Real-time Password Blacklist


Prevent bad passwords before they happen!

(No Credit Card Required)

The service is easy to implement with a wizard-based Easy Install for Windows, a one-page Quick Start Guide and understandable API documentation.

  • Password Firewall for Windows v5.0 Now Available - The latest release of Password Firewall for Windows is available for download.  It builds upon previous versions, and adds a new (optional) feature called DoubleCheck that will re-query the blacklists after dropping common characters from a chosen password.  This combats a common tactic of simply adding a number at the end of a bad/previous password.  Visit the downloads page to get it and the latest documentation.  We are hard at work on v5.1 and expect it to be released soon.
  • International Payment Processor Change - We have moved to Stripe for processing International (non-USD) payments and PayPal has been retired.  If you were using PayPal, you will still be able to pay your invoice with your non-US credit card, but now Stripe will process the payment.
  • API v2.2 Released, adds option for querying Custom Blacklist only - We have updated our API to version 2.2 and added a requested feature - the ability to only query a Custom Blacklist, but not the Password RBL maintained blacklist.  The default behavior of querying both blacklists simultaneously remains the same.  Interested?  Read all about this new feature in our API Guide.
  • Check service status - You can always view the status of the Password RBL service using our status page or directly via:
  • Referral Program - Know someone who could benefit from better passwords? We bet you do!  Refer them to Password RBL and we'll give you both a free month (or a $100 credit, whichever is less).  And there's no limit to the number of referral bonuses you can get! Additional details here.
  • Just a note regarding transport security - We just want to let you know that all connections to our API server are secured with modern protocols and ciphers.  Our API only allows TLS connections, so no need to worry about the recent SSL vulnerabilities.  Read More
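
The DoubleCheck idea from the v5.0 announcement above, sketched as an added example (this is not Password RBL's code or algorithm). It assumes "common characters" means digits and symbols padded onto either end of a password and that matching is case-insensitive; the blacklist is a small constructed sample.

```python
import re

# Constructed sample standing in for a curated blacklist (assumption).
BLACKLIST = {"password", "letmein", "summer", "qwerty", "welcome"}

# Assumption: "common characters" are digits and punctuation added to the
# start or end of a password; the page does not define the actual set.
_PADDING = re.compile(r"^[\d\W_]+|[\d\W_]+$")


def normalize(candidate: str) -> str:
    """Case-fold, then strip leading and trailing digits and symbols."""
    return _PADDING.sub("", candidate.casefold())


def check_password(candidate: str, double_check: bool = True) -> str:
    """Classify a candidate as 'exact', 'variant' or 'ok'.

    'exact'   - the candidate itself is on the blacklist
    'variant' - the candidate is a blacklisted password with padding added
    'ok'      - neither query matched
    """
    folded = candidate.casefold()
    if folded in BLACKLIST:
        return "exact"
    if double_check:
        core = normalize(candidate)
        # Second query only when stripping changed the input and something
        # is left; an all-digit password strips down to nothing.
        if core and core != folded and core in BLACKLIST:
            return "variant"
    return "ok"


if __name__ == "__main__":
    # Constructed candidates a user might submit at password-change time.
    for pw in ("PASSWORD", "Summer2024!", "123letmein", "correct horse battery"):
        print(f"{pw!r:26} -> {check_password(pw)}")
```

With the second query disabled, "Summer2024!" passes the blacklist even though its core is a listed password, which is the gap the re-query closes.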

Announcements About the Service

There are millions of passwords that meet company password policies, but are bad choices because hackers know these common passwords, too.  They have databases filled with these bad passwords and actively use them to break into business networks across the globe.

It has become very common to hear about data breaches or leaks of customer data at large companies that lead to millions of leaked credentials or identity data points, but data breaches happen at smaller businesses even more often.

Password RBL was created to give businesses of all sizes a simple and effective way to fight back against these attacks.

Why Use Password RBL

Password RBL is a password blacklist for Active Directory, web sites or apps that keeps the bad, guessable passwords from being used on your network.  Eliminating these bad passwords is a great step towards securing your business systems and data.  You can easily add Password RBL password blacklisting to your Active Directory using Password Firewall for Windows, or implement the API from your website or app.

Your business and proprietary data need protection from unauthorized access.  Subscribing to the Password RBL service is an easy and effective way to protect your Active Directory, web sites and apps.  It's easy to implement and inexpensive, too!

What Is Password RBL

One subscription covers access to the API. You choose if you want to protect Active Directory, your site, your app or all of them!



All the passwords in our system have been vetted by a real person.  We don't use any automated methods to build our password database.

High Quality


  • NIST Recommends Password Blacklisting - The National Institute of Standards and Technology has released an update for their Digital Authentication Guidelines in NIST Special Publication 800-63-3.  They now recommend that organizations employ a Password Blacklist to prevent the use of known bad choices.  Password RBL is exactly what you need - a curated list of all these known bad passwords - and it's simple to deploy and use.  Learn more here.

  • Github, GotoMyPC, latest sites hit with password attacks following huge credential breach - Since the recent for-sale posting of credential databases for LinkedIn, Tumblr, MySpace and more, many websites are seeing an increase in password attacks using the information gained from these credential databases.  Password RBL can help prevent attacks exactly like this.

  • The LowLevel04 RansomWare Spreads by Exploiting Weak Passwords - Ransomware is a big problem for businesses - it encrypts your data files until you pay a "ransom" costing thousands in bitcoin and lost productivity.  This specific variant, dubbed LowLevel04, spreads by brute-forcing weak passwords via Microsoft Remote Desktop / Terminal Services connections.  Many businesses use Remote Desktop for remote employee access to corporate resources.  Yet another reason to use Password Firewall for Windows!

  • Starbucks Hacked? No, But You May Be - The Starbucks online account system was not hacked or breached.  Instead, hackers used known bad passwords to gain unauthorized access to individual customer accounts.  This allowed the hackers to drain the individuals' accounts as well as transfer in more money from their linked bank account and order themselves Starbucks gift cards (likely to be resold online).  If Starbucks subscribed to Password RBL and enforced the use of strong passwords, this attack could have been thwarted.

  • Redirect-to-SMB Vulnerability Exposes User Passwords - This reported bug is a new take on an issue discovered in 1997 and garnered a lot of attention at DEFCON 24. All versions of Windows and many common applications are vulnerable.  This vulnerability works by using a standard HTTP redirect, but the victim is redirected to a malicious SMB server.  Since Windows automatically attempts authentication by design, it sends the victim's hashed credentials to the SMB server.  If the victim's password is simplistic or common, then it's easily cracked.  Subscribe today and prevent bad passwords before they happen!

Password Security In The News

We use only industry standard algorithms & have a zero-logging policy.  Our double-blind hashed password submission is also protected by TLS.

layers of



One-Page Guide