General

204 results found

  1. Allow users to search for an email address by hash rather than sending the email to the API in cleartext.

    Under the suspicion that submitted email addresses are being harvested, a privacy conscious user could feel safer checking for the presence of their email in the database by submitting a hash of it rather than the email address itself. I, for instance, have two email addresses: one which everyone knows, and one which very few people know. I'm very curious about the latter, but there's no way I'd enter it into any web form.

    47 votes
    I’m closing this out as “declined” for several reasons:

    1. Now with almost 5B records, there’s a very high chance I have the hash being searched already and if I have that, I know the plain text.
    2. It would lead to massive redundancy in the system, literally doubling the volume of data I store
    3. It would be very rarely used; the vast majority of requests come via the web app from consumers browsing to the site and yes, I could hash on the client, but then you have to trust HIBP is reliably doing that, which brings me to the final point…
    4. …I would advise against sending an address to any service you don’t trust, regardless of the lengths I go to in ensuring searches aren’t recorded

    So in summary, a combination of high effort and low reward.

  2. Include credit cards as another search dimension

    As well as user accounts there seem to be a lot of credit cards being leaked. It would be interesting to add credit card numbers to the other search dimensions (username and email address).

    There are some security implications around uploading your credit card to hibp, but hibp would not need to store it at all. Once you had it, hash it, and also store the found numbers as a hash. It would then slide right into the existing partition/row key schema.

    If such a system could be implemented I would even consider it a service worth paying for. Perhaps…

    71 votes
  3. Interpret all permutations of an email address (period separations, +filters)

    Gmail will ignore periods in an email when it comes to routing. So email@gmail.com and e.mail@gmail.com will both go to the same address. Someone might want to use the email because it lets them filter those messages from within Gmail.

    I tested it, and as of right now, haveibeenpwned sees them as separate emails, which may give users a false sense of security.

    Develop a way to find all permutations of an email based off of their filterless email address.

    3 votes
    declined  ·  2 comments
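The Gmail address equivalence described in the suggestion above, as an added example that is not part of this feedback page or of HIBP's own code: a canonicalization routine that treats dots and "+tag" suffixes in a Gmail local part as the same mailbox, plus a lookup over a small constructed breach sample showing what an exact-string match misses and a canonical match finds. It assumes only gmail.com and googlemail.com behave this way; every other domain is left untouched apart from case-folding the domain.

```python
# Domains whose local part ignores dots and "+tag" suffixes (Gmail behaviour).
# Assumption: only Google's consumer domains are treated this way; other
# providers' local parts are left as-is because they may be dot-sensitive.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

# Constructed sample of addresses "seen in a breach" (not real data).
SAMPLE_BREACH = [
    "e.mail@gmail.com",
    "someone+shop@GoogleMail.com",
    "Jane.Doe@example.com",
]


def canonicalize(address: str) -> str:
    """Return the mailbox-identifying form of an address.

    Gmail: lower-case, drop dots in the local part, cut the local part at the
    first "+", and fold googlemail.com onto gmail.com.
    Anything else: case-fold the domain only.
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single mailbox address: {address!r}")
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True when both spellings reach the same inbox under the rules above."""
    return canonicalize(a) == canonicalize(b)


def exact_hits(breached: list[str], query: str) -> list[str]:
    """Naive lookup: only the exact string the user typed is matched."""
    return [entry for entry in breached if entry == query]


def canonical_hits(breached: list[str], query: str) -> list[str]:
    """Lookup that reports every breached spelling of the same mailbox."""
    wanted = canonicalize(query)
    return [entry for entry in breached if canonicalize(entry) == wanted]
```

Querying `email@gmail.com` against the sample returns nothing with `exact_hits` but finds `e.mail@gmail.com` with `canonical_hits`, which is the gap the suggestion is about.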
  4. You are compromising the security of the people

    Regarding the recent Ledger data breach, anyone that types a compromised email address knows that he/she has a ledger wallet and crypto. You are leaking to everybody the same information leaked by the hackers and you are compromising the security of that person by revealing the email, exposing him or her to phishing attempts and even to physical risk if the person that performs the search knows the identity of the owner. This is a very serious issue. Please consider sending the results only by email at least for these most serious data breaches where there is physical risk for…

    0 votes