Have I Been Pwned goes open source.
The FBI will soon start sharing compromised passwords discovered during law enforcement investigations with Have I Been Pwned’s ‘Pwned Passwords’ service.
The Have I Been Pwned data breach notification site provides a service called Pwned Passwords that lets the users search for known compromised passwords.
Using this service, a user can enter a password and see how many times that password has appeared in a breach. For example, entering the password ‘password’ returns that it has been seen 3,861,493 times in data breaches.
Now the creator of Have I Been Pwned, Troy Hunt, has announced that the FBI will soon be supplying compromised passwords found during law enforcement investigations to the Pwned Passwords service.
By providing this feed, the FBI will allow administrators and users to check for passwords that are known to be used for malicious purposes. Admins can then change the passwords before they are used in credential stuffing attacks and network breaches.
Bryan A. Vorndran, Assistant Director, Cyber Division, FBI stated that they are excited to be partnering with HIBP on this important project to protect victims of online credential theft. He added that it is another example of how important public/private partnerships are in the fight against cybercrime.
The FBI will share the passwords as SHA-1 and NTLM hash pairs, which can then be searched using the service or downloaded as part of Pwned Passwords’ offline list.
Users can download the compromised passwords as lists of SHA-1 or NTLM hashes, which Windows administrators can use offline to check whether any of them are in use on their network.
These lists can be downloaded with the hashes sorted alphabetically by hash value or by prevalence.
To facilitate this new partnership, Hunt has made Pwned Passwords open source via the .NET Foundation and is asking other developers to help build a ‘Password Ingestion’ API.
The FBI and other law enforcement agencies can use this API to feed compromised passwords into the Pwned Passwords database.