Online security is a significant issue these days, and as people rely more on internet services, their libraries of accounts and login credentials also grow.
Unfortunately, it’s practically guaranteed that somewhere along the line, attackers will breach a service you use and expose your passwords, login details and more. There are plenty of tools to help mitigate the threat — password managers, biometric authentication and two-factor authentication (2FA) can all help.
Another popular tool is a website called ‘Have I Been Pwned‘ (HIBP). Made by Troy Hunt, HIBP lets users punch in an email address and see a list of breached accounts attached to that email, as well as details about what data the breach exposed. HIBP launched seven years ago, and now Hunt is taking it open source.
In a blog post, Hunt lays out many of the reasons he plans to take HIBP open source. At the heart of it is that HIBP has always been a community project. But also, many companies use HIBP or something similar to warn people about breaches. Open-sourcing HIBP can help spread it to more places.
Hunt wants to put HIBP in the hands of those who can sustain it
For example, LastPass recently launched a dark web monitoring feature. The Verge reports that LastPass doesn’t use the HIBP database — it checks one hosted by Enzoic instead. However, many services rely on the same ‘k-Anonymity’ API designed by Cloudflare engineering manager Junade Ali to support HIBP.
Now @LastPass has added breached password notifications using the k-Anonymity API design by me and @troyhunt – joining @1Password, Okta PassProtect, Apple, Google, etc. https://t.co/fyOKbZWNNF
— Junade Ali (@IcyApril) August 5, 2020
Since HIBP wants to tell users their password was breached without providing an opportunity for attackers to figure out which passwords those are and make the breach worse, k-Anonymity uses math to make it difficult for attackers to do that. Those curious can read up on all the details here.
Hunt points out that Ali’s k-Anonymity API is one example of the many community contributions that made HIBP what it is. HIBP relies on contributors like Ali who freely give time, code and more.
Plus, Hunt says that open-sourcing HIBP puts the project in the hands of people who can “help sustain the service” no matter what happens to him.
Finally, Hunt notes in the blog post that his decision comes after a failed attempt to get another company to acquire HIBP without compromising on a list of ideals.
Open-sourcing HIBP isn’t happening just yet, however. Hunt doesn’t have a timeline for going open source. Part of the reason is that HIBP’s code is in a messy state, and another part is that Hunt wants to make sure he can keep the databases of breached passwords from falling into the wrong hands.