General
204 results found
-
Provide database dump for hashes of email address for offline download
This can be very useful for companies to verify if their users (non-staff) are affected by any breaches and inform them to not share password for different systems. I'm residing in EU, GDPR doesn't allow us to send email to your API to check if a particular email address appear in any breach.
1 voteThis would enable anyone to download everyone’s data. Hashes may be cracked which would allow for mass enumeration of emails in a breach. There is no provision in GDPR which prohibits an EU data subject from searching for their email address via the online service.
-
Any suggestions as to anything that can be done to fix any problems associated with these list.
Would like to see some suggestions as to how to repair/improv being victims of the instances you unveil.
1 voteAlready implemented.
-
small 'best of' download files instead of full 10 gb...
in one of the recent blogs from you or cloudflare, it is talked that basically it would be best to deny all passwords with a count > 100 and warn on password > 20. would it be possible to create download files just for these (i think) like 10 mil records (all > 20)? that would make it easier to create a local repository database with a workable download size and working count. ... and ignoring the rare passwords which make up the largest bucket of your collection.
1 voteYou can easily do this yourself by pulling down the entire data set then just extracting all records within the threshold you’ve chosen. I don’t want to publish multiple versions of the same data at different thresholds, this is a very subjective decision and it can easily be extracted from the existing data,
-
located source of a paste
I was informed that my email was on a paste AE4dYZG1.txt 6 Jan 2019 involving 3091 accounts.
The source of this breach is www.netpricedirect.co.uk.1 voteThank you. Closing here as it’s not a feature request.
-
I dont understand what to do
Everyone is very excited about this site. But honestly I am confused. I've received a message about my primary email address many times. But there's absolutely no action I can take based on that. Yes, good password hygene, yes, dont reuse passwords. But that's generic advice that I get without needing to be notified. What is the increment of information I get by receiving your email? I think that there is none. Can you help me understand your value?
1 voteUserVoice is used for ideas and feature requests. Assuming this is related to Collection #1, please see the discussion on this blog post and ask a question in the comments there if it isn’t already addressed in the post: https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/
-
send part of password hash per mail
since we have the recommendation of 'never entering a password on a website, unless it's the password field of the according website', i'd suggest to build an send by mail request form.
if you enter your email, you can choose to get those first 5 chars of all pwned password hashes to the entered email.
with this, you ensure, that only the pwned email addresses get their pwnge data... (which ofc won't help if the mail account itself has already been hijacked)this would help greatly, to check wich password may be leaked and need a change.
1 voteFor now, I remain adamant that storing even a part of a password against an email address presents an unacceptable risk for all. More: https://www.troyhunt.com/here-are-all-the-reasons-i-dont-make-passwords-available-via-have-i-been-pwned/
-
I want to use my own Password-Creation
Hello!
I lerned only two years English 1965 til 1967
(Ich lernte nur zwei Jahre englisch von 1965 bis 1967).Please translate 'pwned' in German - I cannot find in Google a german Word foŕ it (Bitte übersetzen Sie 'pwned' in deutsch - Bei Google finde ich keine Übersetzung für 'pwned').
Normally I use 'Startpage' instead of 'Google' (Normalerweise benutze ich 'Startpage' statt Google).
Thank You - Yours faithfully
Gerd Taddicken - GermanyTSA15Jan19, 18.34 h (UTC minus 1 hour?)
+++
1 voteMultilingual support is definitely not on the cards, it’s a very high overhead for both initial implementation and ongoing support.
-
I want to use my own Password-Creation 2
I want to use my own Password-Creation (II) without your service 'Free for 30 days'.
Thank you
Gerd TaddickenDeutsch: Ich möchte mein eigenes Passwort kreieren, generieren ohne ihr System ,30 Tage frei für das Passwort-System'.
TSA25Jan19, 18.38 h - Local time Germany)
+++
1 voteThis is not a feature suggestion.
-
consider social security numbers?
What potential is there to provide data on SSN that have been exposed in a breach? This seems much more borderline dangerous, but curious about of you've given any thought and the problems / possibilities you see.
