Password breach service Have I Been Pwned goes open source

Password breach database Have I Been Pwned (HIBP) has now made its entire codebase open source, as creator Troy Hunt promised back in August.

HIBP is also gaining access to a fresh and continuous cache of breached passwords via the FBI, which has offered to funnel exploited passwords it encounters in its digital crime-fighting efforts directly into the HIBP engine.

HIBP was first launched in 2013 by Hunt, a renowned security expert, and serves as an easy way for anyone to discover whether credentials for their online accounts have emerged in an online data dump. The service now receives some 1 billion requests a month, and numerous third parties leverage the data inside their own apps and websites, including Mozilla’s Firefox browser and 1Password, which last year launched a new data breach report service for its enterprise clients based on HIBP data.

Above: Have I Been Pwned is now open source

People problem

The problem HIBP has been working to solve over the past eight years is one that impacts everyone from online shoppers to multinational corporations. Poor password hygiene is a major driver of security breaches, with 81% of all breaches reportedly caused by compromised passwords. Last year, password management platform Dashlane actually launched a new tool that gives businesses data on the health of their employees’ passwords.

All manner of initiatives have emerged to replace passwords with alternative security mechanisms, such as biometric authentication and two-step verification. But passwords still rule the roost, which is why the HIBP database has proved such a utility for millions of people.

Hunt, who is also a Microsoft Regional Director, elected to open-source HIBP last year following a failed acquisition. He made the decision to push HIBP fully into community ownership because it had grown substantially, thanks to free contributions from people around the world, and become an indispensable source of data breach data for consumers and companies alike. But, as Hunt pointed out at the time, the entire project still hinged on him alone. “If I disappear, HIBP quickly withers and dies,” he said.

Open sourced

This is where the open-sourcing comes into play. “I knew it wouldn’t be easy, but I also knew it was the right thing to do for the longevity of the project,” Hunt wrote in a blog post today.

Given the complexities involved in transforming a one-person project into an open source entity, Hunt has turned to the .NET Foundation, a not-for-profit organization Microsoft established in 2014 to oversee its .NET Framework’s transition to open source.

“There’s a heap of effort involved in picking something up that’s run as a one-person pet project for years and moving it into the public domain,” Hunt wrote. “I had no idea how to manage an open source project, establish the licencing model, coordinate where the community invests effort, take contributions, redesign the release process, and all sorts of other things I’m sure I haven’t even thought of yet.”

HIBP now has its own profile on GitHub, with repositories for an Azure Function and Cloudflare Worker, and it has been released under a permissive BSD 3-Clause License.

The first significant piece of work for HIBP as an open source project will be to develop the functionality needed to ingest credentials the FBI identifies as breached.

“They’ll be fed into the system as they’re made available by the bureau, and obviously that’s both a cadence and a volume which will fluctuate depending on the nature of the investigations they’re involved in,” Hunt wrote. “The important thing is to ensure there’s an ingestion route by which the data can flow into HIBP and be made available to consumers as fast as possible in order to maximize the value it presents. To do that, we’re going to need to write some code.”