"A list of passwords commonly used on other websites"

[ohreally]

Select Topic Area

Question

Body

Hi,

Github says that my password is in "a list of passwords commonly used on other websites".
I've checked all the publicly available lists that I could find, and none of them gave a hit on my Github password. And I know that my password is unique, and very random.
So I'd like to know which list Github is using, so that I can check my other passwords as well.

Thanks in advance,
Rob

[jorritvanderheide]

As mentioned in this article (wayback machine because it doesn't exist anymore):

The check compares a one-way hash of that password against our internal database of credentials known to be compromised by breaches of other websites or services.

In other words, it looks up the hashed password, not the password itself, which might be why you didn't find it anyhere. As for what list is used, this reply by a GitHub employee says:

GitHub uses both open and private paid sources of breach data in order to protect customer accounts. We don’t typically name our vendors and in some cases we are actually precluded from doing so by contract.

In other words, this is not one list, but many, and it is and will not become public knowledge.