The FBI will soon begin sharing compromised passwords acquired during law enforcement investigations with Have I Been Pwned’s ‘Pwned Passwords’ service.
Pwned Passwords is a service provided by the Have I Been Pwned data breach notification site that allows users to search for known compromised passwords.
A user can enter a password and check how many times that password has been found in a breach by utilizing this service.
For example, the password ‘password’ has been spotted 3,861,493 times in data breaches, according to the service.
Now, Troy Hunt, the creator of Have I Been Pwned, has stated that the FBI will be sending compromised passwords discovered during law enforcement investigations into the Pwned Passwords service in the near future.
By exposing this information, the FBI will allow administrators and users to check for passwords that are known to have been used for harmful purposes.
Admins can then change those passwords before they are used in network breaches or credential stuffing attempts.
The FBI’s Assistant Director of Cyber Division, Bryan A. Vorndran, expressed his excitement to be working with Have I Been Pwned on this critical effort to protect victims of online credential theft.
He went on to say that this is just another instance of the need for public-private collaborations in the fight against cybercrime.
The passwords will be shared as SHA-1 and NTLM hash pairs, which may be searched using the service or downloaded as part of Pwned Passwords’ offline password list.
The compromised credentials can be downloaded as lists of SHA-1 or NTLM hashed passwords that Windows administrators can use to check if they are being used on their network.
These lists can be downloaded with hashes sorted alphabetically or by their prevalence.
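The offline check described above can be sketched as follows. This is an added example, not code from Have I Been Pwned or the FBI. It assumes the hash-ordered SHA-1 download with one `HASH:COUNT` entry per line, and the function names and sample entries are constructed for illustration.

```python
import hashlib
import io

def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex of the UTF-8 password, matching the list's casing."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def breach_count(f, target_hash: str) -> int:
    """Return the count stored for target_hash in a hash-ordered list, else 0.

    f is a seekable binary file of 'HASH:COUNT' lines sorted by hash. The search
    bisects on byte offsets, so a multi-gigabyte file is never loaded into memory.
    """
    target = target_hash.upper().encode("ascii")
    f.seek(0, io.SEEK_END)
    lo, hi = 0, f.tell()  # every line starting before lo sorts below target
    while lo < hi:
        mid = (lo + hi) // 2
        f.seek(max(mid - 1, 0))
        if mid:
            f.readline()  # advance to the first line starting at or after mid
        line = f.readline()
        if line and line.split(b":", 1)[0] < target:
            lo = f.tell()  # that line sorts below target: resume after it
        else:
            hi = mid
    f.seek(lo)  # lo is always a line start (or end of file)
    found, _, count = f.readline().strip().partition(b":")
    return int(count) if found == target else 0

def audit(passwords, f):
    """Map each candidate password to its breach count (0 = not in the list)."""
    return {p: breach_count(f, sha1_hex(p)) for p in passwords}

# Constructed sample list; only the count for 'password' comes from the article.
_COUNTS = {"password": 3861493, "letmein": 1200, "Summer2021!": 7}
SAMPLE = "".join(sorted(f"{sha1_hex(p)}:{n}\n" for p, n in _COUNTS.items())).encode()

if __name__ == "__main__":
    candidates = ["password", "Summer2021!", "kV9#constructed-unlisted"]
    print(audit(candidates, io.BytesIO(SAMPLE)))
```

The byte-offset search depends on the hash-ordered download; the prevalence-ordered list would have to be scanned line by line or loaded into an index first.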
Hunt has made Pwned Passwords open source through the .NET Foundation in order to allow this new partnership, and he’s seeking other developers to help establish a ‘Password Ingestion’ API.
This API can be used by the FBI and other law enforcement organizations to feed compromised passwords into the Pwned Passwords database.