With major hacks and data breaches happening almost daily, protecting your online accounts and passwords is as important as ever. You should use strong, unique passwords for each online account you operate and use a password management app to keep track of them all. You should occasionally change passwords, especially those you share with others — like Netflix — and make sure you don’t recycle any. It’s also important to use services like HaveIBeenPwned.com (HIBP) and Google Chrome’s password manager to check whether your accounts were exposed any time a company announces a new data breach, and then change that password to something more secure.
HIBP’s creator Troy Hunt has just announced two major updates for the service, including a partnership that should help secure your online accounts. HIBP has partnered with the FBI, which means the bureau will feed data from breaches into the service, increasing the amount of data available for anyone to check online.
Among other things, HIBP made it possible for Facebook users to see whether their accounts were included in the data-scraping breach that collected personal information from more than 533 million accounts a few years ago. That data became widely available a few months ago, after circulating privately in previous years.
HIBP keeps track of all these hacks in a timely manner, allowing users to see whether the latest hack compromised any of their accounts.
Hunt announced in a blog post a few days ago two major initiatives for HIBP. First of all, HIBP is going open source with the help of the .NET Foundation. This is a significant upgrade for the service, which will allow more people to run similar services in the future, with or without his explicit help:
So, I can proverbially ‘lift and shift’ Pwned Passwords into open source land in a pretty straightforward fashion which makes it the obvious place to start. It’s also great timing because as I said earlier, it’s now an important part of many online services and this move ensures that anybody can run their own Pwned Passwords instance if they so choose. My hope is that this encourages greater adoption of the service both due to the transparency that opening the code base brings with it and the confidence that people can always ‘roll their own’ if they choose. Maybe they don’t want the hosted API dependency, maybe they just want a fallback position should I ever meet an early demise in an unfortunate jet ski accident. This gives people choices.
The second update concerns the FBI’s involvement. The agency is often involved in investigating the latest hacks and data breaches, and its cyber unit keeps track of compromised accounts. Hunt explained that he and the FBI have been discussing a partnership:
[The] FBI reached out and we began a discussion about what it might look like to provide them with an avenue to feed compromised passwords into HIBP and surface them via the Pwned Passwords feature. Their goal here is perfectly aligned with mine and, I dare say, with the goals of most people reading this: to protect people from account takeovers by proactively warning them when their password has been compromised. Feeding these passwords into HIBP gives the FBI the opportunity to do this almost 1 billion times every month. It’s good leverage 🙂 [sic]
The passwords coming from the FBI will not be available in plain text, consistent with how the service already works. They’ll become available to users in the future, depending on how and when the FBI sets up the data flow to HIBP.
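The "not in plain text" property rests on how the public Pwned Passwords API works: a client hashes the password with SHA-1 and sends only the first five hex characters of the hash to the range endpoint, which returns every known suffix in that range with a breach count, so neither the password nor its full hash leaves the client. The following is an added example, not code from HIBP or from Hunt's open-source release; the range response and breach counts are constructed (the first suffix is the real SHA-1 of "password"), and `offline_fetch` stands in for the HTTP call to the range endpoint.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample of what the Pwned Passwords range endpoint returns for the
# 5-character prefix "5BAA6": one "SUFFIX:COUNT" line per leaked hash in that
# range. Counts are made up; the first suffix is the real SHA-1 tail of "password".
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "0123456789ABCDEF0123456789ABCDEF012:2",
        "FEDCBA9876543210FEDCBA9876543210FED:17",
    ]),
}


def sha1_split(password: str) -> Tuple[str, str]:
    """Hash the password and split the hex digest into the 5-char prefix that is
    sent to the server and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count map. Entries with a
    count of 0 are padding the API can add on request and are ignored."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appeared in known breaches, or 0.
    fetch_range receives only the hash prefix, never the password itself."""
    prefix, suffix = sha1_split(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call; serves the constructed sample above."""
    return SAMPLE_RANGES.get(prefix, "")
```

In a real client, `fetch_range` would perform the HTTPS GET against the range endpoint for that prefix; everything else, including the comparison, stays identical.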