HIBP (Have I Been Pwned)
HIBP checks if your password appears in known data breaches. If a
password is found in the database, it's considered compromised and
should not be used. This service uses k-anonymity to ensure your
password is never sent in full during the check.
Industry Password Blacklists
Password blacklists help prevent the use of commonly known weak
passwords. Industry best practices recommend blocking:
- Dictionary words
- Company-specific terms
- Context-specific phrases
- Previously breached passwords
NIST Password Guidelines (SP 800-63B)
Current NIST recommendations include:
- Minimum 8 characters (recommended 15+ for critical systems)
- Maximum 64 characters
- Allow all ASCII and Unicode characters
- No password hints
- No periodic password changes unless compromised
- Check against compromised password lists
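An added example, not code from the original page, that ties the three sections together: it splits the password's SHA-1 hash into the 5-hex-character prefix that the HIBP range API receives and the 35-character suffix that stays on the client, matches that suffix against a range response locally, and applies the NIST length bounds. The range response body and its counts are constructed for illustration, and the `fetch_range` callable stands in for the HTTPS request to `https://api.pwnedpasswords.com/range/{prefix}` so the example runs offline.

```python
import hashlib
from typing import Callable, List, Tuple

# Constructed sample of a range response body. The real API returns one
# "HEX_SUFFIX:COUNT" line per leaked hash sharing the requested prefix.
# The first line's suffix is SHA-1("password") minus its 5-char prefix,
# so the lookup below finds it; the counts are made up.
SAMPLE_RANGE_BODY = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
"""


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves this host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_body: str) -> int:
    """Scan a range response for our suffix; 0 means it was not in the set."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def evaluate_password(password: str, fetch_range: Callable[[str], str]) -> List[str]:
    """Return policy findings; an empty list means the password is acceptable.
    fetch_range(prefix) must return the range response body for that prefix."""
    findings = []
    if len(password) < 8:
        findings.append("shorter than 8 characters")
    if len(password) > 64:
        findings.append("longer than 64 characters")
    prefix, suffix = sha1_prefix_suffix(password)
    count = breach_count(suffix, fetch_range(prefix))
    if count > 0:
        findings.append(f"found in breach data {count} times")
    return findings


if __name__ == "__main__":
    # Offline stand-in for the HTTP call: only the constructed prefix answers.
    fake_fetch = lambda p: SAMPLE_RANGE_BODY if p == "5BAA6" else ""
    for pw in ("password", "short", "correct horse battery staple!"):
        print(repr(pw), "->", evaluate_password(pw, fake_fetch) or "ok")
```

In production, replace `fake_fetch` with a function that performs the GET request for the prefix and returns the response text; the suffix comparison still happens entirely on the client.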