The FBI Will Feed Hacked Passwords Directly Into Have I Been Pwned (therecord.media)

Australian security researcher Troy Hunt announced today that he granted the US Federal Bureau of Investigation a direct line to upload new content into Have I Been Pwned, a website that indexes data from security breaches. From a report: The HIBP creator said that when the FBI discovers password collections during their investigations, they will upload the data into a section of the site called Pwned Passwords. The FBI will provide passwords as SHA-1 and NTLM hashes, not in plain text. No user personal details will be provided, only the password hashes. The passwords will be added to Pwned Passwords, a collection of more than 613 million leaked passwords. While the main HIBP website allows users to search whether their emails, names, or usernames have been leaked online in past security breaches, Pwned Passwords is a smaller and more specialized component of the HIBP site that tells users whether a password string has ever been leaked online, without attaching the password to any user details.
  • by OzPeter ( 195038 ) on Friday May 28, 2021 @09:04AM (#61431198)

    At this point in time this has got to be one of the world's simplest websites.

    You enter any email address you like, and it simply returns "yes"

    • It's starting to feel that way.

      And it's probably worse than we think. I started getting emails a while back impersonating a tiny credit provider that only does loans for a specific company's purchases, which I did in store and as best I can tell has never been anywhere near an online thing.

      I'm pretty sure the provider is locked down tighter than Fort Knox (it's well known in the industry for it), so the only other place that knew I had an account with the credit provider was the credit provider.

      Ergo the

    • I've now entered into that site almost every email address I've ever used.
      One of my old throwaway addresses was exposed in the XKCD Forums leak. That's all.

    • The funny part is that's true. Because it's not your email address you're handing over. It's your password.

      "Hey you, c'meeer. If you tell me your password, I'll tell you if someone else knows it."

      Yes, my friend, as soon as you hit enter, yes, you've been pwned.

  • Weak cipher - should be at least SHA-256.
  • public servants to do this? Why?
    • This move benefits everybody, if we assume the HIBP service and its collected data are genuine. Identity theft, phishing and social security fraud are HUGE problems. It also shows that HIBP is neither an FBI honeypot nor opportunity for hackers to gather data to improve their odds. So thank you Troy Hunt.

      The work by the public service would be something like 1 hr of junior staff time. They'll get bored and automate it, then it's just a daemon running in the cloud someone checks on once a year.

    • by ShaunC ( 203807 )

      For the same reason we pay public servants to write Security Configuration Guidance documents, post YARA rulesets for malware campaigns, etc. It's a public service. I'd call it progress: in years past, data like this was frequently only circulated to select enterprise partners. This product will be directly accessible to the public.

  • Currently, the only meaningful way to check passwords is when users select theirs. But of course you do _not_ want to send the new ones to a website on the Internet. So far I have been using the list from Kali Linux, but the list here would be a lot better.

  • specialized component of the HIBP site that tells users if a password string has ever been leaked online, without attaching the password to any user details.

    It seems that as the list gets larger the utility declines. Soon enough, any string will match something out there. I'm not seeing the value unless the random string match is connected to my account.

  • those stolen by the FBI themselves. Given the inter-agency rivalry among the 3-letter agencies, they'll probably pass on those stolen by the CIA and NSA.
  • Does that mean, if I type my password into 'Have I Been Pwned', the FBI will get it :]
