Pwned Passwords, Now As NTLM Hashes!


I’m still pretty amazed at how much traction Pwned Passwords has gotten this year. A few months ago, I wrote about Pwned Passwords in Practice, which demonstrated a whole heap of great use cases where they’ve been used in registration, password reset and login flows. Since that time, another big name, GitHub, has come on board too:


I love that a service I use every day has taken something I’ve built and is doing awesome things with it! GitHub has actually downloaded the entire 517M set of passwords rather than hitting the API like many other users, and that’s just fine. In fact, I’ve had a heap of requests for more downloadable data, namely password hashes in NTLM format.

If you’re not familiar with NTLM hashes then this probably won’t be of much use to you anyway, but if you are, you’re working in a Windows environment and you’re responsible for Active Directory, this may well be kinda handy. Because NTLM hashes aren’t salted (do read the two answers there if you’re wondering why), the same password always produces the same hash, so the downloadable hashes can be compared directly against the hashes stored in an AD environment, just as they are, without ever recovering a plaintext. I asked one of the folks who requested this to put together a little script that actually makes them usable and he’s subsequently published that on GitHub. I’m sure other people will create other great things as well and if you do, please share them in the comments below.
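The following is an added example, not code from this post and not the script mentioned above. It shows why the unsalted property matters in practice: an NT hash is MD4 over the UTF-16LE encoding of the password, so any plaintext or any hash dumped from AD can be checked against the list by exact string match. MD4 is implemented in pure Python because OpenSSL 3 builds commonly disable it in hashlib. The sample list is a constructed excerpt in the HASH:COUNT line shape of the download; the hashes are real NT hashes of the passwords named in the comments, but the counts are made up for illustration and are not taken from the actual Pwned Passwords data. The account names and AD dump are likewise constructed.

```python
import struct
from typing import Dict, Iterable

# --- Pure-Python MD4 (RFC 1320). hashlib.new("md4") is unavailable on many
# --- OpenSSL 3 builds, so the digest is implemented here directly.


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Padding: 0x80, zeros to 56 mod 64, then the bit length as little-endian u64.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, tuple(range(16)), (3, 7, 11, 19), 0x00000000),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                a = _lrot((a + fn(b, c, d) + x[idx] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c  # register roles rotate each step
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def ntlm_hash(password: str) -> str:
    """NT hash: MD4 over UTF-16LE of the password. No salt, so equal
    passwords always yield equal hashes, which is what makes list lookups work."""
    return md4(password.encode("utf-16-le")).hex().upper()


# Constructed excerpt in the HASH:COUNT shape of the downloadable NTLM list.
# Hashes are genuine NT hashes of "" , "password" and "Password1"; the counts
# are invented for this example.
SAMPLE_NTLM_LIST = """\
31D6CFE0D16AE931B73C59D7E0C089C0:120
8846F7EAEE8FB117AD06BDD830B7586C:3500000
64F12CDDAA88057E06A81B54E73B949B:250000
"""


def load_ntlm_list(lines: Iterable[str]) -> Dict[str, int]:
    """Parse HASH:COUNT lines into a dict. Fine for an excerpt; for the full
    517M-line file you would binary-search the hash-ordered download or load
    it into a database instead of holding it in memory."""
    breached: Dict[str, int] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        h, _, count = line.partition(":")
        breached[h.upper()] = int(count)
    return breached


def check_password(password: str, breached: Dict[str, int]) -> int:
    """Plaintext side (e.g. a password-change filter): breach count, 0 if absent."""
    return breached.get(ntlm_hash(password), 0)


def audit_ad_hashes(ad_hashes: Dict[str, str], breached: Dict[str, int]) -> Dict[str, int]:
    """AD side: given samAccountName -> NT hash as dumped from the directory,
    report accounts whose hash appears in the list. No plaintext is needed
    because the stored hash and the list entry are the same unsalted value."""
    return {user: breached[h.upper()] for user, h in ad_hashes.items() if h.upper() in breached}


if __name__ == "__main__":
    breached = load_ntlm_list(SAMPLE_NTLM_LIST.splitlines())
    # Constructed AD dump (account -> NT hash); real dumps come from your AD tooling.
    ad_dump = {"alice": ntlm_hash("password"), "bob": ntlm_hash("CorrectHorseBatteryStaple")}
    for user, count in audit_ad_hashes(ad_dump, breached).items():
        print(f"{user}: NT hash seen {count} times in the breach list")
```

Two things to keep in mind when doing this for real: the download is case-insensitive hex, so normalise both sides before comparing, and the audit function only tells you that an account's hash is in the list, not what the password is, which is exactly the property you want when handling production credential material.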

The entire 517M set of NTLM hashes is downloadable either as a torrent or directly, courtesy of Cloudflare aggressively caching them.

