Have I Been Pwned (HIBP), the site where you can check whether your email address or password has been exposed in a data breach (and if so, how many times), has partnered with the United States Federal Bureau of Investigation (FBI) to strengthen its credential database far more quickly. The project has also gone open source.
The HIBP site is a gem of the Internet. It was started by Troy Hunt, a web security consultant and member of the Microsoft Regional Director program (not a Microsoft employee), who was motivated to create the service after a 2013 security breach at Adobe exposed the login credentials of 150 million accounts. It was the biggest breach of customer accounts at the time.
HIBP has two components: one for email addresses and another for passwords. More than 154 million compromised passwords reside in Windows Azure storage, which users can check separately. While this may seem risky, the passwords are not stored alongside any personally identifiable information (such as email addresses) and are hashed with SHA-1 (Secure Hash Algorithm 1).
In a blog post, Hunt explains that the FBI contacted him about creating a way for the agency to feed passwords directly into HIBP. Hunt says the FBI's goal is "perfectly aligned" with his own, which is to proactively warn people when their accounts have been compromised (users can optionally sign up to receive notifications when a breach involving their email address is detected), and so the two are now working together to achieve this. According to Hunt, the FBI will feed compromised passwords into the service nearly 1 billion times each month.
"We are excited to partner with HIBP on this important project to protect victims of online credential theft. It is one more example of the importance of public / private partnerships in the fight against cybercrime," said Bryan A. Vorndran, Deputy Director of the FBI's Cyber Division.
The direct FBI feed into HIBP remains secure, because passwords are supplied to the service as SHA-1 and NTLM hash pairs, not in plain text. But what is the result here? For users, it means potentially faster warning if and when their accounts have been exposed in a data breach.
"They will be fed into the system as the Bureau makes them available, and obviously it's a cadence and a volume that will fluctuate depending on the nature of the investigations they're involved in," says Hunt. "The important thing is to make sure there is an ingestion path by which data can flow into HIBP and be made available to consumers as quickly as possible to maximize the value it presents."
Working together on a direct feed is the next logical step. The FBI recently provided Hunt with 4.3 million compromised email addresses obtained during the takedown of the Emotet botnet in January. Creating a direct line means the FBI can do this kind of thing much faster in the future.
Hunt also announced that HIBP is now open source through the .NET Foundation. He said this is the right move for the longevity of the project and guarantees a more sustainable future, rather than the service depending on him alone. It is also important for transparency.
"Putting the code out in public goes a long way toward addressing people's concerns about how the service works. For example, people have often wondered if I'm logging searches to build a mailing list of email addresses," Hunt explained in a previous blog post. "No, I'm not, but at present this statement boils down to 'trust me.' Showing the code (the actual code) and proving that things aren't logged is a very different proposition," Hunt said.
Both are welcome announcements and should ensure that HIBP remains a relevant and useful service for a long time to come.