Nearly all modern password checkup tools owe something to Troy Hunt’s Have I Been Pwned, which was something of a novel idea when it first launched 7 years ago — and Hunt  is now open-sourcing his website codebase so the idea can spread even further.

Nearly all modern password checkup tools owe something to Troy Hunt’s Have I Been Pwned, which was something of a novel idea when it first launched 7 years ago — and Hunt is now open-sourcing his website codebase so the idea can spread even further.

Troy Hunt did a good thing, and hes trying to give it away
Illustration by Alex Castro / The Verge
These days, we almost take it as a given that piss-poor security will inevitably expose some of your usernames and passwords to the world thats why 2FA is so important, and why you might want a password checkup tool like the ones now built into every modern browser (well, Safari is coming soon) so you can quickly replace the ones that were stolen.
But nearly all of those password checkup tools owe something to Troy Hunts Have I Been Pwned, which was kind of a novel idea when it first launched 7 years ago and Hunt is now open-sourcing his website codebase so the idea can spread even further.
While not all password checkup tools actually use Hunts database (a just-announced LastPass feature calls on one hosted by Enzoic instead), many of them are apparently based on the same k-Anonymity API that Cloudflare engineering manager Junade Ali originally designed to support Have I Been Pwneds tool.
The important idea here is that you want to be able to tell users that their password has been breached without providing an opportunity for bad actors to figure out which passwords those are and make the breach even worse; k-Anonymity uses math to make it harder for hackers.
But Hunt said last year that he doesnt want to continue this all by himself, he wants the idea to expand, and after a failed attempt to get another company to acquire HIBP without compromising on a list of ideals, hes now going to try to open it all up for the community to contribute.
Note, though, that its not quite happening yet. Hunt writes that he doesnt have a timeline for opening it up, partly because its in a messy state, and partly because he wants to make sure he can keep the databases of breached passwords themselves from falling into the wrong hands. At this rate, I imagine itll happen before we manage to get rid of passwords altogether, but it might be a ways away.

Share