"A list of passwords commonly used on other websites"

[ohreally]

Select Topic Area

Question

Body

Hi,

Github says that my password is in "a list of passwords commonly used on other websites".
I've checked all the publicly available lists that I could find, and none of them gave a hit on my Github password. And I know that my password is unique, and very random.
So I'd like to know which list Github is using, so that I can check my other passwords as well.

Thanks in advance,
Rob

[jorritvanderheide]

As mentioned in this article (wayback machine because it doesn't exist anymore):

The check compares a one-way hash of that password against our internal database of credentials known to be compromised by breaches of other websites or services.

In other words, it looks up the hashed password, not the password itself, which might be why you didn't find it anyhere. As for what list is used, this reply by a GitHub employee says:

GitHub uses both open and private paid sources of breach data in order to protect customer accounts. We don’t typically name our vendors and in some cases we are actually precluded from doing so by contract.

In other words, this is not one list, but many, and it is and will not become public knowledge.

[ohreally]

Thanks for your response, Jorrit.

I know how hashes work. But since hashes are supposed to give a unique representation for a certain string, we can be quite certain that we're still talking about my password.

And if I cannot find my password in any public database, and Github wants to be all secretive about their sources, I'm just going to guess that Github had their user database compromised, and they're making up a story to avoid having to disclose the breach.