the breach status of the email address while signing up for a website. We investigated the effectiveness of this system by performing an online study (n = 373) in which participants were asked to register to a mock-up website that presented them with a data breach notification based on Protection Motivation Theory (PMT). We found that 64% of participants were exposed in one or more breaches. A follow-up survey, 3 days after the initial survey, was conducted to determine if there were any behavior changes (e.g., changing passwords) of participants whose accounts were involved in some data breaches. We found that 40% of the participants changed their passwords on their some accounts. Finally, we present our qualitative data analysis to shed light on participants’ motivations behind their decisions as well as their perceptions of the integration of our prototype registration system.