
1.4B password breach compilation wordlist - dredmorbius
https://gist.github.com/scottlinux/9a3b11257ac575e4f71de811322ce6b3
======
dredmorbius
There is one valid rule for testing for bad passwords: IS IT KNOWN?

The combination of characters, length, or rotation means nothing if a password
is on a known list. It should be absolutely mandatory for all
password-authenticated service providers to test against such lists when
accounts and passwords are registered.

You should be talking to your bank, other financial institution(s), ISP or
broadband providers, online services (Facebook, Google, Twitter, etc.),
governmental offices, and asking them, pointedly, whether they are doing this,
and if not, why not.

You should be contacting your legislative representation at city, regional,
state, and national levels and requesting that such procedures be adopted into
statutes and regulations.

And yes, there are space-efficient ways of checking for matches; look up Bloom
filters:
[https://en.wikipedia.org/wiki/Bloom_filter](https://en.wikipedia.org/wiki/Bloom_filter)

I have been fighting this particular fight, inside and outside tech and
service companies, for the past two decades. I've mostly lost. I'm getting
tired of losing.

Note that the link is to the project page and not directly to the full list,
though that's reachable from the page.
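An added illustration of the Bloom-filter check the post recommends (example code written for this page, not from the post or from the linked gist). It builds a filter from a small constructed stand-in for a breach list, answers "is this candidate known?" at registration time, and uses `optimal_params` (a helper written here) to show how such a filter would be sized for the 1.4B entries in the compilation at a chosen false-positive rate. The hash construction (one SHA-256 split into two halves, combined by double hashing) is one common way to derive the k indexes; any other deterministic hash would do.

```python
import hashlib
import math


class BloomFilter:
    """Fixed-size Bloom filter: never a false negative, tunable false-positive rate."""

    def __init__(self, m_bits: int, k_hashes: int) -> None:
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray((m_bits + 7) // 8)  # m bits, packed 8 per byte

    def _indexes(self, item: str):
        # Double hashing: derive all k bit positions from a single SHA-256.
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:16], "big")
        h2 = int.from_bytes(digest[16:], "big") | 1  # odd step keeps indexes distinct
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, item: str) -> None:
        for idx in self._indexes(item):
            self.bits[idx >> 3] |= 1 << (idx & 7)

    def __contains__(self, item: str) -> bool:
        # All k bits set => "probably present"; any bit clear => definitely absent.
        return all(self.bits[idx >> 3] & (1 << (idx & 7)) for idx in self._indexes(item))


def optimal_params(n_items: int, fp_rate: float) -> tuple[int, int]:
    """Bit count m and hash count k for n items at a target false-positive rate."""
    m = math.ceil(-n_items * math.log(fp_rate) / (math.log(2) ** 2))
    k = max(1, round(m / n_items * math.log(2)))
    return m, k


# Constructed stand-in for a breached-password list (NOT real breach data).
KNOWN_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou",
                   "admin123", "welcome1", "sunshine"]

# Deliberately over-provisioned for this demo so false positives are negligible;
# a production filter would be sized with optimal_params() for the real list.
KNOWN_FILTER = BloomFilter(m_bits=1 << 16, k_hashes=7)
for pw in KNOWN_PASSWORDS:
    KNOWN_FILTER.add(pw)


def is_known_password(candidate: str) -> bool:
    """True if the candidate may be on the list; False is definitive."""
    return candidate in KNOWN_FILTER


def registration_check(candidate: str) -> str:
    """What a registration endpoint would decide before hashing and storing."""
    if is_known_password(candidate):
        return "rejected: appears in a known breach list"
    return "accepted"


if __name__ == "__main__":
    for pw in ["password", "welcome1", "correct-horse-battery-staple"]:
        print(f"{pw!r}: {registration_check(pw)}")
    m, k = optimal_params(1_400_000_000, 0.001)
    print(f"1.4B entries at 0.1% FPR: {m / 8 / 2**30:.2f} GiB, {k} hashes")
```

The failure mode is one-directional: a Bloom filter can occasionally flag a password that is not on the list (a false positive, which for a registration check only means the user picks another password), but it can never miss one that is. Sizing the filter for the full 1.4B-entry compilation at a 0.1% false-positive rate comes to roughly 2.3 GiB of bits with 10 hashes, far smaller than the plaintext list itself.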

------
dredmorbius
NB: Troy Hunt largely dismisses this disclosure as consisting of old, existing
passwords, 99.6% of which are included in his own HaveIBeenPwned collection,
based on a sampling of 1,000 entries.

