this post was submitted on 05 Feb 2026
161 points (99.4% liked)

Today I Learned

27892 readers
447 users here now

What did you learn today? Share it with us!

We learn something new every day. This is a community dedicated to informing each other and helping to spread knowledge.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)

Rule 1- All posts must begin with TIL. Linking to a source of info is optional, but highly recommended as it helps to spark discussion.

** Posts must be about an actual fact that you have learned, but it doesn't matter if you learned it today. See Rule 6 for all exceptions.**

Rule 2- Your post subject cannot be illegal or NSFW material.

Your post subject cannot be illegal or NSFW material. You will be warned first, banned second.

Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.

Rule 4- No self promotion or upvote-farming of any kind.

That's it.

Rule 5- No baiting or sealioning or promoting an agenda.

Posts and comments which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.

Rule 6- Regarding non-TIL posts.

Provided it is about the community itself, you may post non-TIL posts using the [META] tag on your post title.

Rule 7- You can't harass or disturb other members.

If you vocally harass or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.

For further explanation, clarification and feedback about this rule, you may follow this link.

Rule 8- All comments should try to stay relevant to their parent content.

Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.

Rule 10- Majority of bots aren't allowed to participate here.

Unless included in our Whitelist for Bots, your bot will not be allowed to participate in this community. To have your bot whitelisted, please contact the moderators for a short review.

Partnered Communities

You can view our partnered communities list by following this link. To partner with our community and be included, you are free to message the moderators or comment on a pinned post.

Community Moderation

For inquiry on becoming a moderator of this community, you may comment on the pinned post of the time, or simply shoot a message to the current moderators.

founded 2 years ago
MODERATORS
Rooki@lemmy.world
_MoveSwiftly@lemmy.world
Thekingoflorda@lemmy.world
DriftingDeep@lemmy.world
ericisshort@lemmy.world
Decoy321@lemmy.world
161
TIL: Besides offering a free compromised email check, haveibeenpwned.com also offers a free password compromise checking service (It's also fun to see what weird passwords have been used/leaked.) (haveibeenpwned.com)
submitted 3 days ago* (last edited 2 days ago) by TehBamski@lemmy.world to c/til@lemmy.world
51 comments fedilink hide all child comments
 

Nerdy leaked passwords:

Treebeard - "This password has been seen 1,207 times before in data breaches!"

NedStark - 20 times

CerseiLannister - 30 times

youknownothingjonsnow - 61 times

PicardIsSexy - 0 times (!The_Picard_Maneuver@piefed.world you're safe. ;)

edit:

Gandalf1 - 53,478

Gandalfthewhite - 51

sexygandalf - 6

NSFW leaked passwords:

spoilerbigdick - 178,712 (!?!)

bigpussy - 9,226

longpussy - 26

longdick - 10,762

wetpussy - 61,575

wetdick - 579

twat - 6,588

dickhead - 201,942

Blueballs69 - 520

Weird leaked passwords:

BillClinton - 378

DonaldTrump123 - 792

youwillneverguessmypassword - 390

redgreenblue - 2,040

123qweasdzxc - 1,010,515

poopstick - 6,845

((More to come later))

top 50 comments
sorted by: hot top controversial new old
[–] Darkassassin07@lemmy.ca 66 points 3 days ago* (last edited 3 days ago) (3 children)

For those worried about inputting a password into a tool like this, they've actually done a great job keeping your pass secure.

Passwords entered on this site do not get transmitted to the server. Instead, they are hashed, then only the first half of the hash is sent to the server. The server replies with a list of every password hash they've found in leaks that match the partial hash you sent them. Your computer then looks through the list and tells you if the password you entered (which was kept on your pc, not transmitted) exists in that list.

From Haveibeenpwneds perspective; they sent you a big list of potential matches, but don't know which one if any actually matches your password, because they were never given the full hash, let alone the raw password.

There's even an open-source script you can run that does this within a console instead of a browser. Or, you can download their whole password DB via their github tools, then check it entirely offline.

[–] Kazumara@discuss.tchncs.de 4 points 2 days ago* (last edited 2 days ago)

Alternatively just hash your password with SHA-1 or NTLM and put the first 5 character of the hash into this link: https://api.pwnedpasswords.com/range/%7Bfirst-5-hash-chars%7D then check the results for the rest of the characters of your hash.

