NTLM to plaintext password lookup

Should you even use this service?

Please read everything below, and make your own judgement while also remembering that unintended consequences are outcomes of a purposeful action that are not intended or foreseen. Imagine this ...
You're standing in front of your locked front door. You don't want anyone to break in, and you got the UltraSecure lock on it - so for your door there exist 2^128 possible keys. If you try a wrong key 3 times, the door will not unlock even with the right key. Cool door!
You have lost your primary key, but you have a few dozen keys in your drawer - unfortunately they're all unmarked - but you remember that the one to your door said "Frontdoor123". So worrisome, what to do?
You can call the keymaster anonymously (1-800-KEYMSTR) and ask him whether he remembers ever seeing a given key and what was written on it! He will then tell you what was written on it IF it was readable (some keys are incomprehensible; he doesn't know about those).
The keymaster hasn't seen all keys that exist, and he might have seen some fake keys in another keymaster's workshop. But he has other things to do than chatting with you on the phone, so you can only ask him about a limited number of keys at a time; then you have to wait a little and call again. The next time someone asks him about a key, he might answer that he knows about it because you asked him about it - but he's old, and can't remember if it was a key he made, a fake one, or one someone else asked him about.
Does asking him about your keys in the drawer undermine the security of your front door, given that the keymaster doesn't remember who you are and he already knows about 8.7B real/fake keys? That decision is yours.

How plaintext lookups work

The intention with this site is to help you get rid of easy-to-crack passwords. We have a huge collection of easy-to-break passwords that are looked up by a one-way hashed version of the password.
Plaintext lookups work like this: when you submit a plaintext password, it is hashed as an NT hash, and then looked up just as if it had originally arrived as an NT hash. If the hashed version of your password matches one in our database, we tell you that the password was found.

Life is not an adventure though

Back in the real world, where ntlm.pw exists, we're kind of like the keymaster. There is no sign-up, we don't know who uses it, and we don't want to either. You can use your real IP address, hide behind Tor, use a VPN service or a free airport Wi-Fi. The site uses no cookies and no tracking JavaScript, and does not require you to sign up to use the free lookup service. We don't know if the hashes that are submitted are real ones or fake ones. They're just hashes.
If you submit a hash to the site, you must:
  • Have legal permission to do so
  • Feel comfortable that it will not compromise the security of the people you're trying to help

There are already more passwords in the database than there are people on this planet, and the idea with this site is simply to give you an easy way to get rid of the worst ones in your system. If you're not comfortable with using this service, don't do it. There are alternatives, and I can highly recommend using Hashcat with a powerful GPU locally on your own systems as an alternative.
Hashes are passwords, and when you submit a hash to this site, you're effectively telling us a password - even if we don't have it in our database. Submitted hashes can potentially be cracked, and while the vast majority aren't really traceable to anyone, a few of them might be (using an email address as the password, for instance).

What happens to my hashes?

Found hashes are stored in a temporary cache in order to speed up lookups, but negative lookups are not stored.
The server stores regular nginx access and error logs. If you're using GET requests, the full URL (and therefore the hash) goes into the logs. POST requests only log the IP and the request line, not the contents of the request body.
The site collected hashes from launch on December 7th 2023 until April 6th 2024. These hashes will be used for password pattern research internally, but will not be added to the site.

Hugs and hashes to everyone!

Database has 8.710.349.868 unique hashes. Quota 10000 points, resets in 900 seconds.