"Have I Been Pwned" Is Going Open Source

If you’ve never heard of “Have I Been Pwned,” you’re playing a risky game being on the internet right now. The website, which launched in 2013, exists to serve one simple purpose. Without scraping data or storing information, it allows web users to determine if their passwords have ever been compromised. All you need to do is type in any of the (hopefully many different) passwords you use on a regular basis, and it checks the password against a least that’s been compiled from leaked or stolen data. If there’s a match, it suggests you change your password. If you’ve never checked, that should be the first thing you do right now. Go ahead. We’ll wait.

Now that you’re back (and possibly worried by what you’ve discovered), you might be wondering how and why your passwords have been compromised. You are, after all, just a regular internet user like millions of others. What makes your data valuable, or worth stealing? The simple and somewhat disappointing answer to that question is ‘nothing.’ Stealing passwords is like playing online slots for the people who do it. They achieve success through repetition and repeating the same action over and over, the same way that someone playing online slots at a website does. Eventually, one of the accounts they compromise will be worth something, and that’s when they make their money. If you are an online slots player, by the way, your passwords for your online slots account are among the first you should check. Someone else might be playing with your money.

In the seven years since the website launched - the sole work of a man named Troy Hunt - it's become an invaluable service used by thousands of people every single day. It's collected more than ten billion passwords stolen or leaked across the internet and has evolved over time to work as a plugin for web browsers and other services, pro-actively letting users know that the password they're using has been compromised every time they type it in anywhere. It's now a monolith, and one that's becoming increasingly difficult to sustain and manage for Hunt, who remains the only ‘employee’ of the website, and the only person responsible for operating the service. In 2019 he decided enough was enough, and he could no longer cope with the demands that the website was placing on him. He placed his creation up for sale and agreed to a deal with an unnamed investor. The sale fell through at the last minute, and rather than starting again from scratch, Hunt has now decided that it's time to go another way with his website.

He no longer wishes to relinquish control of his creation - a decision that's probably been made easier to make because of the increasingly large revenues the website generates - but he does concede that he's going to need some help from elsewhere to keep it going. As it stands, if Hunt were to die suddenly, the website would eventually break down without anyone maintaining or repairing it. He can't allow that to happen, and so he's taken the surprising step of opening the source code up and allowing other people to have access to it. He hopes that in doing so, he'll give the website and the service a long term sustainable future. He also hopes that new users might come up with ideas about where "Have I Been Pwned" could go that he hasn't thought of and perhaps even help him fix some minor bugs that he's never been able to resolve.

While the decision to open up the source code of the website has already been made and is final, Hunt is in no rush to go about the process. Rather than opening everything up at once, he plans to release things one stage at a time, gradually working his way toward a point of total openness. Security will be at the forefront of his mind at all stages of the process, as there are obvious pitfalls in opening up data and information that includes email addresses and passwords for millions of people and accounts - many of which may still be compromised without the owner's knowledge. Although he hasn't said so directly, it seems likely that access to some of the core information will be strictly limited even if the source code becomes publicly available. It might be the case that Hunt has to personally vet the identity and background if anyone who, for whatever reason, requires access to that core information in order to go about the work that they want to carry out.

In all of his years collecting and curating data for the website, Hunt has identified several worrying trends in relation to internet users and their data. Chief among them is that despite repeated warnings, many individuals still use the same password for multiple different accounts, and so when one of those accounts is compromised, all of the others follow suit. Even more amazingly, there are over three and a half million instances of the word "Password" being used as a password within the database. "123456" is almost eight times more prevalent, turning up twenty-three and a half million times in Hunt's records. People's dates of birth, surnames, or address details frequently turn up as passwords as well. It appears that for all we've learned and been told about how to operate safely and securely on the internet in the past, there's a significant number of people who either aren't listening or are unwilling to change their ways.

If you'd be interested in getting involved in the future of the open-sourced "Have I Been Pwned" website, you'll find further detail on the website itself, including a full written statement from Troy Hunt. There are also forums available at the site in which you can discuss collaborative projects, or stay up to date with the progress of the open-source project as it happens. If you don't want to get involved with all of that, it's still worth your time to visit the website anyway and confirm that your passwords aren't available in the public domain.