Have I Been Pwned collaborates with FBI to collect a large number of stolen passwords


Have I Been Pwned, a website that allows users to check whether their emails and passwords have been exposed in a data breach (and if so, how many times), has partnered with the U.S. Federal Bureau of Investigation to add leaked credentials to its database in a more timely manner. The site is also being made open source.

The HIBP site is an Internet gem. Troy Hunt, a web security consultant and member of Microsoft's Regional Director Program (he is not a Microsoft employee), was inspired to launch the service after Adobe suffered a security breach in 2013 that exposed the login credentials of 150 million accounts.

HIBP has two components, one for emails and one for passwords. The records of the more than 154 million accounts that were compromised reside in Windows Azure table storage, where users can look them up individually. Despite how that sounds, passwords are not stored alongside personally identifiable information (such as emails) and are held only as SHA-1 (Secure Hash Algorithm 1) hashes.

In a blog post, Hunt explained that the FBI contacted him about creating a way to feed compromised passwords directly into HIBP. According to Hunt, the FBI's goal is "perfectly aligned" with his own goal of proactively alerting people when their accounts have been compromised (users can voluntarily sign up to be notified when a breach involving their email address is detected), and the two are now working together to make this happen. According to Hunt, the FBI sends compromised passwords to this service nearly one billion times each month.

"We are pleased to partner with HIBP on this important project to protect victims of online credential theft. This is another example of how important public-private partnerships are in the fight against cybercrime," said Bryan A. Vorndran, Deputy Director of the FBI Cyber Division.

The passwords that the FBI enters directly into the HIBP are not in plain text, but are entered into the HIBP as SHA-1 and NTLM hash pairs. The key here, however, is for users to be alerted more quickly if and when their accounts are compromised in a data breach.

"Such information is taken into the system as it is provided by the bureau, and obviously there is both a constant pace and volume that varies depending on the nature of the investigation the bureau is involved in," says Hunt. "The key is to ensure that the data flows into the HIBP and that the intake channels are available to consumers as quickly as possible to maximize its value."

Collaborating on direct feeds is the next logical step: the FBI recently provided Hunt with more than 4.3 million compromised e-mail addresses it obtained when it took down the Emotet botnet in January. Creating a direct line means that the FBI will be able to do this sort of thing more quickly in the future.

Hunt also announced that HIBP is now open source through the .NET Foundation. He said this is the right move for the longevity of the project and ensures a more sustainable future, rather than leaving the service dependent solely on him. It is also important for transparency purposes.

"Releasing the code goes a long way toward addressing concerns people have about the way the service operates. For example, people often wonder if I am recording searches to build a new list of email addresses," Hunt explained in a previous blog post. "No, I am not, but for now, that assertion effectively boils down to 'trust me.' Showing the code (the actual code) and proving that it is not logged is a completely different proposition."

Both of these are welcome announcements and ensure that HIBP will remain a relevant and useful service for a long time to come.
