The FBI is planning to share compromised passwords with the Have I Been Pwned (HIBP) data breach notification site, feeding it passwords it recovers during its investigations.
The Have I Been Pwned site has a feature called Pwned Passwords that lets users check whether a password they use has already been exposed in a known data breach.
The service is free and also shows how many times a given password has appeared in breaches. For example, the password “password” had been found 3,861,493 times in data breaches at the time of writing.
Troy Hunt, the creator of the Have I Been Pwned service, announced today that the FBI would be feeding his database with compromised passwords discovered in various investigations.
Thanks to the FBI’s feed, more users and administrators will be able to find out whether a password they rely on is already in criminal hands and needs to be changed.
The FBI and HIBP said their partnership will help protect victims from cybercrime:
“We are excited to be partnering with HIBP on this important project to protect victims of online credential theft. It is another example of how important public/private partnerships are in the fight against cybercrime,” said Bryan A. Vorndran, Assistant Director, Cyber Division, FBI.
The FBI will share the passwords with Pwned Passwords as SHA-1 and NTLM hashes rather than in plaintext. Users can then search the online database or download the complete hash list for offline checks. The offline NTLM list is aimed at Windows administrators: because Windows stores domain passwords as unsalted NTLM hashes, they can compare their own accounts’ hashes against the list and find users whose passwords are known to be compromised, without ever sending a password or hash outside their network.
The downloads are available ordered either by hash value or by prevalence. For example, the NTLM hash ‘32ED87BDB5FDC5E9CBA88547376818D4’, which corresponds to the password “123456”, appears over 24 million times.
Hunt also announced that he has made the Pwned Passwords project open source via the .NET Foundation, and he is asking developers to help build a “Password Ingestion” API that will let law enforcement agencies feed compromised passwords into the database directly.