2 min read


An API to protect your users from using bad passwords

During the last few weeks we’ve been working along with our friends at DogTown Media on an open API that anybody can use in their Sign Up forms to check against passwords that have been breached in the past + dictionary words and commonly used sequences of characters like 1234abcd and similar.


Head over to https://nist.badpasswordcheck.com/ and start using the API :)

What we built

The biggest corpus was taken from the awesome 9GB (compressed) file from Have I Been Pwned website. We basically took that huge file, uncompress it (~30GB csv) and parsed it to create a database that we could expose through an HTTP API.

The goal of the project was to allow developers to build more secure authentication processes by following the guidelines provided by NIST on the NIST Special Publication 800–63–3: Digital Authentication Guidelines. And the result was a very simple HTTP API where you can send a SHA-1 encoded password and get an answer saying if the password was found on our database or not.

We look forward to see this API being tested by developers all over the world. All you need is a Github account in order to get an API token to start using it. For more information head https://nist.badpasswordcheck.com/ and if there are issues feel free to create one here.

**IMPORTANT: **By signing up you and your orgnization accept that this service comes with no SLA’s or liability. We’ll do our best to keep it stable, free and quick.