General

  1. V5 files contain seeded hashes?

    The latest V5 password files sorted by hash come up negative with all tested passwords. It looks like the hashes are seeded or non-standard. This applies to both SHA1 and NTLM files of version V5.

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    completed  ·  12 comments  ·  Flag idea as inappropriate…  ·  Admin →
  2. 3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  3. Fix "Pwned Passwords" Two APIs Sentence in Documentation

    Please remove "It's also queryable via the following two APIs:" from https://haveibeenpwned.com/API/v3#PwnedPasswords please as the first API is deprecated?

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  4. haveibeenpwned.com/api

    I now get this"You have been blocked from accessing this resource on Have I Been Pwned" when using the URI for account checking. I tried it on 3 systems (IPs) and get the same result

    https://haveibeenpwned.com/api/v2/breachedaccount/test@test.com?truncateResponse=true

    Is this because of the test@test.com?

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Flag idea as inappropriate…  ·  Admin →
  5. Allow viewing of one pwned website at once

    On the Pwned Websites list (https://haveibeenpwned.com/PwnedWebsites), there is no way to link to a specific site. This could be done easily in two ways:

    1) Give each pwned website its own page (e.g. https://haveibeenpwned.com/PwnedWebsites/Verifications-IO) that just gives that website's description.

    2) Add an anchor link to each pwned website's header so we can deep-link directly to one site.

    Ideally both could be done, and should be relatively easy (I think).

    The reason I want this is that I monitor our corporate network for any corporate accounts that are included in breaches, and let people know about them.…

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →

    So this was always possible (each breach has an anchor that can be linked to), but there wasn’t an easily clickable reference. I’ve just added a permalink under each breach description which should make this easier. It’s now deploying, let that finish and allow cache to flush and it’ll be good.

  6. Add support for NTLM(MD4) hashes to enable Active Directory auditing

    I wanted to use the list to check existing Active Directory (AD) passwords against this wonderful HIBP list, but the problem is that neither the API nor the offline list support MD4 hashes (AKA NT one-way function or NTLM hash) that are stored in AD databases (together with salted SHA1 and MD5, which therefore cannot be precomputed).

    Would it please be possible to also add support for this (weaker) type of hashes? It would be great to have them available at least through the API and ideally also in a downloadable form.

    30 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  7. 51 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Flag idea as inappropriate…  ·  Admin →
  8. Have a FAQ that explains breached passwords to users in easy to understand language

    It would be nice if we had a FAQ that we could link to when checking a password against hipb, when a password is found in the list to explain to users what this means in simple terms. E.g. The password you've chosen was found in a list of passwords that have been hacked from a website in the past. We highly recommend not using such a password anywhere because it means that your account's security is extremely weakend. For more information, please read [some more detailed FAQ]

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Flag idea as inappropriate…  ·  Admin →
  9. Add potential causes for the 503 response.

    A 503 response is given for a single query to the breached account api, but not the pwnedpassword api.

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  10. Fix this bug: Different results of same e-mail

    When I check my e-mail using the website https://haveibeenpwned.com/ it shows "Good news — no pwnage found!".

    Then I clicked on "Notify me when I get pwned". I received an e-mail with an URL to confirm and, when I click this url, it opens the same site showing "Already verified" but right below "Oh no — pwned!" with one specific site that makes sense.

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Flag idea as inappropriate…  ·  Admin →
  11. Use javascript front-end that converts password to hash on client before sending across web

    To mitigate the risk of sending passwords as straight text over the web to your site, could you not have client-side javascript that converts the password to the SHA1 hash and send the hash to be checked?

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  12. Add a link to the site explaining what to do when you are a victim of data breach.

    My email address poped up as being part of a breach. What are the next steps?
    * void the respective accounts?
    * Just change the password?
    * Other options?

    It would be nice just to have a link to some mitigation actions for present and also for the future.

    Thanks for the effort put on this site

    97 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    6 comments  ·  Flag idea as inappropriate…  ·  Admin →
  13. Add a FAQ explaining what it means when a USERNAME that IS an e-mail address, appears on a Web site that you have never used.

    There is a FAQ explaining that a non-email userid can appear as a breach from a site that you have never used, because of collisions (others reusing the same e-mail address). I have an e-mail address that I have used for 20 years, which shows up in the MYSPACE and also the BITTORRENT FORUM breaches. I have never used either of these sites. A FAQ saying how this is possible would be welcomed.

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  14. 6 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  15. Explicitly state the email address that the notification is referring to.

    If you're forwarding emails from a bunch of other addresses it can be awkward to work out which address is involved in the breach. Explicitly stating the email address in the notification would make this easier.

    8 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  16. API option to only return whether an account is breached or not

    At the moment when querying an email address, the names of the sites breached are returned, in some circumstances this may not be desirable due to local legislation. Is it possible to have an API option to return whether an account has been involved in a breach or not rather than names of breached services?

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    completed  ·  1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  17. Include email address in email correspondance when registering

    I have registered several email addresses that I own and that results in a registration email and summary page for each one.

    It's not possible to see in the email body, or on the summary page, which email address they belong to. This is especially tricky with my Exchange inbox which has several email aliases.

    13 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  18. Don't Just Tell Me That SOMEONE In My Domain Has Been Pwn3d, Tell Me Who

    I got an email, this morning, from HIBP, that someone on one of my domains had their account hit in the linkedIn hack, but the address was not listed in the email. It would be nice to know who that was, instead of having to test every single address in this domain to find out.

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  19. Allow users to remove entries associated with their email address from the database

    Or give folks the option to hide their own results from the larger public. As currently configured, the site makes information that is otherwise only available on the darkweb (e.g., saliently, that you were an AdultFriendFinder user) readily accessible to anybody with an internet connection.

    This would only really make sense for pwned email addresses, since there would be no easy way to prove you are the owner of a given account otherwise.

    64 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    11 comments  ·  Flag idea as inappropriate…  ·  Admin →
  20. Add sprashivai.ru breach

    Website with questions with high popularity in Russia 'sprashivai.ru' (clone of formspring.me and so on) has been breached recently.

    https://vk.com/wall6492_5205 (in russian)
    http://tjournal.ru/p/sprashivairu-passwords-leak (in russian)

    (I don't know where to get data)

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1
  • Don't see your idea?

General

Categories

Feedback and Knowledge Base