'Have I Been Pwned' Code Base Now Open Source

Founder Troy Hunt also announces the platform will receive compromised passwords the FBI finds in its investigations.

Have I Been Pwned (HIBP), the free website used by millions to check whether their credentials have been compromised, has open sourced its code base, founder Troy Hunt announced today.

Hunt first mentioned plans to open source the HIBP code base last summer. Now, as requests for the website's Pwned Passwords approach 1 billion per month, he has confirmed it is officially open source via the .NET Foundation, an independent 501(c) nonprofit organization.

There are a few reasons Pwned Passwords works well for the open source model, which is why he decided to start there, Hunt explained in a blog post.

For starters, Pwned Passwords has a simple code base consisting of Azure Storage, a single Azure Function, and a Cloudflare worker. It also has its own domain, Cloudflare account, and Azure services, so it can be picked up and open sourced independently of the rest of HIBP.

Further, he added, it's noncommercial, with none of the API costs or enterprise services that other parts of HIBP have. And finally, the data driving Pwned Passwords is already freely available in the public domain through the downloadable hash sets.

"So, I can proverbially 'lift and shift' Pwned Passwords into open source land in a pretty straightforward fashion which makes it the obvious place to start," Hunt wrote. It's also good timing, he added, because it's now part of many online services, and this ensures anybody can run their own Pwned Passwords instance if they want to. He hopes this will encourage adoption of the service.

Hunt also announced today that HIBP will receive compromised passwords discovered as part of FBI investigations. The website will provide officials with a way to feed the passwords into HIBP and surface them via the Pwned Passwords tool, he explained. These passwords will be provided in SHA-1 and NTLM hash pairs, which aligns with Pwned Passwords' current storage constructs, he added, noting he doesn't need them in plaintext.

Read Hunt's full blog post for more information.
