FBI partners with 'Have I Been Pwned' on breached password database

The service, which lets you check whether your details have been compromised, has also been converted to open source through the .NET Foundation


Have I Been Pwned (HIBP), a website that allows users to check if their email addresses and passwords have been compromised, is collaborating with the FBI on feeding masses of data on compromised credentials into the wider HIBP catalogue.

The US law enforcement agency approached HIBP, according to its founder Troy Hunt, to discuss what it might look like to build channels through which the FBI's intelligence on compromised passwords could be provided.

This would vastly expand the database, and surface more compromised credentials with the Pwned Passwords search tool, giving more users information on whether they need to change their credentials.

"Their goal here is perfectly aligned with mine and, I dare say, with the goals of most people reading this: to protect people from account takeovers by proactively warning them when their password has been compromised," Hunt said in his blog.

"Feeding these passwords into HIBP gives the FBI the opportunity to do this almost 1 billion times every month. It's good leverage."

The FBI will provide its passwords as SHA-1 and NTLM hash pairs, which aligns with how HIBP already stores Pwned Passwords. These will be fed into the system as they're made available, with the volume fluctuating depending on the nature of the investigations the FBI is involved in at any one time.

The key to this collaboration is ensuring there's an established ingestion route through which the data can flow and be made available to users at pace. Critical to this endeavour are Hunt's plans to make HIBP open source, which have now been achieved.

Work to convert the HIBP code base to open source, which began in August last year, became necessary after the scale and nature of the service made it difficult to manage as a one-man project, especially alongside Hunt's other commitments, which include his Microsoft Regional Director and MVP roles.

Hunt revealed in June 2019 that he was looking for a buyer for the service, with the researcher struggling to cope with an explosion in the number of data breaches at the time.

"What I didn't know is how non-trivial it would be for all sorts of reasons you can imagine and a whole heap of others that aren't immediately obvious," he explained. "One of the key reasons is that there's a heap of effort involved in picking something up that's run as a one-person pet project for years and moving it into the public domain.


"I had no idea how to manage an open source project, establish the licencing model, coordinate where the community invests effort, take contributions, redesign the release process and all sorts of other things I'm sure I haven't even thought of yet."

To manage the open source transition, Hunt turned to the .NET Foundation, with its executive director Claire Novotny integral to the transition. Pwned Passwords, he added, is a perfect fit for the .NET Foundation model because of its reliance on the Microsoft technology stack.

It's a simple codebase consisting of Azure Storage, a single Azure Function and a Cloudflare Worker. It also has its own domain, Cloudflare account and Azure services, so it can be picked up and open sourced independently of the rest of HIBP.

The nature of the search tool also means it's non-commercial, while the data that drives Pwned Passwords is already freely available in the public domain.

To fully realise the partnership with the FBI, Hunt says HIBP needs help from developers to establish the channel through which password data can be fed at pace and at volume. He has set up two GitHub repositories to this end, and developers are free to get involved and contribute to the system.
