Skip to content

General

214 results found

  1. 3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)

    This doesn't seem to be a feature suggestion, but to answer your question, there's literally a button on the front page of HIBP that says "Why 1Password" and it links to here: https://haveibeenpwned.com/1Password

  2. New subsection showcase under the API section

    Under API, to add who uses them. I am interested in their UI/UX design, and how the attribution link is shown.
    Request your licensees to provide link and screenshots if they have any. It helps them with cross promotion and you can use it to verify attribution is done correctly

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Admin →
  3. RockYou2024? The 12TB MOAB?

    Huge breaches this year, can their data be added??

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
  4. Show where passwords where leaked from

    The same way we see where the emails where leaked from. Could we please have the passwords leak location shown to us?

    2 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)

    This wouldn't really scale; some passwords have been seen millions of times before and tracking the location would result in huge amounts of bloat whilst providing very little benefit. The purpose of Pwned Passwords is to try and stop the use of known breached passwords, irrespective of where they were breached from.

  5. Activate 2FA for email check

    This tool is very useful and has a nice purpose, but I really regret that its is... another leak and a very public and easy one.
    In a single click I can know if an email is linked to a linked in account. If breaches like stripchat or AFF are visible, I can know if my boss has an account on adult sites.
    I would really love to see one day an implementation of a MFA to get access to an email results.
    Thanks

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
  6. An endpoint to check if unverified domain has been pawned

    I can see that we can check if the domain like google.com is pawned on landing page including the hacks they are involved in but no email addresses. But there is no endpoint do such searches in the api. It would be nice if we could do search for the unverified domain but no email aliases.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
  7. Affected Service Warnings for various breach types

    With the most recent Telegram Combolost breach, a feature I think a wide variety of people would use is the ability to know exactly what services their email and password combination were breached in so they can immediately change them.
    The best way of doing this would be sending HIBP subscribers an email with the the lines in the Combolist (Obviously with the password or other secure information redacted)

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
  8. Enhance the "an address has been breached" email notification to include the address

    I run a domain which is used for email filtering. It employs "catch-all" forwarding to route every message to one of two places:

    1) Trash, for addresses that are only getting SPAM (from previous data breaches)

    2) my inbox, for the unique email address I provide for each web site I register with

    This means I have hundreds of email addresses registered (probably close to 1000). They're all me.

    However, since 63 of my email addresses have been disclosed to HIBP as being involved in data breaches, I no longer have any way to find out which addresses have been…

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
  9. Add a leaderboard of the most pwned accounts

    It would be amazing if you could see which accounts have the most pwns and how many

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
  10. Allow for bulk "add domain" (API or otherwise)

    I have 93 domains in my organisation I would like to add for monitoring (paid account). Currently, it seems the API doesn’t support adding domains to one’s account; so the only way to do so is manually one-by-one.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
  11. Apple and Google have both found passwords that this tool did not.

    I have long since left browser and OS password managers behind. I now use Vaultwarden. I like it because it will check passwords against your service for me (In fact, I pay for a subscription). Recently, I was on my iPad, and it told me that some of my passwords had been compromised. I had forgotten about having passwords on there. Most of them were old and changed. The one that surprised me was for my security camera system. It has not been changed. This password has been stored for a while and checked many times through HIBP (by way…

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
  12. Liste privée

    Rendre privée les réponses et vérifier l'identité du demandeur

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
  13. Add a IFrame (or other kind of embeded form) where we can easily add a search from our site that would send them to HIBP.

    I don't need to understand API's. Your site works great and does an amazing service.

    I would love a media kit/banner that we could add to our site, that we could use to direct users of our site to go to HIBP and check themselves.
    I don't want to download or use your logos without permission.
    You could add a section saying: "promote us:" and pre-prepare icons and buttons for use, if someone chooses, to link to your site.

