There have been plenty of data breach cases where a large amount of personal information including passwords, usernames, and email addresses have been compromised. The stolen data is often leaked online, resulting in an enormous stash of stolen credentials. But, a website that goes by Have I Been Pwned (HIBP) is coming to the rescue by making that data publicly available, so that the companies that require any sort of sign-in information from users can match the entered passwords with those in the collection, and thereupon warn users if they have been compromised before.
Troy Hunt, the mastermind behind HIBP, has revealed over 320 million passwords in his blog to help the companies secure their online network. These passwords have been aggregated from several data breaches that happened overtime, and are now available to everyone on HIBP website. However, Hunt says that the ‘pwned-passwords’ that are publicly available on his website do not disclose the email addresses and usernames that they were associated with. The website Have I Been Pwned, or HIBP, generally lets users see if their email addresses have been breached without revealing the passwords, but Hunt has created the inverse of the concept this time, in an effort to intimate Internet users and companies about passwords that can be easily hacked.
The sole motive behind HIBP’s new password service is to supply different companies about the compromised passwords, so that when any user tries to enter anything that matches they will be warned by the company to use a more secure password instead. Alternatively, since the HIBP website is open for all, any user can voluntarily go to the website and check if the password they’ve been thinking to use has not been already breached. Nevertheless, Hunt advises such users to be cautious before checking any passwords that they currently use. “The point of the web-based service is so that people who have been guilty of using sloppy passwords have a means of independent verification that it’s not one they should no longer be using,” he notes in his blog.
While this service can be more securely accessed over an Internet connection, Hunt has also made the entire collection of passwords that is almost 5.3GB in size available for offline download through a ZIP file.
Since its inception, this concept of this service has been asserted positively by institutions like National Institute of Standards and Technology (NIST) and the UK’s National Cyber Security Centre, which agree with Hunt’s ideology that compromised passwords should not be brought into use again by any user.