General
213 results found
-
3 votes
I am in no way supportive of private class actions in the vast majority of cases and do not want to do anything to encourage them. Full blog post coming this week.
-
md5 password check
be able to lookup if your password exists in a breach by entering an md5 of your password rather than the actual password.
3 votesThere’s no upside to MD5. SHA-1 is used not with the expectation of people having SHA-1 hashes in the first place, but rather having the plain text in the first place then using SHA-1 as part of the k-anonymity implementation: https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
-
Email reminders for varification
After the second or third reminder the last one does not contain the email address any more in the text. My improvement: Add the mail address as in the other reminders for a better UX.
1 voteThis is intentional to change the format slightly in the hope of not being flagged as spam.
-
Allow users to login and mark breaches they dealt with
My data was in the 500px breach. Every time I check for breaches against my email address on HIBP, this comes up. I use random passwords so I am not concerned about the leak, but I do make sure to change passwords once I am notified of a leak. Once the list of breaches becomes long enough, I may not remember whether I have dealt with a specific issue reported. It would be good to have a mode where I can log in and check the issues that I have dealt with, so the next time I login and check…
2 votesHIBP is not intended to be a personal triage tool, it’s a reflection of breaches at a point in time.
-
Premium subscription
A premium API subscription that would allow domain search and show actual passwords would be awesome. This is already available online from multiple vendors but costs that are just too high.
1 voteThis would circumvent domain ownership verification and the presence of passwords would post enormous risks to individuals in breaches. That’s just not a situation I’m comfortable with.
-
Allow incremental hashes for those of us who are not permitted to use the API
Different organizations have different security postures. Your list of hashes may be transferred into secure systems in text format where they are processed in order to match against internal password databases.
Unfortunately, despite the k-anonymity interface, exfiltrating even a partial password hash is forbidden. Given this use case, I believe it would be advantageous to provide incremental hash lists for every addition made to the database between major releases of the complete list. Daily, or even weekly would be good.
The objective would be to notify users immediately if the hash of their current password is ever added to the…
1 voteDeltas are infeasible because it’s not just new hashes being added, it’s the counts on existing ones changing too. Best bet is to either load the complete hash set or use the public API. I understand different security postures with regards to using the API, but this is why it implements k-anonymity which there shouldn’t be a practical barrier against using, at least not from a privacy perspective.
-
Notify me of specific site breaches?
I'd imagine I'm not the first to ask about this but can't see it listed. If I have an account with a site, say the BBC site, can I sign up to be informed of confirmed data breaches even if my particular email address is not in a set of compromised data? Apologies if this already addressed - point me to it.
1 voteThis would effectively amount to a per-individual corpus of sites to be monitored which really isn’t something I want to maintain in HIBP. If you have an account with the service and you’re subscribed to notifications, you’ll be notified anyway if it appears in a breach.
-
Fix Email verification
FIx your email verification process. Years back people reporting that emails are not received, IT people watching their email logs confirming nothing is received from your site. Today I am in same boat yesterday and today been trying check email logs at smart host/filter and O365 and neither has any sign of your verification email. There is an issue unfixed you need to resolve.
1 voteEmail delivery checks out just fine: https://www.mail-tester.com/test-difjlr0tj
Talk to your provider if you’re finding it blocked,.
-
I suggest to implement an email verification that is necessary to get to know whether the email adress one typed in has been pawned or not.
By getting the information on whether an email address has been pawned without verification whether it's mine or not it is easy for everyone to check really quickly whether the email addresses one has from people around is worth trying to hack. One doesn't have to check the list. This site is doing that for one.
4 votesThere are many reasons why this wouldn’t make sense: https://www.troyhunt.com/the-ethics-of-running-a-data-breach-search-service/
-
Send me the data, not just the site name
When you find my email in a breached site and on a list somewhere where you say that my email and password were found, send me the details (i.e. the password or hashed password) so I can decide whether I need to change my password. I use a different password at every site. So knowing more than just my email was found a list would be useful.
