Compromised credentials pose severe security threats to both organizations and individuals. Attackers often reuse stolen or leaked passwords in brute-force attacks to compromise user accounts. Most victims use the data breach search website Have I Been Pwned? (HIBP) to check whether their email address or phone number has been exposed in a data breach. Created by web security consultant Troy Hunt, HIBP searches its index of data breaches, from the largest to the most recent, once a user enters an email address or phone number.
Recently, Troy Hunt announced that HIBP now allows the FBI to upload new content into its database. With this, the FBI can feed compromised passwords found during law enforcement investigations into the site's Pwned Passwords section. The FBI will supply the passwords as SHA-1 and NTLM hash pairs rather than in plaintext.
“The FBI play integral roles in combatting everything from ransomware to child abuse to terrorism and in the course of their investigations, they regularly come across compromised passwords. Often, these passwords are being used by criminal enterprises to exploit the online assets of the people who created them. Wouldn’t it be great if we could do something meaningful to combat that?” Hunt said.
I’m very happy to announce that @haveibeenpwned’s Pwned Passwords is now open source under the @dotnetfdn. Now we’ve got some work to do: building an ingestion pipeline for new passwords provided by the @FBI on an ongoing basis. This is super cool 😎 https://t.co/iM17zemmwE
— Troy Hunt (@troyhunt) May 27, 2021
Hunt stated that the new partnership removes a major barrier for the many organizations considering adopting Pwned Passwords.
“We are excited to be partnering with HIBP on this important project to protect victims of online credential theft. It is another example of how important public/private partnerships are in the fight against cybercrime,” said Bryan A. Vorndran, Assistant Director, Cyber Division, FBI.
HIBP Goes Open Source
Hunt also made Pwned Passwords open source via the .NET Foundation to accelerate the new partnership with the FBI. He also asked developers to help create a Password Ingestion API so that the FBI and other law enforcement agencies can feed compromised passwords into the Pwned Passwords database.
“The .NET Foundation folks have helped me out with the former and the Cloudflare folks with the latter. They’ll continue to help to support as community contributions come in and as the project evolves to achieve the objectives above re-supporting the FBI with their goals. Running an open source project is all new for me and I’m enormously appreciative of the contributions already made by those mentioned above. Bear with me as I navigate my own way through this process and a massive thanks in advance for all those who decide to contribute and support this initiative in the future,” Hunt added.