Security Researcher Troy Hunt is Open Sourcing the Have I Been Pwned Code Base (troyhunt.com)
Security researcher Troy Hunt: Let me just cut straight to it: I'm going to open source the Have I Been Pwned code base. The decision has been a while coming and it took a failed M&A process to get here, but the code will be turned over to the public for the betterment of the project and frankly, for the betterment of everyone who uses it. Let me explain why and how.
Early leak (Score:4, Funny)
It's just a static page that says "Yes you've been pwned"
Re: (Score:2)
What an awesome name for a project. pwned is noob script kiddie speak.
Re:Early leak (Score:4, Funny)
It's just a static page that says "Yes you've been pwned"
Years ago (20 is a number) our boss was looking to buy a virus scanner product to alert the users if they had a virus. I offered to write it, for free -- to wit:
Virscan.bat:
@echo off
echo off
%ECHO_ON%
echo You have a virus!
:exit
She was not amused. (Actually she was, but we still bought McAfee.)
That was back in the days when I collected and stored viruses on floppies ... and I ended up with 2 entire bins of them. I basically treated the company as my own personal virus magnet.
Of course, I also wrote my own, but for some reason it didn't get much traction:
Virus.bat:
@echo off
echo off
%ECHO_ON%
copy virus.bat c:\
echo c:\virus.bat >> c:\autoexec.bat
echo Please insert a floppy and hit Enter.
pause
copy c:\virus.bat a:\
echo You have been infected.
echo Please remove the floppy, hand it to your neighbor, and have them run A:\Virus at their earliest convenience.
echo Thank you.
:exit
Re: (Score:2)
Minimum viable feature. Push it
broken link in summary (Score:2)
The link in the summary is broken
Re: (Score:1)
A good slashdot summary... (Score:3)
A good Slashdot summary should have enough information for us to determine if we should read it or not. Not leave us hanging with some vague YouTube thumbnail starter.
Re: (Score:3)
You must be new to /. because we haven't had that for YEARS. These days we get at best poorly worded summaries and typically just plain misleading AND poorly worded.
Re: (Score:2)
I was going to say how low my User ID is compared to yours. But you have a much lower one than I. So yes, I am still considered new here.
Transparency, share the work, Troy single failure (Score:4, Interesting)
Here is more information. Right now, the HIBP team is Troy. (Plus the people who send him data). If Troy gets hit by a bus, the service goes away. That's not good.
He has selected someone to head it up, but it would be awfully hard for that one person to suddenly take over. HIBP now has APIs used by popular password managers and I think Firefox, so there is a lot of processing load and there is work to be done to support scaling. It's not just a MySQL database and a PHP script to submit a search, sitting on a server somewhere.
People submit information to HIBP, including submitting their email addresses to search to see if their passwords have been leaked. We trust Troy isn't harvesting those email addresses for a marketing list or anything like that. There are various elements of "we just have to trust Troy". Seeing the code makes it easier to trust. (Not that he couldn't secretly run a modified code base, but transparency helps).
It's also just too much work for one guy and he's *starting* to get a little burned out. Not that he's leaving any time soon, but he doesn't want to be the only person who can do any of the work, forever.
I've been programming in the security space for 20 years, and constantly studying my craft for those 20 years. I'm qualified to help, I'm willing to help, but HIBP isn't set up to allow me to help.
For these reasons, he and a couple of trusted helpers are cleaning up his years of code to get it suitable for public release and maintenance.
Re:Better link for original article (Score:4, Informative)
URL code didn't like the previous link
https://www.troyhunt.com/im-open-sourcing-the-have-i-been-pwned-code-base/ [troyhunt.com]
Troy Hunt (Score:2)
*tips hat* We salute you.
Let me explain why and how. (Score:1)
The worst kind of click bait! Die! Die! Die!
More annoying than useful (Score:4, Insightful)
I hate to say it, but almost all of these sites/systems end up being far more annoying than useful. Why? Almost all the time, their alerts simply are not actionable. At best, they'll tell you that your username/email was included in a breach and often identify the breach itself by some nebulous data cache name that means nothing to you.
They almost never tell you which site was actually breached, nor do they ever give you any hints as to what password was actually compromised.
So really, when I show up in one of these alerts, I'm always asking myself:
- Was this a recent breach, or a redundant alert from something I dealt with months ago?
- What account do I actually need to update, if any, to be safe from this alert?
These questions almost never seem to be answered. As someone who uses a password manager and a different random password for every site, there's no way I'm going to proactively hunt down and change every single entry in its DB when I get the "alert of the week."
(FWIW, I once worked somewhere that somehow had access to a far better version of this data than they'll ever let the public get access to. That data actually did generate alerts that were actionable. I only wish I had a way to get useful alerts like that as a private individual.)
Check the site for the breach name (link) (Score:2)
I can absolutely relate. I handle HIBP notifications for several thousand users, and there is indeed a step in between getting the notification and taking action.
The alert should give the name of the breach. Check this page for the "missing information" you mentioned:
https://haveibeenpwned.com/Pwn... [haveibeenpwned.com]
That will tell you which information was leaked, from where.
Re: (Score:2)
The "name of the breach" is always the name of some aggregation of data or some backend service I've never heard of. It is almost never the name of an actual site I recognize or knowingly have an account with. Thus it's useless and unactionable information.
That's what the link is for. Ctrl-f (Score:2)
Click the link I gave you.
Press ctrl-f.
Enter the breach name. Click go.
There's the name of the site, what information was taken, etc.
Re: (Score:2)
So there is that at least.
But yeah, outside of that I could understand the frustration.
Re: (Score:2)
I could see how that is tough if 1) it isn't your own domain and 2) you re-use passwords and stuff.
Since we don't, this is still ve
Re: (Score:2)
> . And there is no way to know if it was the email address itself, or the password that was breached.
This page tells you what information was in each breach.
https://haveibeenpwned.com/Pwn... [haveibeenpwned.com]
Re: (Score:2)
Knowing the username/email involved in a breach is also useless and unactionable information. That's a piece of information that is essentially common to 90% of my accounts.
Unless I can actually find out the breached password (or a searchable fragment thereof) or the name of the actual site I knowingly have an account with, this information does me absolutely no good.