Example flow:

Your password: 1234
Run echo -n "1234" | sha1sum | awk '{ print toupper($0) }' or some other method to locally generate the SHA-1 hash
Resulting SHA-1 Hash: 7110EDA4D09E062AA5E4A390B0A572AC0D2C0220
Split off 5: 7110E - DA4D09E062AA5E4A390B0A572AC0D2C0220
Open Link https://api.pwnedpasswords.com/range/7110E
Search for DA4D09E062AA5E4A390B0A572AC0D2C0220
Find: DA4D09E062AA5E4A390B0A572AC0D2C0220:30272674
So this password appears a bit over 30 million times in the breach data he has.

[–] And009@lemmynsfw.com 3 points 2 days ago

Thanks, FBI.

[–] thejml@sh.itjust.works 8 points 3 days ago (1 children)

So, a malicious JavaScript library update then...

The open-source local script might be better, I'll have to check into that!

[–] Darkassassin07@lemmy.ca 15 points 3 days ago

You could say the same about every password entry field; but that's why there are local/alternative options here.

[–] THE_GR8_MIKE@lemmy.world 35 points 3 days ago (9 children)

I don't know if I want to be putting my passwords in to something like this lol

[–] panda_abyss@lemmy.ca 38 points 3 days ago (3 children)

If you’re worried, send them to me and I’ll check for you.

[–] Lawnman23@lemmy.world 26 points 3 days ago (3 children)

hunter2

[–] TehBamski@lemmy.world 6 points 2 days ago (2 children)

FYIL hunter2 was used by 65,744 accounts. hahaha

[–] Lawnman23@lemmy.world 1 points 2 days ago

I am both impressed and horrified by this fact.

[–] FiskFisk33@startrek.website 1 points 2 days ago

oh fuck me

[–] panda_abyss@lemmy.ca 11 points 3 days ago (1 children)

Yeah that one is used, you should change it

[–] masta_chief@sh.itjust.works 21 points 3 days ago (1 children)

I just see *******

[–] zr0@lemmy.dbzer0.com 2 points 3 days ago

Oh lol that one is old

[–] Vupware@lemmy.zip 1 points 3 days ago (1 children)

Password123!

[–] TehBamski@lemmy.world 1 points 2 days ago

FYI: Password123! was used by 293,751

[–] FiskFisk33@startrek.website 22 points 3 days ago* (last edited 3 days ago) (3 children)

very sane reaction.

I have to say though, haveibeenpwned is very well regarded in the industry, and is run by a well known security expert. A leak from there would be quite the blow to his reputation.

https://en.wikipedia.org/wiki/Have_I_Been_Pwned

That said, while I happily give them my email-addresses, I have never given them my password.

[–] nogooduser@lemmy.world 12 points 3 days ago (1 children)

A leak from there would be quite the blow to his reputation.

I’m not so sure that it would be a huge blow. He’s only human and everyone is susceptible to the odd mistake.

He did get phished last year and blogged about it after it happened which is the transparent approach that security experts say is the correct response. I’m pleased that he followed the advice that he gives to be honest and don’t think any less of him for suffering a breach.

https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/

[–] FiskFisk33@startrek.website 5 points 3 days ago

Fair, I misstated that. A deliberate leak from there would be quite the blow to his reputation.

[–] thejml@sh.itjust.works 2 points 3 days ago (2 children)

All it takes is a malicious actor to MITM or a compromised codebase or any other malicious things to slip in something and its also pwned.

I've seen too many widely recognized and supposedly secure things fail, to trust this with my passwords.

[–] FiskFisk33@startrek.website 4 points 3 days ago* (last edited 3 days ago)

I'd argue though, if you use a single password for everything, its probably more secure to add it here to at least get an indication when it's breached. Your surface in that case is already so large that the difference is negligible compared to the gained warning.

That said, don't reuse passwords!

[–] Tetsuo@jlai.lu 1 points 3 days ago* (last edited 3 days ago)

I suppose they use JavaScript to hash your password locally so all haveibeenpwned has is your hash.

It's certainly not full proof but it means a simple MITM attack wouldn't be that bad.

The risk would be that the JavaScript in question would be compromised for the whole service. Also if the machine of the user is already compromised well I would argue that password is already useless anyway. If someone has a keylogger on your system, ihavebeenpwnd would be the least of your concern.

So it's never foolproof but some risk can be mitigated.

