Have I Been Pwned Will Allow the FBI to Upload Hacked Passwords

Have I Been Pwned has become the reference website for finding out whether a password has been leaked or, more recently, whether our phone number has. The portal already lists almost 11.3 billion compromised accounts from 538 hacks of different websites. Now it will be even easier for them to expand that database.

The Have I Been Pwned portal made a double announcement today. The first is that it will collaborate with the FBI. The goal of this collaboration is for the databases of hacked passwords that the FBI has access to be made available to the website, so that they can be added and users can check whether they have been caught up in a hack.


The FBI will upload passwords to Pwned Passwords

In this way, the FBI would have a direct channel for uploading content to the site's database so that it can be indexed and made accessible to users. The FBI will supply the passwords as SHA-1 and NTLM hashes, not in plain text, and will not provide any other personal data. Those passwords will be incorporated into the Pwned Passwords database, which already holds 613 million leaked passwords.

The fact that a password appears there already means we should not use it on any service, since someone can take that database and try those 613 million passwords until one matches our account. It should also be borne in mind that a password not appearing there does not imply that it is secure; you should always aim for complex passwords.

That same database can be downloaded directly from the website, in the Passwords section, as torrent files. The most up-to-date version was compiled on November 19, 2020, so more hacked passwords will have been added since then.

Pwned Passwords will be open source

The second novelty announced by Troy Hunt, its creator, is that the site will be made open source so that others can contribute to the project and it becomes easier to find credentials that have been hacked.

Making the code open source was a logical step, since, as Hunt also states, the code is very simple: only an Azure storage service, an Azure Function, and a Cloudflare Worker.

By making it open source, other companies can integrate checking directly into their services. For example, Microsoft does not let users enter a password that has appeared in a hack, and other password managers could do the same with this new, freely deployable tool.

Troy Hunt also announced yesterday that the portal is already dangerously close to 1 billion checks per month, which is equivalent to 1 in 8 people in the world checking every month whether their email or password appears in a hack. This shows that more and more people are concerned about their security, but there are still those who use weak passwords.