General
-
I don't understand what to do
Everyone is very excited about this site. But honestly I am confused. I've received a message about my primary email address many times. But there's absolutely no action I can take based on that. Yes, good password hygiene, yes, don't reuse passwords. But that's generic advice that I get without needing to be notified. What is the increment of information I get by receiving your email? I think that there is none. Can you help me understand your value?
1 vote
UserVoice is used for ideas and feature requests. Assuming this is related to Collection #1, please see the discussion on this blog post and ask a question in the comments there if it isn’t already addressed in the post: https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/
-
send part of password hash per mail
Since we have the recommendation of 'never entering a password on a website, unless it's the password field of the corresponding website', I'd suggest building a send-by-mail request form.
If you enter your email, you can choose to get the first 5 chars of all pwned password hashes sent to the entered email.
With this, you ensure that only the pwned email addresses get their pwnage data... (which of course won't help if the mail account itself has already been hijacked). This would help greatly to check which password may be leaked and needs a change.
1 vote
For now, I remain adamant that storing even a part of a password against an email address presents an unacceptable risk for all. More: https://www.troyhunt.com/here-are-all-the-reasons-i-dont-make-passwords-available-via-have-i-been-pwned/
-
I want to use my own Password-Creation
Hello!
I learned English for only two years, from 1965 to 1967.
Please translate 'pwned' into German - I cannot find a German word for it on Google.
Normally I use 'Startpage' instead of 'Google'.
Thank You - Yours faithfully
Gerd Taddicken - Germany
TSA 15 Jan 19, 18.34 h (UTC minus 1 hour?)
+++
1 vote
Multilingual support is definitely not on the cards, it’s a very high overhead for both initial implementation and ongoing support.
-
I want to use my own Password-Creation 2
I want to use my own Password-Creation (II) without your service 'Free for 30 days'.
Thank you
Gerd Taddicken
(In German: I want to create and generate my own password without your '30 days free' password system.)
TSA 25 Jan 19, 18.38 h (local time Germany)
+++
1 vote
This is not a feature suggestion.
-
Add searching by username
If leaks contain usernames and passwords, wouldn't it be important to be able to find out if one of your usernames has been compromised? Or do emails always accompany the passwords?
1 vote
Assuming you mean usernames that are user-chosen strings as opposed to email addresses, this functionality existed in HIBP for a while but was later deprecated. Usernames in this form are not uniquely identifiable, often don’t exist at all (email addresses are used instead) and most importantly, can’t easily be parsed out of a large dump with a regex like email addresses can be. So in summary, low value and high effort.
-
More Info Needed
A community board for questions.
I'd like to know how my email was caught up in a breach on a website I never went to.
1 vote
This is not a feature suggestion.
Refer to this blog post for answers to your question: https://www.troyhunt.com/why-am-i-in-a-data-breach-for-a-site-i-never-signed-up-for/
-
Allow User Submissions
Please allow users to submit pwned passwords.
I just had Google notify me that someone tried to log in with my password from Java, Indonesia, yet this password is not in the pwned password list.
1 vote
There’s a whole world of problems with allowing individual self-submitted strings in this fashion. HIBP will remain focused on the larger incidents with bigger volumes of data.
-
Stop using google analytics for logging what's entered in the forms (when searching for a password or an email) - that's a privacy violation
Just stop using it!
1 vote
Google Analytics does not log data entered into forms on HIBP.
-
Can I have my account show up normally, like no breaches found, since I opted out accidentally
Can I have my account show up normally, like no breaches found, since I opted out accidentally?
I am not sure where to post this but I want it like that
1 vote
At this stage there is no option to un-opt-out. Furthermore, depending on how you opted out, your data may have been permanently deleted from the online system anyway.
-
API call
Hi, I want to ask about the API.
I try to call the API via $.ajax and send the hibp-api-key by header; I checked the hibp-api-key in the request header and it's correct,
and I get this message in the console:
readyState":0,"status":0,"statusText":"NetworkError: Failed to execute 'send' on 'XMLHttpRequest': Failed to load
Can you help me?
1 vote
This User Voice is for feature suggestions. If you’re troubleshooting your implementation, I suggest you try Stack Overflow.
-
Normalize all searches to lower case
I sometimes capitalize portions of my email address.
After checking the same email address twice - one time all lower case and another using some upper case - I got different results!
1 vote
All email address searches are not case sensitive. If you’ve found an exception, please contact me privately with the address in question: https://www.troyhunt.com/contact/
-
Drop support for weak cipher suites
The Qualys SSL Server Test shows that haveibeenpwned.com supports weak cipher suites for TLS 1.2. Please drop support for these to make haveibeenpwned.com even more secure.
https://www.ssllabs.com/ssltest/analyze.html?d=haveibeenpwned.com
1 vote
TLS termination is done at Cloudflare and this is not a configurable attribute. It poses a minor risk hence the A+ SSL Labs rating HIBP receives.
-
Use certificates that specify OCSP Must-Staple
The Qualys SSL Server Test shows that haveibeenpwned.com uses certificates that do not specify OCSP Must-Staple. When you replace these certificates near their expiry date, please get certificates that specify OCSP Must-Staple. Scott Helme has a good article on why OCSP Must-Staple is important.
https://www.ssllabs.com/ssltest/analyze.html?d=haveibeenpwned.com
https://scotthelme.co.uk/ocsp-must-staple/
1 vote
TLS termination is done at Cloudflare and this is not a configurable attribute. It poses a minor risk hence the A+ SSL Labs rating HIBP receives.
-
Question: Does HIBP check user ids as well as email address?
Some websites use userids instead of email addresses. Are userids checked the same as email addresses?
1 vote
No.
-
Help - your search showed a password was in a breach. I got an email from a scammer quoting that password. How do I find out what sites it
Give specifics to help us delete the problem
1 vote
This User Voice is only for feature suggestions.
-
1 vote
Without information as to what benefit that would provide, I’m closing this off as “declined”.
-
How to opt-in again after opting-out? Please read :)
I have opted out by removing my email address from public search.
I thought by using an API key to search for my own email, I am able to retrieve my own breaches, but it was a 404.
How do I opt-in again or at least allow email address owners to search for their own breaches?
I think the language is not very clear on the opt-out page, thus leading to me buying the API key for nothing. I wasted $3.50
It says "You can still search your own address using the notification service that ensures you control the address before…
1 vote
UserVoice is for suggesting new ideas so I’m marking this as “declined”.
Your address will only still be searchable by yourself if you choose the first option that simply removes it from public visibility. If you choose either the 2nd or 3rd option, the data is permanently deleted and no longer searchable by any means.
-
Fix the opt-out.
I was able to opt out public searches on 1 of 2 accounts. The second one I went through the steps and it now tells me I have opted out, however I am still able to look up the second email.
1 vote
UserVoice is for suggesting new ideas, not submitting bugs, so I’m “declining” this one.
Feel free to get in touch personally and give me the email address you’re having problems with: https://www.troyhunt.com/contact/
-
Update with the Zoom data breach
Add the people whose account details were made available after using Zoom
1 vote
Closing as “declined” given no evidence of a Zoom data breach nor anything in the press.
-
question here... are non-user data not exposed?
What I want to ask is that... when those malicious people gain access to a database, do they just go for emails and passwords? I am sure there are other data such as creation dates, private messages, SSNs, interests and more; are these exposed as well? Do the malicious people strip out this info before posting online?
Why do your site and other similar sites not have data classes for this other info?
1 vote
UserVoice is intended for feature suggestions, not general discussion.