Jump to content
Login new information ×
Login new information
Donations campaign phase one 2024

Have I Been Pwned — which tells you if passwords were breached — is going open source

Karlston

By Karlston
in Security & Privacy News

Recommended Posts

Karlston

Karlston

Posted
Posted

Have I Been Pwned — which tells you if passwords were breached — is going open source

Troy Hunt did a good thing, and he’s trying to give it away 

acastro_170629_1777_0008.0.jpg

Illustration by Alex Castro / The Verge

These days, we almost take it as a given that piss-poor security will inevitably expose some of your usernames and passwords to the world — that’s why 2FA is so important, and why you might want a password checkup tool like the ones now built into every modern browser (well, Safari is coming soon) so you can quickly replace the ones that were stolen.

 

But nearly all of those password checkup tools owe something to Troy Hunt’s Have I Been Pwned, which was kind of a novel idea when it first launched 7 years ago — and Hunt is now open-sourcing his website codebase so the idea can spread even further.

 

While not all password checkup tools actually use Hunt’s database (a just-announced LastPass feature calls on one hosted by Enzoic instead), many of them are apparently based on the same “k-Anonymity” API that Cloudflare engineering manager Junade Ali originally designed to support Have I Been Pwned’s tool.

 

 

The important idea here is that you want to be able to tell users that their password has been breached without providing an opportunity for bad actors to figure out which passwords those are and make the breach even worse; k-Anonymity uses math to make it harder for hackers.

 

But Hunt said last year that he doesn’t want to continue this all by himself, he wants the idea to expand, and after a failed attempt to get another company to acquire HIBP without compromising on a list of ideals, he’s now going to try to open it all up for the community to contribute.

 

Note, though, that it’s not quite happening yet. Hunt writes that he doesn’t have a timeline for opening it up, partly because it’s in a messy state, and partly because he wants to make sure he can keep the databases of breached passwords themselves from falling into the wrong hands. At this rate, I imagine it’ll happen before we manage to get rid of passwords altogether, but it might be a ways away.

 

 

Have I Been Pwned — which tells you if passwords were breached — is going open source

 

ThanksForReading200x49.jpg

Link to comment
Share on other sites
  • Replies 1
  • Views 845
  • Created
  • Last Reply
funkyy

funkyy

Posted
Posted

One of the most useful/effective tools in the defense against hackers.

Long may it continue and evolve.:duh::duh::duh:

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...