General

  1. Being able to clear the history of breaches.

    I would love to be able to clear the breached websites that my email address has. I think this would be a great addition to the opt-out feature.

    1 vote
    0 comments
  2. Cannot do payments from debit card for one time.

    You should add debit cards also in payment and upi.

    1 vote
    0 comments
  3. Provide further evidence to validate how secure this site is

    Given the fact a lot of users who come to this site may already be "super" worried about putting their email address "anywhere" online due to the fact they will have come to this site pretty much following a data breach story and / or because their own account has been compromised, without giving too much away to those that like to hack, would very much appreciate a way in which you could prove an email address is not stored for a user to feel relieved / happy they can use your site confidently and enter an email address.

    I…

    1 vote
    0 comments
  4. Please, could you explain what's the meaning of "pwned" in English, because I can't find it in any English dictionary?

    Please, could you explain what's the meaning of "pwned" in English, because I can't find it in any English dictionary?

    1 vote
    0 comments
  5. Opt-in / Change opt-out type

    It would be great to add opt-in / change opt-out type after user opted-out. For example, I started using 1password, so I would like to switch from "visible just to me" to "delete all previous breaches" so that I can get notification in 1password, resolve it and then "delete all breaches" again.

    3 votes
    0 comments
  6. Allow CSIRTs to be able to monitor their constituents' domains

    CSIRTs usually monitor their customers' domains in order to warn them about potential breaches, vulnerabilities and incidents related to them. It would be good to allow CSIRTs covering a large constituency (like national CSIRTs, industry CSIRTs, academic CSIRTs) to be able to monitor their constituents' domains by accessing the info in a convenient way (by signing, for example, an NDA, compromise, etc.).

    1 vote
    0 comments
  7. V5 files contain seeded hashes?

    The latest V5 password files sorted by hash come up negative with all tested passwords. It looks like the hashes are seeded or non-standard. This applies to both SHA1 and NTLM files of version V5.

    1 vote
    completed  ·  12 comments
  8. 3 votes
    0 comments
  9. Fix "Pwned Passwords" Two APIs Sentence in Documentation

    Please remove "It's also queryable via the following two APIs:" from https://haveibeenpwned.com/API/v3#PwnedPasswords please as the first API is deprecated?

    3 votes
    0 comments
  10. haveibeenpwned.com/api

    I now get this "You have been blocked from accessing this resource on Have I Been Pwned" when using the URI for account checking. I tried it on 3 systems (IPs) and get the same result.

    https://haveibeenpwned.com/api/v2/breachedaccount/test@test.com?truncateResponse=true

    Is this because of the test@test.com?

    1 vote
    2 comments
  11. Allow viewing of one pwned website at once

    On the Pwned Websites list (https://haveibeenpwned.com/PwnedWebsites), there is no way to link to a specific site. This could be done easily in two ways:

    1) Give each pwned website its own page (e.g. https://haveibeenpwned.com/PwnedWebsites/Verifications-IO) that just gives that website's description.

    2) Add an anchor link to each pwned website's header so we can deep-link directly to one site.

    Ideally both could be done, and should be relatively easy (I think).

    The reason I want this is that I monitor our corporate network for any corporate accounts that are included in breaches, and let people know about them.…

    1 vote
    1 comment

    So this was always possible (each breach has an anchor that can be linked to), but there wasn’t an easily clickable reference. I’ve just added a permalink under each breach description which should make this easier. It’s now deploying, let that finish and allow cache to flush and it’ll be good.

  12. Add support for NTLM(MD4) hashes to enable Active Directory auditing

    I wanted to use the list to check existing Active Directory (AD) passwords against this wonderful HIBP list, but the problem is that neither the API nor the offline list supports MD4 hashes (AKA NT one-way function or NTLM hash) that are stored in AD databases (together with salted SHA1 and MD5, which therefore cannot be precomputed).

    Would it please be possible to also add support for this (weaker) type of hashes? It would be great to have them available at least through the API and ideally also in a downloadable form.

    30 votes
    1 comment
  13. 51 votes
    2 comments
  14. Have a FAQ that explains breached passwords to users in easy to understand language

    It would be nice if we had a FAQ that we could link to when checking a password against HIBP, when a password is found in the list, to explain to users what this means in simple terms. E.g. The password you've chosen was found in a list of passwords that have been hacked from a website in the past. We highly recommend not using such a password anywhere because it means that your account's security is extremely weakened. For more information, please read [some more detailed FAQ]

    1 vote
    2 comments
  15. Add potential causes for the 503 response.

    A 503 response is given for a single query to the breached account api, but not the pwnedpassword api.

    1 vote
    0 comments
  16. Fix this bug: Different results of same e-mail

    When I check my e-mail using the website https://haveibeenpwned.com/ it shows "Good news — no pwnage found!".

    Then I clicked on "Notify me when I get pwned". I received an e-mail with a URL to confirm and, when I click this URL, it opens the same site showing "Already verified" but right below "Oh no — pwned!" with one specific site that makes sense.

    1 vote
    2 comments
  17. Use JavaScript front-end that converts password to hash on client before sending across web

    To mitigate the risk of sending passwords as straight text over the web to your site, could you not have client-side JavaScript that converts the password to the SHA1 hash and sends the hash to be checked?

    3 votes
    0 comments
  18. Add a link to the site explaining what to do when you are a victim of data breach.

    My email address popped up as being part of a breach. What are the next steps?
    * void the respective accounts?
    * Just change the password?
    * Other options?

    It would be nice just to have a link to some mitigation actions for present and also for the future.

    Thanks for the effort put on this site

    97 votes
    6 comments
  19. Add a FAQ explaining what it means when a USERNAME that IS an e-mail address, appears on a Web site that you have never used.

    There is a FAQ explaining that a non-email userid can appear as a breach from a site that you have never used, because of collisions (others reusing the same e-mail address). I have an e-mail address that I have used for 20 years, which shows up in the MYSPACE and also the BITTORRENT FORUM breaches. I have never used either of these sites. A FAQ saying how this is possible would be welcomed.

    1 vote
    0 comments
  20. 6 votes
    0 comments