1 voteAmerican social security numbers are considered sensitive personally identifiable information and I don’t intend to store them in HIBP.
-
Add searching by username
If leaks contain usernames and passwords, wouldn't it be important to be able to find out if one of your usernames has been compromised? Or do emails always accompany the passwords?
1 voteAssuming you mean usernames that are user-chosen strings as opposed to email addresses, this functionality existed in HIBP for a while but was later deprecated. Usernames in this form are not uniquely identifiable, often don’t exist at all (email addresses are used instead) and most importantly, can’t easily be parsed out of a large dump with a regex like email addresses can be. So in summary, low value and high effort.
-
More Info Needed
A community board for questions.
I'd like to know how my email was caught up in a breach on a website I never went to.1 voteThis is not a feature suggestion.
Refer to this blog post for answers to your question: https://www.troyhunt.com/why-am-i-in-a-data-breach-for-a-site-i-never-signed-up-for/
-
Allow User Submissions
Please allow users to submit pwnd passwords.
I just had Google notify me that someone tried to log in with my password from Java Indonesia, yet this password is not in the pwnd password list.
1 voteThere’s a whole world of problems with allowing individual self-submitted strings in this fashion. HIBP will remain focused on the larger incidents with bigger volumes of data.
-
Stop using google analytics for logging what's entered in the forms (when searching for a password or an email) - that's a privacy violation
Just stop using it!
1 voteGoogle Analytics does not log data entered into forms on HIBP.
-
Can I have my account show up normally- like no breaches found, since I opted out accidentally
Can I have my account show up normally- like no breaches found, since I opted out accidentally ?
I am not sure where to post this but I want it like that
1 voteAt this stage there is no option to un-opt-out. Furthermore, depending on how you opted-out your data may have been permanently deleted from the online system anyway.
-
api call
Hi i want to ask about API,
i try to call the API via $.ajax and send the hibp-api-key by header, i checked the hibp-api-key at RequestHeader and its correct
and i get this message in the console
readyState":0,"status":0,"statusText":"NetworkError: Failed to execute 'send' on 'XMLHttpRequest': Failed to loadcan you help me?
1 voteThis User Voice is for feature suggestions. If you’re trouble shooting your implementation, I suggest you try Stack Overflow.
-
Normalize all searches to lower case
I sometimes capitalize portions of my email address.
After checking the same email address twice - one time all lower case and another using some upper case - I got different results!1 voteAll email address searches are not case sensitive. If you’ve found an exception, please contact me privately with the address in question: https://www.troyhunt.com/contact/
-
Drop support for weak cipher suites
The Qualys SSL Server Test shows that haveibeenpwned.com supports weak cipher suites for TLS 1.2. Please drop support for these to make haveibeenpwned.com even more secure.
https://www.ssllabs.com/ssltest/analyze.html?d=haveibeenpwned.com1 voteTLS termination is done at Cloudflare and this is not a configurable attribute. It poses a minor risk hence the A+ SSL Labs rating HIBP receives.
-
Use certificates that specify OCSP Must-Staple
The Qualys SSL Server Test shows that haveibeenpwned.com uses certificates that do not specify OCSP Must-Staple. When you replace these certificates near their expiry date, please get certificates that specify OCSP Must-Staple. Scott Helme has a good article on why OCSP Must-Staple is important.
https://www.ssllabs.com/ssltest/analyze.html?d=haveibeenpwned.com
https://scotthelme.co.uk/ocsp-must-staple/1 voteTLS termination is done at Cloudflare and this is not a configurable attribute. It poses a minor risk hence the A+ SSL Labs rating HIBP receives.
-
Question: Does HIBP check user ids as well as email address?
Some websites use userids instead of email addresses. Are userids checked the same as email addresses?
1 voteNo.
-
Help - your search showed a password was in a breach. I got an email from a scammer quoting that password. How do I find out what sites it
Give specifics to help us delete the problem
1 voteThis User Voice is only for feature suggestions.
- Don't see your idea?