The Federal Bureau of Investigation (FBI) will now help you keep tabs on your online passwords – to make sure they haven’t fallen into the wrong hands. The US domestic agency is tipped to begin sharing compromised passwords with the popular service Have I Been Pwned.
For those who don’t know, Have I Been Pwned is a free service that lets users check whether their online accounts have been compromised. Putting in an email address, personal phone number or password checks it against records of compromised data freely available on the Dark Web, hacker forums, and other sources. If the service flags that any of your details have leaked, it’s a good indication that hackers are already in possession of them.
Worse still, if you use the same email address and password combination for more than one online account, you could be leaving a multitude of logins open to hackers. Social media, email inboxes, online banking, and more could all be exposed.
A number of popular password managers, including the excellent 1Password, leverage Have I Been Pwned’s unmatched database to alert users when one of their passwords or login credentials has been made available to hackers. With the FBI now contributing its breadth of knowledge about leaked passwords to keep users safe, the service could be about to become even more useful. Have I Been Pwned creator Troy Hunt announced that compromised passwords found during FBI investigations will be added to the database.
Assistant Director of the FBI Cyber Division, Bryan A. Vorndran, confirmed the move, stating: “We are excited to be partnering with HIBP on this important project to protect victims of online credential theft. It is another example of how important public/private partnerships are in the fight against cybercrime.”
Troy Hunt’s service also enables users to download a complete list of all compromised passwords as lists of SHA-1 or NTLM hashed passwords. These can be used offline, enabling Windows 10 administrators to check whether any of these passwords are being used on their network. That way, employees can be alerted when they’re using a password for their company login that is already compromised and available to hackers – without asking them to constantly check the Have I Been Pwned website.
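As an added illustration of the offline use described above (not code from Have I Been Pwned or from the original article), the sketch below binary-searches a downloaded SHA-1 list without loading it into memory. It assumes the hash-ordered download with one `SHA1HEX:count` entry per line; the function names and the sample data are constructed for this example, and the NTLM list is not covered.

```python
import hashlib
import io

def sha1_hex(password: str) -> bytes:
    """Uppercase hex SHA-1 of the UTF-8 password, as bytes for comparison."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper().encode("ascii")

def pwned_count(fh, password: str) -> int:
    """Binary-search a hash-ordered 'SHA1:count' file opened in binary mode.

    Returns the recorded count, or 0 if the hash is not in the list.
    """
    target = sha1_hex(password)
    lo, hi = 0, fh.seek(0, io.SEEK_END)   # search window in byte offsets
    while lo < hi:
        mid = (lo + hi) // 2
        fh.seek(mid)
        if mid:
            fh.readline()                 # discard the partial line we landed in
        line = fh.readline()
        if not line:                      # ran off the end: look earlier
            hi = mid
            continue
        digest, _, count = line.strip().partition(b":")
        digest = digest.upper()
        if digest == target:
            return int(count)
        if digest < target:
            lo = mid + 1
        else:
            hi = mid
    return 0

def compromised(fh, candidates):
    """Return {password: count} for every candidate found in the list."""
    hits = {p: pwned_count(fh, p) for p in candidates}
    return {p: n for p, n in hits.items() if n}

# Constructed sample data: counts are made up, hashes are computed here.
# A real run would pass open("<downloaded list>", "rb") instead.
SAMPLE_COUNTS = {"password": 5, "123456": 9, "letmein": 2, "qwerty": 7}
SAMPLE_FILE = io.BytesIO(b"".join(sorted(
    sha1_hex(p) + b":" + str(n).encode() + b"\r\n" for p, n in SAMPLE_COUNTS.items())))

if __name__ == "__main__":
    print(compromised(SAMPLE_FILE, ["letmein", "qwerty", "T9#vq-unlisted-example"]))
```

Because the lookup happens against a local file, candidate passwords never leave the machine running the check.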
Whether other law enforcement agencies, including those in the UK, will use the API to feed compromised passwords into the database remains to be seen.