
'Have I been Pwned' is Now Open Source to Check Passwords

Have I been Pwned is a popular website to check if your email has been a part of a data breach.

A few years back, probably only people interested in their digital safety knew about it. But now, almost every service like Firefox Monitor uses the Have I been Pwned database to check for security breaches and notify users.

While the creator (Troy Hunt) already decided to make the entire project open source last year, it is still something that will take time.

However, thanks to the .NET Foundation, he has finally managed to open-source “Pwned Passwords”.

For now, you can find two repositories on GitHub, and they cover only the password portal. The codebase for monitoring emails and phone numbers in data breaches will follow in the near future.

In other words, yes, you can host your own instance to check for password breaches and integrate it into your business or any other service you can think of.

Check New Compromised Passwords With the Help of the FBI

Beyond the open-source codebase for Pwned Passwords now available on GitHub, the FBI has also stepped in to help feed newly discovered passwords into the password search portal.

Fret not, the FBI has nothing to do with how it works, but they will be providing more data. That will make the online portal more effective for users who want to see whether their passphrase is part of a data breach.

Troy mentioned more about it in his blog post:

Their goal here is perfectly aligned with mine and, I dare say, with the goals of most people reading this: to protect people from account takeovers by proactively warning them when their password has been compromised. Feeding these passwords into HIBP gives the FBI the opportunity to do this almost 1 billion times every month. It’s good leverage 🙂

And, you get to self-host it if you want! Sounds exciting, right?

Help Needed From the Open Source Community

With this being the first step in making the project available to the community, Troy has some ideas on how to implement a way for a law enforcement agency to safely contribute password information to “Pwned Passwords”.

The ability to let others contribute to the database will also open the door for other law enforcement agencies to join in.

So, if you are interested in that, you can go through all the details shared in his blog post and contribute to the available repositories as per your expertise.

I think this is definitely an exciting addition to the open-source community which should play a key role in helping users to monitor their passwords, email addresses, and phone numbers whenever there is a data breach.

What do you think? Let me know your thoughts in the comments.
