Have I Been Pwned, the site that tells you if passwords were breached, is going open source
The website codebase has been open sourced so as the idea behind Have I Been Pwned can spread further.
Security on websites and apps are so poor these days that we have come to expect that some of our usernames and passwords will be exposed to the world, somehow. That's exactly why two-factor authentication (2FA) is so vital these days as are password check-up tools built into browsers so as users are warned and can quickly replaced what has been compromised.
Nearly all of these password check-up tools have something or the other to do with Troy Hunt's Have I Been Pwned.
Have I Been Pwned is a website that tells you if any of your passwords have been compromised and it was a novel idea when it was launched seven years ago. Now, Hunt is open-sourcing his website codebase so the idea can proliferate further.
Not all password check-up tools use Hunt's database though. Many of them are based on the “k-Anonimity” API that Junade Ali, Cloudfare's engineering manager, originally designed to support the I Have Been Pwned tool.
The main idea here is to be able to tell users that their passwords have been compromised without providing bad actors a chance to figure out which passwords those are and thereby making the breach worse. k-Anonymity actually uses math to make it harder for hackers.
Hunt said last year that he does not want to continue this all by himself and also wants the idea to expand. He tried to get another company to acquire Have I Been Pwned but that attempt failed and now he is going to try and open it up for the community to contribute.
However, Have I Been Pwned's source code is not going open source right now. There is no timeline in place yet since, as Hunt writes, he wants to make sure he can keep the databases of breached passwords from falling into the wrong hands first before anything else.