Nearly a year ago, the data breach tracking platform Have I Been Pwned (HIBP) announced plans to become an open source project. The first step in that transition is now complete—HIBP’s Pwned Passwords code is open source and available on GitHub. The change provides transparency for HIBP, and oddly enough, opens the door to contributions from the FBI.
Have I Been Pwned keeps track of data breaches and collects stolen data, allowing people to check if their email addresses or passwords have been compromised. Now that HIBP is open-sourcing its Pwned Passwords code, it can accept contributions from the FBI and other organizations that may have insight into data breaches and cybercriminal activity.
In other words, the FBI isn’t meddling with HIBP’s code. It’s just giving data to HIBP in the form of secure SHA-1 and NTLM hash pairs (not plaintext). Bryan A. Vorndran, Assistant Director of the Bureau’s Cyber Division, states that the FBI is “excited to be partnering with HIBP on this important project to protect victims of online credential theft.”
I’m very happy to announce that @haveibeenpwned’s Pwned Passwords is now open source under the @dotnetfdn. Now we’ve got some work to do: building an ingestion pipeline for new passwords provided by the @FBI on an ongoing basis. This is super cool 😎 https://t.co/iM17zemmwE
— Troy Hunt (@troyhunt) May 27, 2021
But why start with the Pwned Passwords code? According to HIBP founder Troy Hunt, open-sourcing Pwned Passwords was simply the easiest place to start. Pwned Passwords is largely independent from the rest of HIBP, with its own domain, Cloudflare account, and Azure services. Plus, it’s non-commercial, and its data is already available to the public in downloadable hash sets.
Hunt hopes that open-sourcing Pwned Passwords will provide greater transparency for the HIBP service and allow people to wrap their own Pwned Passwords tools. It’s a big change from 2019, when Hunt considered selling HIBP.
You can find the Pwned Passwords code on GitHub, licensed under the BSD 3-Clause license. The open-sourcing process is still ongoing, and Hunt is asking the open source community to help HIBP develop an ingestion pipeline for contributors like the FBI.
Source: Have I Been Pwned via ZDNet