Hashes are a powerful tool enabling easy check of leaks without exposing directly any user password.

Edit: Hmm there is much better explanations than mine on hashes on here, probably disregard the above comment.

[–] NachBarcelona@piefed.social -2 points 3 days ago (1 children)

very sane reaction

I hope for humanity's sake that you're joking.

[–] homoludens@feddit.org 2 points 3 days ago (2 children)

Why?

[–] THE_GR8_MIKE@lemmy.world 1 points 3 days ago

Same person said that to me too and refuses to elaborate. Really strengthens their argument.

[–] NachBarcelona@piefed.social 1 points 3 days ago (1 children)

Because using a reputable k-anonymity service is as risky as throwing apple peels in the trash. Or just looking at an apple.

[–] FiskFisk33@startrek.website 2 points 2 days ago

I'd argue it's generally a very sane reaction to instinctively say no when some service you don't know about wants your password.

The commentor you replied to obviously didn't know about the pedigree of haveibeenpwned beforehand

[–] AnyOldName3@lemmy.world 4 points 3 days ago

It makes a cryptographically-secure hash of the password you enter, then truncates that before sending it to the server so the only information they get would be in common with a huge number of other passwords. They then send back the leaked passwords with the same truncated hash, and your computer checks to see if what you've entered matches anything on the list. It's not practical to send the whole list for every query as there's just too much data, but if you don't trust their site, you can just download the whole list and check against it yourself.

[–] HubertManne@piefed.social 3 points 3 days ago (5 children)

Yeah its fine to look through a list but not going to put in my stuff.

[–] NachBarcelona@piefed.social -2 points 3 days ago

My god you people 😂😂😂

load more comments (4 replies)
[–] hansolo@lemmy.today 1 points 3 days ago (1 children)

Use a different VPN server and private mode on each. Easy.

[–] NachBarcelona@piefed.social -1 points 3 days ago (2 children)

You think people that tech illiterate have any idea how to use a VPN?

[–] yermaw@sh.itjust.works 1 points 3 days ago

I know how to use one. Ive got no idea how to verify that its trustworthy.

[–] hansolo@lemmy.today 0 points 3 days ago

Sadly, I know they usually don't.

load more comments (3 replies)
[–] Reygle@lemmy.world 3 points 2 days ago

They're missing a real opportunity here- when someone enters the "password" 12345, which 31,033,620 times by the way, their page should immediately display this

[–] pageflight@piefed.social 9 points 2 days ago* (last edited 2 days ago) (1 children)

1234: 30,272,674 times

/headdesk

[–] TehBamski@lemmy.world 5 points 2 days ago

I felt about the same way when I tested for that. hahaha.

Try some keyboard walking combos. You'll start see why so many people in I.T. are bald at early ages, starting to have grey hair before they hit 50, etc. lol

Examples: qwer ., asdf , zxcv , qweasdzxc

[–] The_Picard_Maneuver@piefed.world 18 points 3 days ago

PicardIsSexy - 0 times (!The_Picard_Maneuver@piefed.world you're safe. ;)

That was a close one!

[–] hansolo@lemmy.today 12 points 3 days ago* (last edited 3 days ago)

For anyone reasonably concerned about the obvious boneheaded move of checking your email and then entering your password, here's some options:

  • Don't check them at the same time or on the same device. Use wifi and a laptop to check your email. 20 minutes later on your phone and 5G, check your password. Two different IP addresses and browser fingerprints.

  • Use Tor

  • Change VPN locations and browsers on the same device.

  • Don't just check your password and close the page. Check 10 made up BS passwords and throw yours in the middle.

This is all on top of the fact that HaveIBeenPwned has been a beacon of sanity for more then a decade. Troy Hunt remains huge in the cybersecurity research space, and diligently combs over data leaks. This site was one of Gizmodo's 100 sites that shaped the internet in 2018, and remains the most accessible database of leaked credentials there is, without actually giving away the credentials.

Now go check yourself before someone else wrecks yourself.

[–] northernlights@lemmy.today 4 points 3 days ago

TIL that besides offering a password compromise checking service, they also offer a compromised email checking service!

[–] LordKitsuna@lemmy.world 3 points 3 days ago

This functionality is built-in to bitwarden, they can safely check your entire vault for known breaches

[–] Nioxic@lemmy.dbzer0.com 3 points 3 days ago

I dont think its a good idea to give them your password

load more comments
view more: next ›