HIBP – Code Base now becomes Open Source

HIBP – Code Base now becomes Open Source

The well-known website have i been pwned (HIBP) is now becoming open source. On this website people can check if an email address has been in a public data theft. Founder Troy Hunt announced on his personal blog in early August that the code that lies within this project will be published step by step.

HIBP should not be forgotten

Troy Hunt refers in his blog post to a Twitter post by Junade Ali. This post explains that the password manager Last Pass now uses an API interface to automatically notify users when a used account is involved in a data theft.


The k-anonymity mentioned in the Twitter post above is an idea Junade has implemented Pwned passwords for according to Troy Hunt, for whom HIBP Pwned has implemented passwords. This part of the program is now also used in other apps and programs, some of which are open source.

Troy Hunt now sees the only logical step in making the code base of HIBP open source. This step would go hand in hand with the philosophy of HIBP, because until now HIBP was supposed to help the community, from now on the community is supposed to help HIBP.

Troy Hunt says one reason for this step is that he gets a lot of good ideas for the HIBP project, but he can’t do it alone. In order for HIBP to continue to be used, it must implement new ideas and features, and Troy Hunt can’t do that without making the project open source. This allows anyone who has an idea to implement it on their own and develop more ideas with the community.

Another reason that was mentioned is that HIBP was already open source for the most part. There are 128 blog posts on the website of Troy Hunt that deal solely with the functioning of the website. By releasing the code base, Troy Hunt wants to show that he didn’t hide anything or use a “secret sauce”.

In summary, Troy Hunt says that more and more Open Source is becoming and supports this step of development. HIBP is a project that fits the open source mentality, so this is the only logical step.

HIBP search
Whether Troy Hunt will log the input will be seen when the code base is released.

It is still a long way until HIBP is Open Source

The goal that HIBP becomes completely open source is clearly set and is now being tried to achieve. Troy Hunt writes, however, that this step cannot be taken overnight. This is because the software is simply not ready to be released completely. The development of HIBP 2013 has started in the Philippines. In the past 7 years Troy Hunt has programmed this website almost alone.

Every developer knows that a program that is only maintained by one person contains many things that are not suitable for a public project. These include comments that contain sensitive information, but also features that are not used at all, etc. If you are the only programmer, you can live well with such “bugs”, but before the project is published, these bugs should be removed.

In order for this to happen as quickly as possible, Troy Hunt has enlisted the help of colleagues who are experts in various fields and have experience with open source projects.

Photo of author

Chris Wojzechowski

Mein Name ist Chris Wojzechowski und ich habe vor wenigen Jahren meinen Master in Internet-Sicherheit in Gelsenkirchen studiert. Ich bin geschäftsführender Gesellschafter der AWARE7 GmbH und ausgebildeter IT-Risk Manager, IT-Grundschutz Praktiker (TÜV) und besitze die Prüfverfahrenskompetenz für § 8a BSIG. Unser Brot und Buttergeschäft ist die Durchführung von Penetrationstests. Wir setzen uns darüber hinaus für ein breites Verständnis für IT-Sicherheit in Europa ein und bieten aus diesem Grund den Großteil unserer Produkte kostenfrei an.