FBI to Share Compromised Passwords with Have I Been Pwned

Troy Hunt, creator of the website Have I Been Pwned (HIBP), announced that the FBI will soon share compromised passwords with HIBP’s “Pwned Passwords” service. The passwords the FBI will be sharing are those obtained through law enforcement investigations. The HIBP data breach notification site includes a service that allows users to search for known compromised passwords. The goal is to further protect people from account takeovers by proactively warning them when a password has been compromised. According to Hunt, the passwords will be provided to HIBP as SHA-1 and NTLM hash pairs, which aligns well with how Pwned Passwords already stores its data.
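As an added illustration (not code from the article or from HIBP), the block below shows how a client can check a password against a SHA-1 corpus such as Pwned Passwords without ever sending the password or its full hash: only the first five hex characters of the SHA-1 leave the client, and the remaining 35 are matched locally against the returned list. The range lookup here is an offline stand-in over constructed sample data; the live service answers the same line format at https://api.pwnedpasswords.com/range/{prefix}.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample data for the offline demo: passwords and made-up breach
# counts used to fabricate a "range" response. These are NOT HIBP figures.
CONSTRUCTED_BREACHED = {"password": 3_861_493, "letmein": 234_567, "Winter2021!": 12}


def sha1_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hexdigest: str) -> Tuple[str, str]:
    """k-anonymity split: the 5-char prefix is sent, the 35-char suffix stays local."""
    return hexdigest[:5], hexdigest[5:]


def fake_range_lookup(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Returns one 'SUFFIX:COUNT' line for every constructed hash sharing the prefix."""
    lines = []
    for pw, count in CONSTRUCTED_BREACHED.items():
        p, suffix = split_hash(sha1_hex(pw))
        if p == prefix:
            lines.append(f"{suffix}:{count}")
    return "\r\n".join(lines)


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a suffix -> count map (blank lines ignored)."""
    result: Dict[str, int] = {}
    for line in body.splitlines():
        if not line.strip():
            continue
        suffix, _, count = line.partition(":")
        result[suffix.strip().upper()] = int(count)
    return result


def pwned_count(password: str, lookup: Callable[[str], str] = fake_range_lookup) -> int:
    """How many times the password appears in the range data; 0 means not found.
    The full hash is only ever compared on the client side."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(lookup(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(f"{candidate!r}: seen {pwned_count(candidate)} times")
```

The NTLM variant of the dataset is built the same way, except the password is encoded as UTF-16LE and hashed with MD4; swapping `sha1_hex` for such a function is the only change needed.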

Analyst Notes

HIBP provides a free service to the public to check whether emails or passwords have been compromised. Reusing passwords is common practice among many users, but it is extremely risky. Threat actors use lists of stolen credentials to attempt to breach other accounts, a practice called credential stuffing. Users can protect themselves from credential stuffing attacks by using Multi-Factor Authentication (MFA) and a unique password on every site. Even if passwords are reused on other sites, MFA can help prevent account takeover on those sites that support it, and a password manager that creates strong, random passwords, paired with MFA wherever possible, is an easy-to-use and highly effective combination for protecting access. While these preventative measures won’t stop breaches, they make it much harder for an individual to fall victim to a credential stuffing attack.