    In addition, if you could create a form that would allow them to enter the email they want to search, just…

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
  14. Provide a subscription level for individual domains

    I am one of the people (I know there are others) who uses a custom domain and a catchall email address, in order to give a separate email address to every site I sign up to. So example.com is example.com@mydomain.com, example.net is example.net@mydomain.com, etc.

    Unfortunately this means that getting a report on my breached email addresses would cost $169/year, which is quite a lot for an individual user. I understand that this use case looks very similar to an organizational or institutional one, so it may be difficult to distinguish them in order to help individuals while still…

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Admin →
  15. Screen out fake email addresses

    Right now the service you offer shows more than 170 email addresses from my domain. All of them are fake and never existed as there are less than 10 real accounts on my domain. These fake accounts push me into the paid subscription level where if it only looked at the real accounts it’d be free. Can this be remedied? Maybe allow marking of real accounts and all others considered fake?

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)

    The challenge we have is that there is no viable mechanism to establish whether an account is “real” or not. So long as an address adheres to a valid set of characters and structure, there’s nothing beyond that we can do. To mitigate the risk, breaches flagged as spam lists are excluded from the count used to calculate the required subscriptio. More here: https://support.haveibeenpwned.com/hc/en-au/articles/7680371776399-Can-email-addresses-be-removed-from-a-domain-thus-reducing-the-subscription-level-required

  16. upload known breached default or standard passwords

    Many applications use your API to detect known vulnerable passwords. In this regard it would be great to have some way of uploading known default passwords, e.g. company "standard" passwords or vendor specific device passwords. This would help to prevent users from choosing old and compromised "standard" passwords.

    2 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)

    The intention for Pwned Passwords is to be just that **pwned** so things that have been seen in previous breaches. That almost certainly includes many default passwords, but it's not something we'd seek out and add if they haven't previously been breached.

  17. Option to email a report of all exposed passwords linked to my email address back to my email address

    Option to get a full report for exposed passwords used along with my email address that can only be mailed to the email address in question (to avoid malicious use)

    This will help me determine where my data was leaked as I tend to use unique passwords for every site and I do not reuse my email password anywhere else

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
  18. Load breach data before verification/email

    Not sure if this is done already.

    I suggest the breach data is loaded on the DB as quickly as possible, independent of verification. The idea being some of your services such as checking if a password is part of a breach only need to know if a password is part of a breach. The email notification and other parts of the service would wait for verification.

    If your data structure requires a record for the breach source; if so could it have a record with a status of unverified?

    For those users protected by a password manager/site that checked…

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)

    Passwords are typically only updated when a large corpus of plain text versions appear. Most breaches have the passwords already hashed which means there's nothing we can do with them in HIBP, including loading them before verification. Where we do have passwords in plain text, they're already processed independently of the email address loading process.


    tl;dr - it already works this way 🙂

  19. Add basic email validation on the main search box on the website

    If I search for @example.com on the home page https://haveibeenpwned.com/, then it shows "Good news — no pwnage found!".

    That could give the false impression that there is no pwnage on that domain. If a user is not aware of the process for domains, then they might not realise that they need to enter a specific email like pwned@example.com in order to see the "Oh no — pwned!" on the homepage.

    I'm aware that validating emails is difficult, so I'm not suggesting something complicated that covers all possibilities, but I think it would be an improvement to show a…

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)

    The form also accepts usernames and phone numbers, hence not validating email addresses. Because this data was only loaded for a couple of breaches, the field isn't presently displaying the prompt to search for non-email address identifiers, but it may do so again in the future.

  20. Allow a simplistic wildcard domain search on the site and the API

    The only extra function I wish the API had was a very basic wildcard search of a domain (that I don't control/administer) whereby the API would simply return how many times the domain appears in your 700+ breached platforms, and on what platforms it appeared. I have no interest in knowing which email addresses appear under a domain search, just the total number of appearances of the domain and which breached platforms. DeHashed and Leak-Lookup offer this in their free search, but their API's are janky compared to yours.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
← Previous 1 3 4 5 10 11
  • Don't see your idea?

General

Categories

Feedback and Knowledge Base