A cybersecurity initiative to make stolen passwords useless
25+ billion stolen passwords are being used right now to break into accounts. We're working to make every website check if passwords have been stolen before accepting them.
Every website should check if passwords have been stolen before accepting them.
The technology exists. We just need to make it standard practice everywhere.
NIST Recommendation:
When processing a request to establish or change a password, verifiers SHALL compare the password against a blocklist of commonly used, expected, or compromised passwords. If the chosen password is found, the user must select a different one and be told why it was rejected.
— NIST Digital Identity Guidelines (SP 800-63B)
Millions of accounts are compromised daily using passwords that were already stolen.
Over 25 billion passwords have been stolen from companies like Facebook, LinkedIn, and Yahoo. That's more than 3 passwords for every person on Earth.
Most websites don't check if passwords have been stolen before accepting them. As a result, they accept passwords that are already known to be compromised.
Add your voice to make password breach checking standard practice everywhere.
Join individuals, companies, and developers who believe stolen passwords should never work.