FBI to Share Compromised Passwords with Have I Been Pwned

The FBI will soon begin sharing hashes of compromised passwords found in the course of its cybercrime investigations with Have I Been Pwned, the data breach notification service.

See Also: Live Webinar | The Role of Passwords in the Hybrid Workforce

The password hashes will contribute to Pwned Passwords, a service used to help warn users against reusing passwords that have been leaked in data breaches, says Troy Hunt, the Australian developer who created Have I Been Pwned

The stolen and leaked data the FBI comes across in investigations – which usually would be kept secret – can now be utilized for active defense against account takeovers. It will help prevent bad outcomes stemming from the misuse of data obtained in data breaches.

The collaborative arrangement illustrates an evolving view that in addition to arrests and shutdowns, remediation is an important component of fighting cybercrime and fraud.

Last month, the FBI shared with HIBP the 4.3 million email addresses that had been harvested by the Emotet botnet, which was shut down in a global law enforcement action. It marked the first time the FBI had asked HIBP for help in notifying victims, Hunt says (see: FBI Shares Email Addresses to Speed Emotet Cleanup).

Seventeen governments are now using HIBP to get alerts when email addresses related to their domains are ensnared in a breach, Hunt says. The latest, announced this week, is Trinidad and Tobago.

Discouraging Password Reuse

Pwned Passwords now contains 613 million hashes of compromised passwords. It is available as a web service, which is now generating 1 billion queries per month, Hunt says. It’s also available as a downloadable 12GB list that can be integrated into organizations’ own systems or other software.

For example, the 1Password password manager uses Pwned Passwords within its application to alert users to reused passwords. Another service, Safepass.me, uses the NTLM hashes within Pwned Passwords to enable organizations to scan the NTLM hashes in their own Active Directory systems to check for reuse.

The FBI will supply compromised passwords as SHA-1 and NTLM hashes, Hunt says. Pwned Passwords only stores hashes and not plain-text passwords. Hashes are created by running a plain-text password through an algorithm.

The password hashes are not linked to email addresses. Also, Pwned Passwords does not identify which breach the hash appeared in but rather just how many times the password turned up in HIBP’s database.

Hunt is calling for help in creating a way to ingest the data sent by the FBI. He announced Friday that Pwned Passwords will become an open-source project with help from the .NET Foundation.

Making Pwned Passwords open source has several advantages, Hunt writes in a blog post. It increases transparency around the project and allows organizations to take the code and run it as their own freestanding service.