Ever notice how there was a massive gap of almost 9 months between announcing the intention to start open sourcing Have I Been Pwned (HIBP) in August last year and then finally a couple of weeks ago, actually taking the first step with Pwned Passwords? Many people certainly noticed the time because I kept getting asked when it was actually going to happen. With the best of intentions, people wondered why I hadn't just done it already because hey, this was going to make my life easier, right? Uh, no.

Along with a heap of other moving parts I needed to get on top of before starting to open up code, one thing that kept me up at night was how I'd coordinate the community and the time commitment it would require. How much code would I be reviewing? How would I align people around building out features? How would I find time to modernise the deployment model? I'll be honest - I was worried how much additional work this would create - but that hasn't ever stopped me in the past 😊

My hope was that there would be those in the community that really picked this project up with gusto and didn't just contribute code but would also want to play a more active role in driving Pwned Passwords towards the vision I had for the project. I was pretty excited when I saw PRs coming in right after launching that last blog post. Code enhancements. Tests. Framework updates. New features. It was all there! I'd kinda expected all that if things went well, but what exceeded my expectations was the code review of other people's code, primarily the reviews done by my friend Stefán Jökull Sigurðarson. Which is why I've asked him to help me out a bit more.

I'll back up a little: I've known Stefán for years, primarily via the work he's done integrating Pwned Passwords into the massively popular game, EVE Online. You see, Stefán works for CCP Games in Reykjavík and he was instrumental in making them the first major consumer of Pwned Passwords using the k-anonymity model more than 3 years ago now:

WIP: Helping our @EveOnline players to be aware if their passwords are on a list of known compromised passwords. Thanks @haveibeenpwned ! CC: @troyhunt #tweetfleet #security #workinprogress pic.twitter.com/miovu6g25q

— Stefán Jökull Sigurðarson - CCP Ghostrider (@stebets) April 27, 2018

This was great work and Stefán very generously shared a heap of information about the things they learned from blocking the world's worst passwords in various blog posts. He also became a speaker at several NDC events around the world (remember when we used to go around the world?), a conference series I've had a very long, close affinity with:

Want to protect your accounts like @EveOnline does? Check out @stebets talk from @NDC_Conferences about how they use @haveibeenpwned’s Pwned Passwords: pic.twitter.com/9XJ6HJltcO

— Troy Hunt (@troyhunt) November 8, 2019

And finally, in recognition of his many community contributions, Stefán received his first Microsoft MVP award in November:

Honored and humbled to receive my first Microsoft MVP award! Thank you to everyone who has inspired and supported me along the way. #mvpbuzz pic.twitter.com/TKUpyjBgFz

— Stefán Jökull Sigurðarson - CCP Ghostrider (@stebets) November 1, 2020

The point of all this is to say that I can't think of anyone that has been more closely involved with Pwned Passwords since the very early days and contributed more to the community than Stefán. (Special recognition for a moment to Junade Ali, previously of Cloudflare, who actually implemented the Pwned Password k-anonymity model in the first place!) I hadn't even thought about Stefán's role with the project until I saw all the contributions he was making to the open sourced code base and then it totally hit me - this is who I want playing a more active role in the project. So I asked him, and he said yes.

To be clear, this is a voluntary role and the main reason I'm here writing this blog post is for complete transparency and so that when someone other than me starts approving PRs, everyone knows why. I do plan on sending Stefán some stickers and probably some of those cool 3D printed HIBP logos as well, but other than that he's just doing this for the love. I'm enormously grateful for him volunteering his time on this project and I hope CCP is donating some of his cycles as they continue to enjoy this totally free community-driven project 😊

Over time, HIBP needs to become self-sustaining and not solely dependent on me. It has become an increasingly important piece of the fabric of the web and as I've always (half) joked, one bad jet ski accident right now and it all comes crashing down. This is a huge part of why I've headed down the open source route and an equally huge part of why Stefán is now helping out. Over time, I expect there'll be more contributors playing roles that are pivotal to the sustainability of what I hope always remains a pet project, albeit one with a little more help from my friends. Thank you to everyone who has contributed so far and to everyone who'll step forward in the future.