FBI’s cyber division personnel in front of a computer screen. (FBI)
The breach aggregator Have I Been Pwned, one of the most popular tools to test the real-world strength of passwords, made two significant announcements on Friday: A collaboration with the FBI to obtain new, hacked passwords, and contributing some of its code-base to the open-source community.
Have I Been Pwned has two main features. The first, and the site’s namesake, allows people to check if their login information is included in breached data archives circling the dark web. But a second feature allows users to check how often a given password has been found in the dataset – testing the strength of a password against dictionary-style brute force attacks. The later feature, “Pwned Passwords,” will be at the center of both the FBI’s involvement with the site and with the open-source initiative.
“Through various public engagement tools and resources, we aim to assist the public to better protect themselves in the current cyber environment The FBI is excited to be partnering with HIBP on this important initiative to protect victims of online credential theft,” the FBI told SC Media via email. “By proactively providing HIBP with hashed passwords from breached data sets, the FBI is strategically empowering victims of cybercrime to more readily identify compromises of their accounts.”
The FBI will provide breached SHA-1 and NTLM-hashed passwords to Have I Been Pwned when they are discovered during investigations. Troy Hunt, founder of Have I Been Pwned, reached out to coders on his blog to help design intake software for the data via the Have I Been Pwned GitHub.
Alongside the FBI announcement, Have I Been Pwned will offer the Pwned Passwords code as an open-source project to be administered by the .NET Foundation
“My hope is that this encourages greater adoption of the service both due to the transparency that opening the code base brings with it and the confidence that people can always ‘roll their own’ if they choose,” wrote Hunt on his blog. “Maybe they don’t want the hosted API dependency, maybe they just want a fallback position should I ever meet an early demise in an unfortunate jet ski accident.”
The dataset behind Pwned Passwords is already freely available via the API.
Pwned Passwords is more than a tool for those in the know or a novelty on a website. The service is integrated into the password manager 1Password.
A consistent feed from the FBI could greatly benefit organizations that often struggle with security, said Kiersten Todt, managing director of the small and medium-sized business advocacy group the Cyber Readiness Institute.
“This forward-leaning public/private collaboration regarding online credential theft will be a critical tool to help small businesses be more resilient by helping them ensure safe and secure authentication,” she said.