FBI to share compromised passwords with Have I Been Pwned


The FBI will share hashes of stolen passwords it encounters during investigations with Have I Been Pwned, according to security researcher Troy Hunt, the man behind the data breach search engine. The hashes are made available through the search engine's "Pwned Passwords" dataset, which is separate from the normal search feature where users can check whether accounts have been compromised by entering their email address. Pwned Passwords is a collection of password hashes that have been stolen from websites.


Hashes are used so that a database does not have to store passwords in plaintext. When a user registers and provides a password, a hashing algorithm creates a hash of it, and that hash is stored in the database. If a website is compromised and the database stolen, this prevents the attacker from immediately having access to users' passwords, because they have been hashed. Another characteristic of hashes is that a hashing algorithm will always generate the same hash for a given password. Different users choosing the same password will also have the same password hash.


Pwned Passwords has over 613 million password hashes. The dataset can be downloaded as well as searched online and shows, among other things, how often a password occurs in data leaks. In addition, administrators can use the password hashes to see if they match the password hashes in their Active Directory environment. Measures can then be taken, for example having users choose a different password. The FBI will provide both SHA-1 and NTLM hashes of the passwords to Have I Been Pwned. Hunt says he doesn't need the passwords in plaintext.
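
The matching described above works because the same password always yields the same hash. The following is an added example, not code from Have I Been Pwned or the FBI: it checks candidate passwords against a small constructed excerpt, assuming the downloaded SHA-1 file holds one `HASH:COUNT` line per password. The function names, sample passwords and counts are all made up for illustration.

```python
import bisect
import hashlib


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 encoded password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_dataset(lines):
    """Parse 'HASH:COUNT' lines (assumed format) into a sorted list."""
    entries = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        digest, _, count = line.partition(":")
        if len(digest) != 40 or not count.isdigit():
            raise ValueError(f"malformed dataset line: {line!r}")
        entries.append((digest.upper(), int(count)))
    entries.sort()  # sorted order allows binary search on large sets
    return entries


def breach_count(entries, password: str) -> int:
    """How often the password's hash occurs in the dataset (0 if absent)."""
    digest = sha1_hex(password)
    i = bisect.bisect_left(entries, (digest, 0))
    if i < len(entries) and entries[i][0] == digest:
        return entries[i][1]
    return 0


def audit(entries, candidates):
    """Return {password: count} for every candidate found in the dataset."""
    hits = {p: breach_count(entries, p) for p in candidates}
    return {p: n for p, n in hits.items() if n > 0}


# Constructed sample: invented passwords with invented occurrence counts.
SAMPLE_LINES = [
    f"{sha1_hex(p)}:{n}"
    for p, n in [("password", 1000), ("letmein", 250), ("Summer2021!", 3)]
]

if __name__ == "__main__":
    dataset = parse_dataset(SAMPLE_LINES)
    for pw, n in audit(dataset, ["letmein", "x9!unseen", "password"]).items():
        print(f"{pw!r} appears {n} times; require a different password")
```

Only hashes are compared, so the dataset side never needs the plaintext.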
