The FBI will share compromised passwords that were discovered during investigations with the ‘Pwned Passwords‘ service implemented by the data breach notification site Have I Been Pwned (HIBP).
The Pwned Passwords service allows users to search for known compromised passwords and discover how many times they have been found in past data breaches.
“And so, the FBI reached out and we began a discussion about what it might look like to provide them with an avenue to feed compromised passwords into HIBP and surface them via the Pwned Passwords feature. Their goal here is perfectly aligned with mine and, I dare say, with the goals of most people reading this: to protect people from account takeovers by proactively warning them when their password has been compromised.” reads the post published by Hunt. “Feeding these passwords into HIBP gives the FBI the opportunity to do this almost 1 billion times every month. It’s good leverage.”
According to Hunt, the FBI will feed the compromised passwords into the Pwned Password service.
“We are excited to be partnering with HIBP on this important project to protect victims of online credential theft. It is another example of how important public/private partnerships are in the fight against cybercrime,” – Bryan A. Vorndran, Assistant Director, Cyber Division, FBI.
The FBI will provide the passwords as SHA-1 and NTLM hash pairs which is the format used by the Pwned Passwords service.
Hunt also announced that he is opening the source code for the Pwned Passwords via the .NET Foundation and is requesting the community of developers to contribute by creating a ‘Password Ingestion’ API that could be used by by law enforcement agencies to feed the passwords they discovered during their investigation.
“The .NET Foundation folks have helped me out with the former and the Cloudflare folks with the latter. They’ll continue to help supporting as community contributions come in and as the project evolves to achieve the objectives above re supporting the FBI with their goals. Running an open source project is all new for me and I’m enormously appreciative of the contributions already made by those mentioned above.” concludes Hunt “Bear with me as a I navigate my own way through this process and a massive thanks in advance for all those who decide to contribute and support this initiative in the future.”
(SecurityAffairs – hacking, HIBP)