Popular data breach notification site Have I Been Pwned (HIBP) is going open source under the .NET Foundation, owner Troy Hunt announced on Friday. Hunt also revealed details of a collaboration between the FBI and HIBP.
The announcement comes at a time of significant growth for HIBP. The site served 926.92 million requests last month, edging ever closer to the billion mark, according to a tweet from Hunt on Thursday.
Going open-source with .NET
Hunt had first announced plans to open-source the site in August 2020. After that announcement, Claire Novotny, executive director of the .NET Foundation, an independent 501(c) non-profit organisation, reached out to him and offered support.
According to Hunt, HIBP’s existing reliance on the Microsoft stack makes the .NET Foundation a ‘perfect fit’. The first component to go open source is Pwned Passwords: its simple codebase, separate domain, Cloudflare account and Azure services let it be carved out independently of the rest of HIBP, and the data behind it, unlike the breach data that drives the main site, is already freely available as downloadable hash sets.
Speaking of natural fits, Pwned Passwords is perfect for this model, and that’s why we’re starting here. There are a number of reasons for this:
1. It’s a very simple codebase consisting of Azure Storage, a single Azure Function and a Cloudflare worker.
2. It has its own domain, Cloudflare account and Azure services, so it can easily be picked up and open-sourced independently to the rest of HIBP.
3. It’s entirely non-commercial without any API costs or Enterprise services like other parts of HIBP (I want community efforts to remain in the community).
4. The data that drives Pwned Passwords is already freely available in the public domain via the downloadable hash sets.
Verbatim via Troy Hunt: Pwned Passwords, Open Source in the .NET Foundation and Working with the FBI
Hunt hopes this will ultimately bring wider adoption of the service, both because of the transparency that comes with an open codebase and because people will be able to run their own instances, giving them a fallback if the hosted service is unavailable.
FBI to feed passwords into HIBP
Through its many digital investigations the FBI regularly comes across compromised passwords in criminal use. According to Hunt, the bureau reached out to him looking for a way to get these passwords into HIBP and out into the public domain, where defenders can block them.
According to Bryan A. Vorndran, Assistant Director of the Cyber Division at the FBI, “We are excited to be partnering with HIBP on this important project to protect victims of online credential theft. It is another example of how important public/private partnerships are in the fight against cybercrime.”
The bureau will feed the passwords into Pwned Passwords as they surface; the volume and frequency will depend on the cyber investigations under way at the time. The data will be supplied as SHA-1 and NTLM hash pairs, which, according to Hunt, “aligns perfectly to the current storage constructs in Pwned Passwords”. Supplying hashes rather than plaintext means the service never has to hold the raw strings, and the NTLM form is the one Active Directory administrators need in order to check their own domain’s password hashes against the set.
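To make the “SHA-1 and NTLM hash pairs” concrete, the following is an added example written for this article, not code from HIBP or from Hunt. It derives both hashes for a password the way Pwned Passwords stores them (uppercase hex; NTLM is MD4 over the UTF-16LE encoding of the password), emits them in the HASH:COUNT line form of the downloadable hash sets, and then looks a password up by five-character prefix, the k-anonymity range query the service exposes, which the article itself does not describe. Because hashlib’s md4 sits in OpenSSL’s legacy provider and is frequently absent, a compact RFC 1320 MD4 is included rather than assumed. The hash-set lines and counts are constructed sample data.

```python
"""Added example: SHA-1 / NTLM hash pairs in Pwned Passwords form, plus a
k-anonymity style prefix lookup against a constructed local hash set."""
import hashlib
import struct

_M = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest. Included because hashlib.new('md4') often fails
    on OpenSSL 3 builds; the output is the classic little-endian 16 bytes."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)                      # single 1 bit, then zero padding
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)     # length in bits, little-endian

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        # Round 1: F, words in order, shifts 3/7/11/19
        for i in range(16):
            a = _rotl((a + f(b, c, d) + x[i]) & _M, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c       # rotate registers so the next step writes "d"
        # Round 2: G, words column-wise (0,4,8,12,1,5,...), shifts 3/5/9/13
        for i in range(16):
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & _M, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        # Round 3: H, bit-reversed word order, shifts 3/9/11/15
        order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
        for i in range(16):
            a = _rotl((a + h(b, c, d) + x[order[i]] + 0x6ED9EBA1) & _M, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _M, (b + bb) & _M, (c + cc) & _M, (d + dd) & _M
    return struct.pack("<4I", a, b, c, d)


def sha1_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password, uppercase hex as Pwned Passwords stores it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def ntlm_hex(password: str) -> str:
    """NTLM hash: MD4 over the UTF-16LE password, no salt, uppercase hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def pwned_lines(password: str, count: int) -> tuple[str, str]:
    """The HASH:COUNT line form of the downloadable hash sets, for both hash types."""
    return f"{sha1_hex(password)}:{count}", f"{ntlm_hex(password)}:{count}"


# Constructed sample of a SHA-1 hash set. Only the first line is a real
# hash (of "password"); the others are made-up suffixes sharing its prefix
# so the range query below returns more than one candidate.
SAMPLE_SHA1_SET = """
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
5BAA6000000000000000000000000000000000AA:7
5BAA6FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:2
0000000CAAE4F5B2C8A6A8F3D6A1E2B3C4D5E6F7:99
"""


def load_hash_set(text: str) -> dict[str, int]:
    """Parse HASH:COUNT lines into a dict keyed by uppercase hex hash."""
    out: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, count = line.partition(":")
        out[digest.upper()] = int(count)
    return out


def range_query(hash_set: dict[str, int], prefix5: str) -> dict[str, int]:
    """What a k-anonymity range endpoint returns for a 5-hex-char prefix:
    every matching suffix with its count, never the full hash being queried."""
    return {h[5:]: n for h, n in hash_set.items() if h[:5] == prefix5.upper()}


def check_password(hash_set: dict[str, int], password: str, hasher=sha1_hex) -> int:
    """Prevalence count for the password (0 if unseen). Only the prefix leaves
    the client; the suffix comparison happens locally."""
    full = hasher(password)
    return range_query(hash_set, full[:5]).get(full[5:], 0)


if __name__ == "__main__":
    print(pwned_lines("password", 12345))
    print(check_password(load_hash_set(SAMPLE_SHA1_SET), "password"))
```

Pass `hasher=ntlm_hex` and an NTLM-form set to `check_password` to do the same lookup against domain password hashes; the prefix/suffix mechanics are identical.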