Have I Been Pwned — which tells you if passwords were breached — is going open source
These days, we almost take it as a given that piss-poor security will inevitably expose some of your usernames and passwords to the world — that’s why 2FA is so important, and why you might want a password checkup tool like the ones now built into every modern browser (well, Safari is coming soon) so you can quickly replace the ones that were stolen.
But nearly all of those password checkup tools owe something to Troy Hunt’s Have I Been Pwned, which was kind of a novel idea when it first launched 7 years ago — and Hunt is now open-sourcing his website codebase so the idea can spread even further.
While not all password checkup tools actually use Hunt’s database (a just-announced LastPass feature calls on one hosted by Enzoic instead), many of them are apparently based on the same “k-Anonymity” API that Cloudflare engineering manager Junade Ali originally designed to support Have I Been Pwned’s tool.
The important idea here is that you want to be able to tell users that their password has been breached without providing an opportunity for bad actors to figure out which passwords those are and make the breach even worse; k-Anonymity uses math to make it harder for hackers.
But Hunt said last year that he doesn’t want to continue this all by himself, he wants the idea to expand, and after a failed attempt to get another company to acquire HIBP without compromising on a list of ideals, he’s now going to try to open it all up for the community to contribute.
Note, though, that it’s not quite happening yet. Hunt writes that he doesn’t have a timeline for opening it up, partly because it’s in a messy state, and partly because he wants to make sure he can keep the databases of breached passwords themselves from falling into the wrong hands. At this rate, I imagine it’ll happen before we manage to get rid of passwords altogether, but it might be a ways away.
These days, we almost take it as a given that piss-poor security will inevitably expose some of your usernames and passwords to the world — that’s why 2FA is so important, and why you might want a password checkup tool like the ones now built into every modern browser (well,…
Recent Posts
- Google Search is getting a massive upgrade – including letting you search with video
- Google Project Astra hands-on: Full of potential, but it’s going to be a while
- OpenAI chief scientist Ilya Sutskever is officially leaving
- NYT Strands today — hints, answers and spangram for Wednesday, May 15 (game #73)
- Android apps will soon let you use your face to control your cursor
Archives
- May 2024
- April 2024
- March 2024
- February 2024
- January 2024
- December 2023
- November 2023
- October 2023
- September 2023
- August 2023
- July 2023
- June 2023
- May 2023
- April 2023
- March 2023
- February 2023
- January 2023
- December 2022
- November 2022
- October 2022
- September 2022
- August 2022
- July 2022
- June 2022
- May 2022
- April 2022
- March 2022
- February 2022
- January 2022
- December 2021
- November 2021
- October 2021
- September 2021
- August 2021
- July 2021
- June 2021
- May 2021
- April 2021
- March 2021
- February 2021
- January 2021
- December 2020
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- April 2020
- March 2020
- February 2020
- January 2020
- December 2019
- November 2019
- December 2011