XposedOrNot: Check How Safe Is A Password

Check if a password has been exposed.

XoN is an aggregated repository of xposed passwords comprising of ~850 million real-time passwords. The usage of such compromised passwords is detrimental to individual account security. Please make use of XposedOrNot to check such credentials. Avoid checking current passwords in any tool ever.

Password Security Guidelines

About XposedOrNot

What is Xposed Passwords?

The main aim of this project is to give a free platform for the general public to check if their password is exposed and compromised.

This massive password collection is an accumulation of real passwords exposed in various data breaches around the world. Passwords are curated from exposed breaches like Collection #1, Yahoo, etc. Adding to that, passwords are also commonly exposed in "pastes" in pastebin.com. We have taken more than 40,000 such exposures and that is again added to this huge list.

The collated passwords are hashed with a highly secure hashing algorithm SHA-3 ( Keccak-512 ), and stored in a one way hash for verification. No passwords are stored in plain text and the process of checking anonymously is explained in detail in our blog post, 850 million passwords for free explaining the technical and operational controls enforced for enhancing the security posture. Feel free to go through the same.

FAQs »


          //Include script src as https://cdnjs.cloudflare.com/ajax/libs/js-sha3/0.7.0/sha3.js" 
JQuery(document).ready(function() {
    $("#go").click(function(abacus) {
            abacus.preventDefault();
            var pwd_hash = (keccak_512($("#passwd").val()).substring(0, 10));
            koodudal = 'https://xposedornot.com/api/v1/pass/anon/' + encodeURIComponent(pwd_hash);
            var pwd_str = document.getElementById("passwd").value;
            if (pwd_str.length != 0) {
                var xon_response = $.ajax(koodudal)
                    .done(function(n) {
                        $('#message-text').html("Oops : Password looks exposed and hence avoid using this");
                    })
            })
    }
    else {
        $('#message-text').html("Oops! Try again with a valid password. ");
        $('#password').focus();
    })
})

Demo »


//https://github.com/kornrunner/php-keccak

use kornrunner\Keccak;
Keccak::hash('', 512);
// 0eab42de4c3ceb9235fc91acffe746b29c29a8c366b7c60e4e67c466f36a4304c00fa9caf9d87976ba469bcbe06713b435f091ef2769fb160cdab33d3670680e