The Federal Bureau of Investigation (FBI) will share information about compromised logins, passwords, and authentication credentials. The information, which is part of the law enforcement investigations, will now help the ‘Have I Been Pwned’ website.
Compromised passwords which the FBI discovered during its investigations will now be part of the ‘Have I Been Pwned’ website database. Visitors to the website will now be able to discover just how poor is their choice of passwords.
FBI will share compromised passwords with Pwned Password service:
The Have I Been Pwned data breach notification website includes a service called Pwned Passwords. This service allows users to search for known compromised passwords.
A visitor can input any password, and see how many times that password featured in a data breach. Needless to mention, despite repeated reminders, people still use ‘password’, ‘1234’, etc. to secure their accounts online.
— Mark (@_therealmark_) May 28, 2021
According to the website, the word ‘password’ has appeared 3,861,493 times in data breaches. While this may be an extreme case, internet users suffer from compromised information through data breaches.
FBI to share compromised passwords with Have I Been Pwned https://t.co/q81IkaHV58#Malware #cybersecurity #hacker #infosec #cyberattack #ethicalhacking #ransomware #cybercrime #hackers #security #pentesting #linux #phishing #technology #IoT pic.twitter.com/HigGCDlK1j
— Hackers Review (@HackersReview_) May 28, 2021
Have I Been Pwned website creator Troy Hunt announced that the FBI would soon feed its own database on compromised passwords to the website. Needless to mention, FBI routinely investigates data breaches and discovers hoards of compromised accounts and credentials.
The Pwned Password service will now help administrators and users to check for passwords that cybercriminals used for malicious purposes. Such a database is immensely valuable to everyone because it could prevent credential stuffing attacks and network breaches in the future.
FBI will share compromised password database as SHA-1 and NTLM hash pairs:
The FBI will not be sharing compromised passwords in plaintext format. Instead, the agency will send across encoded information. The Pwned Password service will merely match the information a visitor provides, with the database.
Incidentally, Password Pwned allows users to download the compromised passwords as lists of SHA-1 or NTLM hashed passwords. Using this facility, Windows administrators can quickly run a scan to check if any of the compromised passwords are on their network.
Australian security researcher Troy Hunt announced today that he granted the US Federal Bureau of Investigation a direct line to upload new content into Have I Been Pwned, a website that indexes data from security breaches.https://t.co/Y0naomjKpq
— Shahriyar Gourgi (@ShahriyarGourgi) May 28, 2021
To ensure Have I Been Pwned website receives the invaluable database from the FBI, Hunt has made Password Pwned open source via the .NET Foundation. He is now urging other developers to help create a ‘Password Ingestion’ API.
If the website succeeds in creating the API, it could allow more investigation agencies such as the FBI, to easily plug in their own database. This would surely help privacy-conscious users to ensure better password hygiene. Meanwhile, Google is trying hard to retire passwords entirely.