Skip to main content

Have I Been Pwned — which tells you if passwords were breached — is going open source

Have I Been Pwned — which tells you if passwords were breached — is going open source


Troy Hunt did a good thing, and he’s trying to give it away

Share this story

An image showing a lock made up of binary code
Illustration by Alex Castro / The Verge

These days, we almost take it as a given that piss-poor security will inevitably expose some of your usernames and passwords to the world — that’s why 2FA is so important, and why you might want a password checkup tool like the ones now built into every modern browser (well, Safari is coming soon) so you can quickly replace the ones that were stolen.

But nearly all of those password checkup tools owe something to Troy Hunt’s Have I Been Pwned, which was kind of a novel idea when it first launched 7 years ago — and Hunt is now open-sourcing his website codebase so the idea can spread even further.

While not all password checkup tools actually use Hunt’s database (a just-announced LastPass feature calls on one hosted by Enzoic instead), many of them are apparently based on the same “k-Anonymity” API that Cloudflare engineering manager Junade Ali originally designed to support Have I Been Pwned’s tool.

The important idea here is that you want to be able to tell users that their password has been breached without providing an opportunity for bad actors to figure out which passwords those are and make the breach even worse; k-Anonymity uses math to make it harder for hackers.

But Hunt said last year that he doesn’t want to continue this all by himself, he wants the idea to expand, and after a failed attempt to get another company to acquire HIBP without compromising on a list of ideals, he’s now going to try to open it all up for the community to contribute.

Note, though, that it’s not quite happening yet. Hunt writes that he doesn’t have a timeline for opening it up, partly because it’s in a messy state, and partly because he wants to make sure he can keep the databases of breached passwords themselves from falling into the wrong hands. At this rate, I imagine it’ll happen before we manage to get rid of passwords altogether, but it might be a ways away.