Password breach service Have I Been Pwned goes open source

Password breach database Have I Been Pwned (HIBP) has now made its entire codebase open source, making good on a promise from its creator Troy Hunt back in August.

In tandem, HIBP is also gaining access to a fresh and continuous cache of breached passwords via the FBI, which has offered to funnel exploited passwords it encounters in its digital crime-fighting travails directly into the HIBP engine.

By way of a brief recap, HIBP was first launched in 2013 by renowned security expert Troy Hunt, serving as an easy way for anyone to discover whether credentials for their online accounts have emerged in an online data dump. The service now receives some 1 billion requests a month, and numerous third parties leverage the data inside their own apps and websites, including Mozilla’s Firefox browser and 1Password, which last year launched a new data breach report service for its enterprise clients based on HIBP data.

Above: Have I Been Pwned is now open source

People problem

Ultimately, the problem that HIBP has been setting out to solve over the past eight years is one that impacts everyone, from online shoppers to multinational corporations. Poor password hygiene is a major driver of security breaches, with 81% of all breaches reportedly down to compromised passwords. Last year, password management platform Dashlane actually launched a new tool that gives businesses data on the health of their employees’ passwords.

For this reason, there have been all manner of initiatives designed to replace passwords with alternative security mechanisms such as biometric authentication and two-step verification. But for now, passwords still rule the roost, which is why the HIBP database has proved so useful to millions of people.

Hunt, who is also a Microsoft Regional Director, elected to open-source HIBP last year following a failed acquisition. He took the decision to push HIBP fully into community ownership because it had grown substantially on free contributions from people around the world, emerging as an indispensable source of breach data for consumers and companies alike. But, as Hunt pointed out at the time, the entire project hinged on him and him alone. “If I disappear, HIBP quickly withers and dies,” he noted.

Open sourced

And that is where the open-sourcing comes into play. “I knew it wouldn’t be easy, but I also knew it was the right thing to do for the longevity of the project,” Hunt wrote in a blog post today.

Given the complexities involved in transferring a one-man project into an open source entity, Hunt has turned for support to the .NET Foundation, a not-for-profit organization established by Microsoft back in 2014 to oversee its .NET Framework’s transition to an open source project.

“There’s a heap of effort involved in picking something up that’s run as a one-person pet project for years and moving it into the public domain,” Hunt wrote. “I had no idea how to manage an open source project, establish the licencing model, coordinate where the community invests effort, take contributions, redesign the release process and all sorts of other things I’m sure I haven’t even thought of yet.”

HIBP now has its own profile on GitHub, with repositories for an Azure Function and Cloudflare Worker, and it has been released under a permissive BSD 3-Clause License.

The first significant piece of work for HIBP as an open source project will be to develop the necessary functionality to ingest breached credentials identified by the FBI in its various investigations.

“They’ll be fed into the system as they’re made available by the bureau, and obviously that’s both a cadence and a volume which will fluctuate depending on the nature of the investigations they’re involved in,” Hunt wrote. “The important thing is to ensure there’s an ingestion route by which the data can flow into HIBP and be made available to consumers as fast as possible in order to maximize the value it presents. To do that, we’re going to need to write some code.”
