
FBI to share compromised passwords with Have I Been Pwned
2021-05-28 04:05

The FBI will soon begin sharing compromised passwords discovered during law enforcement investigations with Have I Been Pwned's 'Pwned Passwords' service.

The Have I Been Pwned data breach notification site includes a service called Pwned Passwords that allows users to search for known compromised passwords.

Today, Have I Been Pwned creator Troy Hunt announced that the FBI would soon be feeding compromised passwords found during law enforcement investigations into the Pwned Passwords service.

"We are excited to be partnering with HIBP on this important project to protect victims of online credential theft. It is another example of how important public/private partnerships are in the fight against cybercrime," - Bryan A. Vorndran, Assistant Director, Cyber Division, FBI.

The FBI will share the passwords as SHA-1 and NTLM hash pairs that can then be searched using the service or downloaded as part of Pwned Passwords' offline list of passwords.

Pwned Passwords allows users to download the compromised passwords as lists of SHA-1 or NTLM hashed passwords, which Windows administrators can use offline to check whether any of them are in use on their network.
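The offline check described above can be sketched as follows. This is an added example, not code from Have I Been Pwned or the FBI. It assumes the hash-ordered SHA-1 download, with one uppercase `HASH:COUNT` entry per line; the function names and the sample list are constructed for illustration.

```python
import hashlib
import io

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password (assumed list format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def lookup_count(stream, target_hash: str) -> int:
    """Binary-search a seekable, hash-sorted 'HASH:COUNT' byte stream.

    Returns the listed count, or 0 when the hash is absent.
    """
    target = target_hash.upper().encode("ascii")
    lo, hi = 0, stream.seek(0, io.SEEK_END)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid > 0:
            # Step back one byte so a line starting exactly at mid is not skipped.
            stream.seek(mid - 1)
            stream.readline()
        else:
            stream.seek(0)
        line = stream.readline()
        if not line:              # ran past the last line
            hi = mid
            continue
        key, _, count = line.strip().partition(b":")
        if key == target:
            return int(count)
        if key < target:
            lo = stream.tell()    # start of the next line
        else:
            hi = mid
    return 0

def build_sample_list() -> io.BytesIO:
    """Constructed sample data: three weak passwords with made-up counts."""
    entries = {sha1_hex(p): n for p, n in
               [("password", 1000), ("123456", 2000), ("qwerty", 500)]}
    body = "".join(f"{h}:{entries[h]}\r\n" for h in sorted(entries))
    return io.BytesIO(body.encode("ascii"))

def audit(candidates, stream):
    """Map each candidate password to its count in the list (0 = not listed)."""
    return {pw: lookup_count(stream, sha1_hex(pw)) for pw in candidates}

if __name__ == "__main__":
    print(audit(["password", "qwerty", "correct horse battery staple"],
                build_sample_list()))
```

Against a real download, pass a file opened in binary mode (`open(path, "rb")`) instead of the in-memory sample; the search reads only a few dozen lines per lookup, so the multi-gigabyte list never has to be loaded into memory.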

NET Foundation and is asking other developers to help create a 'Password Ingestion' API. The FBI and other law enforcement agencies can use this API to feed compromised passwords into the Pwned Passwords database.
