General

  1. Search for non decrypted passwords

    As we can download both SHA-1 and NTLM password list, I suppose this list concerns only decrypted passwords that have been re encrypted with SHA-1 and NTLM.

    So what about non decrypted passwords ?

    I can see a lot of breaches where (fortunally) only the digest has been pwned and the digest algorithm is known.

    Are there databases of encrypted passwords with their digest algorithm waiting to be decrypted ?

    If yes it could be a nice feature to test passwords against all these databases using the corresponding algorithm...

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →

    There are multiple problems with this:

    Firstly, passwords are almost never encrypted, they’re hashed. If they are encrypted then without the private key you really can’t verify the password by any means.

    Secondly, when hashed, they’re almost always salted as well so just knowing the algorithm used isn’t sufficient for a password hash provided by a user to be verified, I’d have to provide the salt used as well. That would mean storing that in a way that could be retrieved for that user which amounts to needing credential pairs which is too risky for my comfort.

    Thirdly, it’s a very niche audience that could use this, namely people technical enough to hash their own password (with the salt, if needed) and then pass it back to the service.

    In short, it’s high effort, high risk and low value given the niche nature of it.

  2. Add FalixNodes.net

    There was recently a security breach on FalixNodes, this includes all passwords to the Game Panel, which were all eventfully reset by the owner of FalixNodes.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  3. Password List Version Diff

    Any way to publish just an NTLM and SHA-1 differential file on the next release of the password list? This would greatly help when importing the list into SQL so as not to require a full re-import of any newly published password lists.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  4. Opt out till next breach

    I saw a breach on my email, I've strengthen the security, logout services and stuff.
    I would like to opt out now. And come in a later date and see if have new breaches.

    Because this way, I can rest that my new security changes are working, instead of doesn't matter if strengthen the security or not, I still see the breach result

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  5. Offer a service to wipe a person's breached info

    Offer a service that can wipe clean a person's exposed information that has been breached.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  6. 3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  7. md5 password check

    be able to lookup if your password exists in a breach by entering an md5 of your password rather than the actual password.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  8. Email reminders for varification

    After the second or third reminder the last one does not contain the email address any more in the text. My improvement: Add the mail address as in the other reminders for a better UX.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  9. Premium subscription

    A premium API subscription that would allow domain search and show actual passwords would be awesome. This is already available online from multiple vendors but costs that are just too high.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  10. Allow incremental hashes for those of us who are not permitted to use the API

    Different organizations have different security postures. Your list of hashes may be transferred into secure systems in text format where they are processed in order to match against internal password databases.

    Unfortunately, despite the k-anonymity interface, exfiltrating even a partial password hash is forbidden. Given this use case, I believe it would be advantageous to provide incremental hash lists for every addition made to the database between major releases of the complete list. Daily, or even weekly would be good.

    The objective would be to notify users immediately if the hash of their current password is ever added to the…

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    Deltas are infeasible because it’s not just new hashes being added, it’s the counts on existing ones changing too. Best bet is to either load the complete hash set or use the public API. I understand different security postures with regards to using the API, but this is why it implements k-anonymity which there shouldn’t be a practical barrier against using, at least not from a privacy perspective.

  11. Notify me of specific site breaches?

    I'd imagine I'm not the first to ask about this but can't see it listed. If I have an account with a site, say the BBC site, can I sign up to be informed of confirmed data breaches even if my particular email address is not in a set of compromised data? Apologies if this already addressed - point me to it.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    This would effectively amount to a per-individual corpus of sites to be monitored which really isn’t something I want to maintain in HIBP. If you have an account with the service and you’re subscribed to notifications, you’ll be notified anyway if it appears in a breach.

  12. Fix Email verification

    FIx your email verification process. Years back people reporting that emails are not received, IT people watching their email logs confirming nothing is received from your site. Today I am in same boat yesterday and today been trying check email logs at smart host/filter and O365 and neither has any sign of your verification email. There is an issue unfixed you need to resolve.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  13. I suggest to implement an email verification that is necessary to get to know whether the email adress one typed in has been pawned or not.

    By getting the information on whether an email address has been pawned without verification whether it's mine or not it is easy for everyone to check really quickly whether the email addresses one has from people around is worth trying to hack. One doesn't have to check the list. This site is doing that for one.

    4 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    3 comments  ·  Flag idea as inappropriate…  ·  Admin →
  14. Send me the data, not just the site name

    When you find my email in a breached site and on a list somewhere where you say that my email and password were found, send me the details (i.e. the password or hashed password) so I can decide whether I need to change my password. I use a different password at every site. So knowing more than just my email was found a list would be useful.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  15. Remove password which is pwned on small and don't see in long time.

    First time i have check my password, it was not pwned.
    Second time, just after first time some days, it was pwned with "seen 1 time before".
    This is no problem until now, but when github start using your api to check password and force i give up my good password!
    So please remove password which "seen 1 time before", or at least make a feature that auto remove password from your database if it is not pwned or less pwned in long time.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  16. Add incremental updates to the PWNd password data sets

    While it wouldn't preserve order, generally, it would greatly reduce the burden on people downloading those data sets for their own use. It has the potential to drastically reduce the bandwidth costs for the system as users would likely download the bulk of the set just once and then get the updates thereafter.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  17. 1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  18. Give us if our email is likely to be pasted.

    We should be told if a hacker can still access our email or paste it. We should be told that once we receive our results,

    2 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  19. Describe why a search of an e-mail address using the form and API return different results

    If I search for my work e-mail address on the web page, I get no results. However, if I search for my work e-mail address with the API I get two results.
    Why is this different?
    I am suspecting that the lack of passwords in the breach constitutes not being pwned?

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  20. Allow users to login and mark breaches they dealt with

    My data was in the 500px breach. Every time I check for breaches against my email address on HIBP, this comes up. I use random passwords so I am not concerned about the leak, but I do make sure to change passwords once I am notified of a leak. Once the list of breaches becomes long enough, I may not remember whether I have dealt with a specific issue reported. It would be good to have a mode where I can log in and check the issues that I have dealt with, so the next time I login and check…

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

General

Categories

Feedback and Knowledge Base