General
187 results found
-
Add credentials API (to check against strong hashes)
HIBP unlike other services like enzoic does not yet provide a way to find matches if the breach data contains medium to strong protected passwords.
To make that passwords searchable without cracking them the API needs to accept the username as input and returns a list of hashes together with meta information e.g. salt and hash algorithm. The client can then for all results use the provided hash algorithm for the password and compare it with the hash from the API result.
security notes:
1. you may want to add a second hash algorithm on top to avoid storing passwords…1 voteThe protection level of the password is not an area I want to get into as it leads to (often incorrect) assumptions about whether a breached password is suitable for use. There’s also no need to increase the strength of the hashing algorithm as it’s only designed to obfuscate the PII that appears in some records.
-
Showing results via Mail
I think it is a matter of privacy what services (that were breached) I used. This site allows me to type in any e-mail I know and to verify whether or not the person did use a special service. It might seem that this information is not too big of a deal, still I'd consider it private. So my suggestion is that the services only sends back a link to the email that shall be checked and provides the results there.
14 votesThe reasons for the current approach are detailed in this blog post: https://www.troyhunt.com/the-ethics-of-running-a-data-breach-search-service/
-
Document IP addresses and stability for API
Using your API from our environment requires that we update our network egress rules to allow us to reach you.
I can easily see what IP addresses you're using now, but I can't tell how likely these are to change.
Having this documented would help us make better decisions about how - or whether - to use your API.
tia
1 voteI wouldn’t put any rules in place based on IP, just use the domain name(s).
-
Add doxbin.org paste
I search on doxbin.org some email accounts and then i search on haveibeenpwned.org, but it isn't find the paste.
6 votesThis is not a feature suggestion.
-
Add more phone number and email breach
Please add more email and phone number breach. I search on "keepersecurity" and "nortonlifelock email and phone number dark web monitoring" say to me that there is more breach.
6 votesNo plans to do that for the reasons mentioned here: https://www.troyhunt.com/the-facebook-phone-numbers-are-now-searchable-in-have-i-been-pwned/
-
There was an attack on the website https://www.yemeksepeti.com
- Name-surname, date of birth
- Telephone numbers registered with Yemeksepeti
- E-mail registered with Yemeksepeti
- Address information registered with Yemeksepeti
- Masked login passwords with SHA-256 algorithm that are not clearly visible it was stolen. You must add it to this site.
6 votesThis User Voice is for suggesting features for HIBP. If you have data from a new breach, please get in touch with me directly: https://www.troyhunt.com/contact/
-
improvements to domain search for bigger companies
At thousands of employees, the usability of the domain search falls off a cliff. Here's some of the problems I'm seeing and what would improve my usecase significantly.
problems:
1) email and personal data leaks are a spam/phish/identity problem: password leaks are a direct attack liability
2) company has been around for a decade, thousands of employees, list of leaks and affected users by any of the leaks is long and unwieldy
3) constantly investigating users that are no longer activepotential improvements:
1) focus on password leaks as a higher level of leak than just email and/or personal data…3 votesThis really goes beyond the purpose of HIBP and starts to get into the internal triage processes of your organisation. The intention is to provide the data as I’ve been able to obtain it then the consumer works out what to do with it; which ones are serious (it differs by org), which addresses are still relevant (definitely not something I want to track), and what actions have been taken for an individual breach. APIs exist for you to handle this in conjunction with the domain search.
-
Create or Develop an App for this website name as app name called "Have I Been pwned?/HIBP"
Make it easier to trace in phone if someone is trying to pwned you by opening the App, then boom you know quickly already the updates about your account.
3 votesJust bookmark this page (change the address accordingly): https://haveibeenpwned.com/account/test@example.com
-
How to Delete reported pwnage: Good news and Bad ews
make a deletion of these reports if you have seen it already....
3 votesHIBP isn’t intended to track the state of how individual people see and deal with breaches, there are all sorts of problems associated with that.
-
Domain user accounts
As a consultant, I see several companies that use a Microsoft Windows server and that are currently under cyber attack. looking at the userids that they use to try to get in, I think that somewhere there must be a list of existing userids (and passwords and even PC names) that they can use to login to a domain. Would be useful to get that info in hibp. By the way, on checking the domain names in hibp, I never get a verification code sent to security@....
