Troy Hunt, the maker of Have I Been Pwned, has given the US FBI exclusive access to upload hashed passwords obtained in its investigations to Pwned Passwords, a dedicated section of the Have I Been Pwned website that lets people check whether their passwords (strings) have ever been leaked online. Hunt also made the code of Have I Been Pwned open source the same day.
Open-sourcing Have I Been Pwned and Access to FBI
Have I Been Pwned is an indexer of compromised passwords from several data breaches, and it lets people check whether their password was compromised. To check, a person enters an email address, a name or a username. Checking by email address is suggested, since not all data breaches include usernames and names.
While this has been significantly helpful to millions, HIBP has a separate section called Pwned Passwords, which includes over 613 million passwords aggregated from various breaches. It lets users search whether a password was compromised by entering the exact password phrase (string). As this is a more filtered search, several organizations worldwide use it to check their workers’ account integrity.
The US FBI has been given a direct line to Pwned Passwords to feed in any password lists it obtains in its investigations. This should help more users learn of the impact quickly, instead of the lists going through Troy Hunt, the sole maintainer of the HIBP site. Last month, the FBI gave access to feed the stolen passwords from the Emotet botnet, which was successfully taken down in phases.
Alongside the exclusive access, Troy Hunt has made the source code of Have I Been Pwned open source. The timing happens to be a coincidence with the FBI access, and he said that the code of the main HIBP site would soon be open-sourced.