FBI is plugging in its intel on compromised passwords and poorly secured accounts with ‘Have I Been Pwned’

FBI to offer database on compromised passwords. Pic credit: Dave Newman/CreativeCommons/CC BY 2.0

The Federal Bureau of Investigation (FBI) will share compromised logins, passwords, and other authentication credentials it recovers during law enforcement investigations with the ‘Have I Been Pwned’ website.

Compromised passwords the FBI discovers during its investigations will be added to the ‘Have I Been Pwned’ database, so visitors can check whether a password they use is already in the hands of attackers.

FBI will share compromised passwords with the Pwned Passwords service:

The Have I Been Pwned data breach notification website includes a service called Pwned Passwords. This service allows users to search for known compromised passwords.

A visitor can enter a password and see how many times it has appeared in a data breach. The lookup does not hand the password to the service: it is hashed with SHA-1 in the browser and only the first five hex characters of the hash are sent, so the server never learns which password was checked. Despite repeated reminders, people still use ‘password’, ‘1234’ and the like to secure their online accounts.

According to the website, the word ‘password’ alone has appeared 3,861,493 times in data breaches. That is an extreme case, but it shows how much weak and reused password material attackers already hold from past breaches.

Have I Been Pwned creator Troy Hunt announced that the FBI would soon feed its own compromised-password data into the website. The FBI routinely investigates data breaches and recovers large caches of compromised accounts and credentials in the process.

The Pwned Passwords service will thus let administrators and users check for passwords that criminals are known to hold and actively use. Rejecting such passwords at sign-up and reset time removes the easiest targets for credential stuffing, and with them many of the network breaches that start from a reused password.

FBI will share compromised password database as SHA-1 and NTLM hash pairs:

The FBI will not share the compromised passwords in plaintext. Instead, the agency will send SHA-1 and NTLM hashes of each password, and the Pwned Passwords service will match the hash of whatever a visitor enters against that database. These are unsalted hashes of passwords already known to be weak or leaked, so hashing protects the handover rather than the passwords themselves: anyone holding the list can still test guesses against it.
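As an added illustration of the matching step described above (this is example code written for this page, not code from the original article, from Have I Been Pwned, or from the FBI), the following Python performs a lookup the way the Pwned Passwords range API works: only the first five hex characters of the password's SHA-1 hash leave the client, and the comparison against the returned suffixes happens locally. The range response used here is constructed sample data (its first suffix is the genuine SHA-1 tail of "password"; the count is the figure quoted in the article, placed here as sample data; the second line is arbitrary). `live_fetch` shows the real endpoint shape but is not called by the offline run, and its User-Agent string is a made-up placeholder.

```python
import hashlib
import urllib.request

# Constructed sample of a Pwned Passwords range response (not real API output).
# The real API answers GET https://api.pwnedpasswords.com/range/<5-hex-prefix>
# with one "SUFFIX:COUNT" line per known SHA-1 hash that shares the prefix.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"  # real SHA-1 tail of "password"
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"        # constructed, arbitrary suffix
    ),
}


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of a password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates blank lines and CRLF endings."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Return how many times `password` appears in the corpus, or 0 if unseen.

    Only the 5-character prefix is handed to `fetch_range`; the remaining 35
    characters never leave this function. That is the k-anonymity property:
    the server sees a bucket of hashes, not the one being checked.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call, backed by the constructed sample above."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """Real range query (needs network); not used by the offline demo below."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-passwords-example"},  # placeholder UA, assumption
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, offline_fetch)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in sample corpus")
```

Swapping `offline_fetch` for `live_fetch` turns this into a real check; the rest of the code is unchanged because the API contract is just the prefix in and a list of suffixes out. A password-policy hook should reject any non-zero count rather than only large ones, since a single appearance already means the password is in attacker wordlists.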

Pwned Passwords also lets anyone download the whole corpus as a list of SHA-1 or NTLM hashes with their breach counts. Because Active Directory stores each account's password as an NTLM hash, Windows administrators can compare their domain's hashes against the NTLM list offline and find accounts that use a known-compromised password, without sending anything to the service.
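As an added example of the offline check described above (example code written for this page, not code from the article, Have I Been Pwned, or the FBI), the following Python shows why the NTLM list is directly usable by Windows administrators: an NT hash is MD4 over the UTF-16LE encoding of the password, unsalted, so a dump of domain hashes can be matched against the downloaded list hash-for-hash. MD4 is implemented inline because Python's hashlib only exposes it when OpenSSL's legacy provider is loaded. The hash list is constructed sample data (its two entries are the real NT hashes of "password" and of the empty string; the counts are sample values), and the account names and their passwords are hypothetical.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


# MD4 rounds (RFC 1320): boolean function, message-word index for step i,
# rotation amounts cycling every four steps, additive constant.
_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), lambda i: i, (3, 7, 11, 19), 0),
    (lambda x, y, z: (x & y) | (x & z) | (y & z),
     lambda i: (i % 4) * 4 + i // 4, (3, 5, 9, 13), 0x5A827999),
    (lambda x, y, z: x ^ y ^ z,
     lambda i: (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4], (3, 9, 11, 15), 0x6ED9EBA1),
)


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). MD4 is broken; it is here only because NTLM is built on it."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)          # pad to 56 mod 64
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)  # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for fn, word, shifts, const in _ROUNDS:
            for i in range(16):
                # Register roles rotate each step: (a,b,c,d), (d,a,b,c), (c,d,a,b), (b,c,d,a)
                a, b, c, d = (v[(j - i) % 4] for j in range(4))
                v[(-i) % 4] = _rotl((a + fn(b, c, d) + x[word(i)] + const) & MASK32, shifts[i % 4])
        state = [(s + w) & MASK32 for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def ntlm(password: str) -> str:
    """NT hash as stored by Active Directory: MD4 of the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16-le")).hex().upper()


# Constructed sample of a downloaded NTLM list ("HASH:COUNT" per line).
SAMPLE_NTLM_LIST = """\
31D6CFE0D16AE931B73C59D7E0C089C0:1000
8846F7EAEE8FB117AD06BDD830B7586C:3861493
"""


def load_hash_counts(text: str) -> dict[str, int]:
    """Load a 'HASH:COUNT' list into a dict keyed by uppercase hex hash."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        digest, _, count = line.strip().partition(":")
        if digest:
            counts[digest.upper()] = int(count)
    return counts


def find_pwned_accounts(account_hashes: dict[str, str], hash_counts: dict[str, int]) -> dict[str, int]:
    """Map each account whose NT hash appears in the list to that hash's breach count.

    Only hashes are compared, so this runs over a domain hash dump without
    ever handling or transmitting a plaintext password.
    """
    return {acct: hash_counts[h.upper()] for acct, h in account_hashes.items() if h.upper() in hash_counts}


if __name__ == "__main__":
    # Hypothetical accounts; their NT hashes are derived here from sample plaintexts.
    accounts = {"alice": ntlm("password"), "bob": ntlm("Tr0ub4dor&3-example"), "svc_backup": ntlm("")}
    for acct, n in find_pwned_accounts(accounts, load_hash_counts(SAMPLE_NTLM_LIST)).items():
        print(f"{acct}: NT hash seen {n} times in breach corpus")
```

The real NTLM download is hundreds of megabytes, so in production the list is streamed line by line and the domain hashes are held in a set rather than the other way round; the matching logic is the same. Treat any hit as a forced reset, and note that the empty-string hash in the sample is worth checking for on its own, since it marks accounts with no password set.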

To take in the FBI's data, Hunt has made Pwned Passwords open source under the .NET Foundation and is asking other developers to help build a ‘Password Ingestion’ API.

Once that API exists, other investigative agencies could feed their own recovered credentials in the same way, keeping the corpus current for everyone who checks against it. Meanwhile, Google is pushing to retire passwords entirely.