1 voteThis is cage and not really actionable. If you’re not receiving email, you’re almost certainly blocking it.
-
Search for non decrypted passwords
As we can download both SHA-1 and NTLM password list, I suppose this list concerns only decrypted passwords that have been re encrypted with SHA-1 and NTLM.
So what about non decrypted passwords ?
I can see a lot of breaches where (fortunally) only the digest has been pwned and the digest algorithm is known.
Are there databases of encrypted passwords with their digest algorithm waiting to be decrypted ?
If yes it could be a nice feature to test passwords against all these databases using the corresponding algorithm...
1 voteThere are multiple problems with this:
Firstly, passwords are almost never encrypted, they’re hashed. If they are encrypted then without the private key you really can’t verify the password by any means.
Secondly, when hashed, they’re almost always salted as well so just knowing the algorithm used isn’t sufficient for a password hash provided by a user to be verified, I’d have to provide the salt used as well. That would mean storing that in a way that could be retrieved for that user which amounts to needing credential pairs which is too risky for my comfort.
Thirdly, it’s a very niche audience that could use this, namely people technical enough to hash their own password (with the salt, if needed) and then pass it back to the service.
In short, it’s high effort, high risk and low value given the niche nature of it.
-
Add FalixNodes.net
There was recently a security breach on FalixNodes, this includes all passwords to the Game Panel, which were all eventfully reset by the owner of FalixNodes.
1 voteThis is not a feature suggestion.
-
Password List Version Diff
Any way to publish just an NTLM and SHA-1 differential file on the next release of the password list? This would greatly help when importing the list into SQL so as not to require a full re-import of any newly published password lists.
1 voteA huge portion of the entries change on each load due to the counts being revised. if downloading the corpus is burdensome, better to use the k-anonymity API.
-
Opt out till next breach
I saw a breach on my email, I've strengthen the security, logout services and stuff.
I would like to opt out now. And come in a later date and see if have new breaches.Because this way, I can rest that my new security changes are working, instead of doesn't matter if strengthen the security or not, I still see the breach result
3 votesYou can do this already: https://haveibeenpwned.com/OptOut
-
Offer a service to wipe a person's breached info
Offer a service that can wipe clean a person's exposed information that has been breached.
3 votesYou can’t wipe data off the internet once it’s leaked.
-
3 votes
I am in no way supportive of private class actions in the vast majority of cases and do not want to do anything to encourage them. Full blog post coming this week.
-
md5 password check
be able to lookup if your password exists in a breach by entering an md5 of your password rather than the actual password.
3 votesThere’s no upside to MD5. SHA-1 is used not with the expectation of people having SHA-1 hashes in the first place, but rather having the plain text in the first place then using SHA-1 as part of the k-anonymity implementation: https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
-
Email reminders for varification
After the second or third reminder the last one does not contain the email address any more in the text. My improvement: Add the mail address as in the other reminders for a better UX.
1 voteThis is intentional to change the format slightly in the hope of not being flagged as spam.
-
Premium subscription
A premium API subscription that would allow domain search and show actual passwords would be awesome. This is already available online from multiple vendors but costs that are just too high.
1 voteThis would circumvent domain ownership verification and the presence of passwords would post enormous risks to individuals in breaches. That’s just not a situation I’m comfortable with.
-
Allow incremental hashes for those of us who are not permitted to use the API
Different organizations have different security postures. Your list of hashes may be transferred into secure systems in text format where they are processed in order to match against internal password databases.
Unfortunately, despite the k-anonymity interface, exfiltrating even a partial password hash is forbidden. Given this use case, I believe it would be advantageous to provide incremental hash lists for every addition made to the database between major releases of the complete list. Daily, or even weekly would be good.
The objective would be to notify users immediately if the hash of their current password is ever added to the…
1 voteDeltas are infeasible because it’s not just new hashes being added, it’s the counts on existing ones changing too. Best bet is to either load the complete hash set or use the public API. I understand different security postures with regards to using the API, but this is why it implements k-anonymity which there shouldn’t be a practical barrier against using, at least not from a privacy perspective.
- Don't see your idea?