1 voteHere are all the reasons I don’t make passwords available via Have I been pwned: https://www.troyhunt.com/here-are-all-the-reasons-i-dont-make-passwords-available-via-have-i-been-pwned/
-
Remove password which is pwned on small and don't see in long time.
First time i have check my password, it was not pwned.
Second time, just after first time some days, it was pwned with "seen 1 time before".
This is no problem until now, but when github start using your api to check password and force i give up my good password!
So please remove password which "seen 1 time before", or at least make a feature that auto remove password from your database if it is not pwned or less pwned in long time.3 votesThat’s not a reason to remove the password, that’s a discussion you should have with GitHub about what threshold to block a password at.
-
Add incremental updates to the PWNd password data sets
While it wouldn't preserve order, generally, it would greatly reduce the burden on people downloading those data sets for their own use. It has the potential to drastically reduce the bandwidth costs for the system as users would likely download the bulk of the set just once and then get the updates thereafter.
1 voteThis isn’t feasible as each incremental update doesn’t just add new passwords, it updates the counts on existing ones too. Better just to use the k-anonymity API.
-
I suggest adding a date stamp so we can see when info that's pulled up in a search was last updated.
1 voteBreach data remains largely unchanged after load. Create and modified dates are available via the API if you want more granular data: https://haveibeenpwned.com/API/v3#AllBreaches
-
Help victims of cyber stalkers
I have a friend who is being absolutely terrorized by a computer savvy guy who is backhandedly threatening her life, posting her real name on adult websites, hacking her voicemails, opening accounts with her information and we believe he has now shared her info on some dark web place allowing other hackers access to her information. We have made police reports and even contacted the FBI cyber crimes unit. But this guy is using VPN’s and change your number apps. He calls and harasses her constantly, for over 4 months now this has been going on. I heard about this…
1 voteThis is not a feature suggestion for HIBP.
-
Give us if our email is likely to be pasted.
We should be told if a hacker can still access our email or paste it. We should be told that once we receive our results,
2 votesThere is no way of knowing this.
-
Describe why a search of an e-mail address using the form and API return different results
If I search for my work e-mail address on the web page, I get no results. However, if I search for my work e-mail address with the API I get two results.
Why is this different?
I am suspecting that the lack of passwords in the breach constitutes not being pwned?1 voteSounds like you’re not using the IsVerified param correctly on the API.
-
Cit0day - is it possible to include the site(s) whose lists an email appeared in?
In the alert email for the Cit0day breach, the only information provided is that one's email appeared somewhere in the breach of the 23k websites. If it's possible, it could be helpful for users to be informed of which specific site(s) their credentials were listed under.
I fully grant the larger point about encouraging the use of a password manager to mitigate the risk regardless. Thanks! :)
3 votesHIBP only matches an email address to a single “breach” (which is what the Cit0day collection is treated as) and doesn’t have a provision to add any additional data such as which file the email address appeared in.
-
1 vote
This is not feasible for the reasons mentioned here: https://www.troyhunt.com/the-ethics-of-running-a-data-breach-search-service/
-
Add as a FAQ how Pwned Passwords aligns with Google's new Safety Check
Google now detects some email / password combo breaches. Google doesn't have any more detail on when / what / where. What might explain any difference w Pwned Passwords?
3 votesTotally different services, I’m unsure whether Google uses and data from HIBP or just sources it all themselves.
-
Option to return "no breaches found" in json body, rather than simply a 404 status
It would be good to be able to return something in the json body when no breaches are found for an account.
A parameter to enable this message would be great.
I'm working with a 3rd party software to pull data, and doesn't expose the status in an accessible way.(I would have thought a 204 status would have made more sense?)
1 voteHTTP 404 is the semantically correct response code, there’s no reason to include anything further in the body. Sounds like a deficiency with the product you’re using if it’s unable to interpret response codes correctly.
- Don't see your idea?