Access Management , Governance & Risk Management , Identity & Access Management

FBI to Share Compromised Passwords With Have I Been Pwned

Will Help Prevent Users From Reusing Risky Passwords
FBI to Share Compromised Passwords With Have I Been Pwned

The FBI will soon begin sharing hashes of compromised passwords found in the course of its cybercrime investigations with Have I Been Pwned, the data breach notification service.

See Also: OnDemand Panel Discussion | Practical Viewpoints: Global IT Security Compliance in 2022

The password hashes will contribute to Pwned Passwords, a service used to help warn users against reusing passwords that have been leaked in data breaches, says Troy Hunt, the Australian developer who created Have I Been Pwned

Troy Hunt

The stolen and leaked data the FBI comes across in investigations - which usually would be kept secret - can now be utilized for active defense against account takeovers. It will help prevent bad outcomes stemming from the misuse of data obtained in data breaches.

"The folks I've spoken to there [the FBI] have been absolutely fantastic," Hunt says. "They are really dedicated passionate people wanting to make a positive difference."

It's a sign that HIPB is increasingly being viewed as a critical outreach partner. It also shows an evolving view that in addition to arrests and shutdowns, remediation is an important component of fighting cybercrime and fraud.

Last month, the FBI shared 4.3 million email addresses that had been harvested by the Emotet botnet, which was shut down in a global law enforcement action. It marked the first time the FBI had reached out to HIBP with help in notifying victims (see FBI Shares Email Addresses to Speed Emotet Cleanup).

HIBP has also seen wider take up by governments. Seventeen governments are now using HIBP service to get alerts when email addresses related to their domains are ensnared in a breach. The latest, announced this week, is Trinidad and Tobago.

Discouraging Password Reuse

Pwned Passwords now contains 613 million hashes of compromised passwords. It is available as a web service, which is now generating 1 billion queries per month, Hunt says. It's also available as a downloadable 12GB list that can be integrated into organizations' own systems or other software.

For example, the 1Password password manager uses Pwned Passwords within its application to alert users to reused passwords. Another service,, uses the NTLM hashes within Pwned Passwords to enable organizations to scan the NTLM hashes in their own Active Directory systems to check for reuse.

The FBI will supply compromised passwords as SHA-1 and NTLM hashes, Hunt says. Pwned Passwords only stores hashes and not plain-text passwords. Hashes are created by running a plain-text password through an algorithm.

The password hashes are not linked to email addresses. Also, Pwned Passwords does not identify which breach the hash appeared in but rather just how many times the password turned up in HIBP's database.

Hunt is calling for help in creating a way to ingest the data sent by the FBI. He announced Friday that Pwned Passwords will become an open-source project with help from the .NET Foundation.

Making Pwned Passwords open source has several advantages, Hunt writes in a blog post. It increases transparency around the project and allows organizations to take the code and run it as their own freestanding service.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.