While Have I Been Pwned (HIBP) is publishing its Pwned Passwords codebase on GitHub, the data that powers Pwned Passwords is already in the public domain via the downloadable hash sets. There is also a promise to open source the codebase for monitoring email addresses and phone numbers in data breaches in the near future.
Troy Hunt, the creator of Have I Been Pwned, decided to make the entire project open source last year, and it is still something that will take some time.
What does Open Sourcing Pwned Passwords actually mean?
Pwned Passwords going open source is a straightforward move: it means anybody can run their own Pwned Passwords instance if they so choose.
It should also encourage greater adoption of the service, both through the confidence that people can "roll their own" if they choose and through the transparency that opening the codebase brings with it. And as Pwned Passwords is entirely non-commercial, without the Enterprise services or API costs of other parts of HIBP, it needs community effort to thrive.
The .NET Foundation has taken on responsibility for managing the open source project: establishing the licensing model, coordinating where the community invests effort, redesigning the release process and taking contributions. Above all, what Pwned Passwords needs to be successful is a way of aggregating fresh passwords as they become compromised, and this is where the FBI comes in, since the FBI is involved in all manner of digital investigations.
What does the FBI bring to the open-sourced Pwned Passwords?
The FBI plays a major role in combating bad actors, from ransomware to child abuse to terrorism, and in the course of its investigations it is bound to come across compromised passwords.
So the FBI is being given an avenue to feed compromised passwords into HIBP and surface them via the Pwned Passwords feature. The passwords will be provided as SHA-1 and NTLM hash pairs, never in plain text, which aligns perfectly with the current storage constructs in Pwned Passwords.
The overall goal here is to protect people from account takeovers by proactively warning them when their password has been compromised.
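As an added example (not code from HIBP or Troy Hunt), the following shows the two constructs the article mentions: the SHA-1/NTLM hash pair a password is submitted and stored as, and a lookup of a password against the "HASH:COUNT" lines of a downloaded SHA-1 hash set, the way someone "rolling their own" instance would check it. The sample hash-set lines and their counts are constructed for this example, and MD4 is implemented inline because NTLM is MD4 over the UTF-16LE password and many OpenSSL builds disable MD4 in `hashlib`.

```python
import hashlib
import struct

# Constructed sample of the "HASH:COUNT" lines in the downloadable SHA-1 hash
# set (the counts are made up for this example, not real Pwned Passwords data).
SAMPLE_SHA1_SET = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
7C4A8D09CA3762AF61E59520943DC26494F8941B:123456
"""
MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's MD4 is often disabled by OpenSSL."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda v, s: ((v << s) | (v >> (32 - s))) & MASK
    msg = data + b"\x80"  # padding: one 1 bit, zeros, then 64-bit bit length
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    order3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):  # three rounds of 16 steps, each with its own word order
            if i < 16:
                f, k, s = F(b, c, d), i, (3, 7, 11, 19)[i % 4]
            elif i < 32:
                f, k, s = G(b, c, d) + 0x5A827999, (i % 4) * 4 + (i // 4) % 4, (3, 5, 9, 13)[i % 4]
            else:
                f, k, s = H(b, c, d) + 0x6ED9EBA1, order3[i - 32], (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, rol((a + f + X[k]) & MASK, s), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)

def hash_pair(password: str):
    """Upper-case hex (SHA-1, NTLM) of a password: the pair Pwned Passwords stores."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    ntlm = md4(password.encode("utf-16-le")).hex().upper()  # NTLM = MD4(UTF-16LE)
    return sha1, ntlm

def load_hash_set(text: str):
    """Parse HASH:COUNT lines from a downloaded hash set into {hash: count}."""
    return {h.upper(): int(n) for h, n in
            (line.strip().split(":", 1) for line in text.splitlines() if ":" in line)}

def pwned_count(password: str, table) -> int:
    """Times the password's SHA-1 appears in the local set; 0 means never seen."""
    return table.get(hash_pair(password)[0], 0)
```

Against a real download the file is far too large for a dict; the same lookup is done by binary search over the sorted file, but the line format and the hash pair are the same.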