Have I Been Pwned’s Password Program Is Now Open Source, Accepting Data from FBI

Nearly a year ago, the data breach tracking platform Have I Been Pwned (HIBP) announced plans to become an open source project. The first step in that transition is now complete—HIBP’s Pwned Passwords code is open source and available on GitHub. The change provides transparency for HIBP, and oddly enough, opens the door to contributions from the FBI.

Have I Been Pwned keeps track of data breaches and collects stolen data, allowing people to check if their email addresses or passwords have been compromised. Now that HIBP is open-sourcing its Pwned Passwords code, it can accept contributions from the FBI and other organizations that may have insight into data breaches and cybercriminal activity.

In other words, the FBI isn’t meddling with HIBP’s code. It’s just giving data to HIBP in the form of secure SHA-1 and NTLM hash pairs (not plaintext). Bryan A. Vorndran, Assistant Director of the Bureau’s Cyber Division, states that the FBI is “excited to be partnering with HIBP on this important project to protect victims of online credential theft.”

But why start with the Pwned Passwords code? According to HIBP founder Troy Hunt, open-sourcing Pwned Passwords was just the easiest place to start. Pwned Passwords is basically independent from the rest of HIBP, with its own domain, Cloudflare account, and Azure services. Plus, it’s non-commercial, and its data is already available to the public in downloadable hash sets.

Hunt hopes that open-sourcing Pwned Passwords will provide greater transparency for the HIBP service and allow people to build their own Pwned Passwords tools. It’s a big change from 2019, when Hunt considered selling HIBP.

You can find the Pwned Passwords code on GitHub, licensed under the BSD 3-Clause license. The open-sourcing process is still ongoing, and Hunt is asking people in the open source community to help HIBP develop an ingestion pipeline for contributors like the FBI.

Source: Have I Been Pwned via ZDNet

Andrew Heinzman
Andrew is a writer for Review Geek and its sister site, How-To Geek. Like a jack-of-all-trades, he handles the writing and image editing for a mess of tech news articles, daily deals, product reviews, and complicated explainers.