Have I Been Pwned (HIBP) is a website where users can enter their email addresses to see whether information from the associated user accounts has appeared in any data breaches or been otherwise compromised. In 2020, the site’s creator, Troy Hunt, decided to secure the project’s future by making it open source.
As a complement to HIBP, there is also Pwned Passwords, which works the same way except that the user enters a password instead. This project now has a new partner: the US Federal Bureau of Investigation, also known as the FBI. According to Hunt, it was the FBI itself that took the initiative and contacted him to ask whether he was open to cooperating.
We are excited to be partnering with HIBP on this important project to protect victims of online credential theft. It is another example of how important public/private partnerships can be in combating cybercrime. – Bryan A. Vorndran, FBI bureau chief for IT-related crime
The idea is that the FBI will be able to feed HIBP’s database with lists of compromised passwords. Hunt explains that, in its work, the FBI often has access to hijacked passwords, especially those that criminal networks use to exploit the people who created them. He is positive about the collaboration and hopes to do something meaningful to counter the problem of compromised passwords.
The passwords will be provided in SHA-1 and NTLM hash pairs which perfectly correspond to the existing storage structures in Pwned Passwords (you don’t need them in plain text). They will be entered into the system as they are made available by the office and this is clearly a tempo and volume that fluctuates depending on the nature of the investigations they are involved in – Troy Hunt, founder of Have I Been Pwned
Hunt further explains that the passwords are not stored in plain text and that they are to be entered into the system as soon as the FBI makes them available, though the amounts and rates may vary depending on the agency’s workload.