Hello,

I'm using Have I been Pwned to find out unsealed email accounts and passwords for our company domain and I'm very pleased about this service.

But to make life easier I suggest the following service:
1) I sign in at Have I Been Pwned.
2) I type in and confirm all domains of my company
3) I define a text to inform my users about a possible problem, that their passwords are maybe lost.
4) I accept the actual status of unsealed account information as the base line
5) If new breaches of user accounts will occur Have I Been Pwned will send automatically an email with the pre defined text to only the users with the new possible problem.
6) In addition Have I Been Pwned remembers this status to make sure that users will only be informed in the case of new credential losses.

This will make sure that all of my users will be informed automatically, but only for new breaches and not for old ones.

And if Have I Been Pwned will send the emails from a defined IP, I can mark this emails as proved for my users.

Being responsible for security in a large company this will help me a lot and therefore I would be happy to pay for this kind of service and like to support this very good website and initative.

Thanks, have a nice day, Dirk

This would allow easy testing of code to properly handle a rate limit, without having developers intentionally exceed the rate limit in order to test.

https://api.pwnedpasswords.com/rate-limited/backoff
would return a 429 response with a Retry-After header with a a value = backoff. The backoff parameter is optional and if omitted you would return the default backoff seconds (2).

It is unclear whether the v2 api is rate limited. You state when describing the V2 API that it is not, but the section regarding rate limiting in the API docs does explicitly state that it doesn't apply to the V2 API. This suggestion is less useful if the rate limit does not affect the v2 API

TL;DR: Make domain-level notification (1) more obvious to find and (2) more salient in the registration form.

Feature not advertised in top bar labels

• "Home" promises e-mail one-time search,
• "Notify me" promises e-mail notification, not registration
• "Domain search" promises, well, one-time domain search.

I suggest you add either a separate label on top bar with a separate form. Or change existing "Domain search" into "Domain search+notification" (yes, it's longer, so see other suggestion below).

Feature not recognizable when found

On https://haveibeenpwned.com/DomainSearch there is only one salient title "Domain search / Search for pwned accounts across an entire domain". No title about "notification".

I suggest you, on https://haveibeenpwned.com/DomainSearch form:

• to add between the "Domain name" entry box and the "Would you like..." another sub-title (h1, h2, whatever) reading "Notify me domain-wide" or similar.
• to change the checkbox label to at least include the word "notification" or "notify", like "Subscribe me for domain-wide notification".

This would make the feature easier to find, which will improve your interesting service.

Thank you.

The chances for old email addresses to be listed in a breach is very high. After some decades of use the email address occurs in a breach with a hopefully old password and is used with new passwords currently.
Thus, it would be great if I could test if a specific username – password combination has been listed in a breach. As far as I understand the API this isn’t possible at the moment.
The relating email addresses could be returned after the number of breaches in the api.pwnedpasswords.com return value. This approach has the problem that foreign email addresses are send back to other people.
Therefore, a reverse k-Anonymity model approach could be applied and only the first 5 digits of the email addresses hash should be returned. The hash part could then be compared to hashes of known email address by the client. This would allow the client to identify username – password combinations with the api.pwnedpasswords.com without ever sending passwords and usernames.
Yours, Marcus