Questions tagged [have-i-been-pwned]
Website allowing internet users to check whether their credentials have been compromised in the past.
29 questions
1 vote, 0 answers, 94 views
Where can I look up which information about me exists online [closed]
I'm worried that some particular private information about me could be leaked somewhere online.
I'm already aware of haveibeenpwned.com and doxbin.com, but what other sites exist there where ...
1 vote, 1 answer, 170 views
Is it possible to check for pwned/common passwords using salted hashes of the passwords?
If I administer a webpage that allows users to create accounts, and assuming I don't keep or even ever have access to plaintext passwords, is it possible for me to detect that one of my users is using ...
0 votes, 0 answers, 413 views
How to find out which data breach my password was in?
HIBP and my password manager both claim that a password that I am using has been seen in a data leak.
Neither of them provides information about which data leak exactly my password was seen in.
The ...
16 votes, 4 answers, 4k views
Should one reject login attempts when the correct password is newly added to a password deny list?
Best practices say that when users choose a password (at signup or when changing an existing password), the application should reject that password if it appears on a list of passwords known to be ...
1 vote, 1 answer, 233 views
Databases for compromised passwords that browsers use
I am looking into databases of compromised passwords in order to ensure that passwords on a system I am responsible for are not already compromised.
To have complete peace of mind, I prefer to get ...
-1 votes, 1 answer, 182 views
What can an attacker do if they find positive results for `haveibeenpwned`?
I know maltego has a haveibeenpwned module/transform. Assuming an attacker ran a bunch of emails through that module and got a few positive hits for haveibeenpwned, what can be done with those results?...
1 vote, 2 answers, 330 views
Is it a good idea to check if the password provided at registration is leaked on any lists? And then, prevent the user from using it?
A while ago, I was tipped off that it's a good idea to check if the password provided at registration is contained in any list of leaked passwords. I'm not in the information security field, but I ...
2 votes, 2 answers, 829 views
How to explain "the k-anonymity model used by HaveIBeenPwned for pwned passwords doesn't expose your passwords" to a layman?
People are naturally skeptical when they hear about the HaveIBeenPwned pwned passwords search, because who would in their right mind enter their password into a random website? And sure, HIBP uses k-...
3 votes, 2 answers, 206 views
Is this (explained in body) a possible attack vector when using haveibeenpwned API?
I'm currently working on understanding and contemplating implementing password strength validation for sign-ups in my app, to include checking haveibeenpwned to see if the entered password is compromised ...
2 votes, 2 answers, 939 views
Why don't services like Have I Been Pwned send email if you haven't signed up?
When a database is breached and my password and email have been leaked, I can go onto Have I Been Pwned and I can see that my password has been leaked. But why wouldn't the service send out an email ...
0 votes, 1 answer, 632 views
Why would I 'have been pwned' on a website that I never had an account on? [duplicate]
I was recently sent a notification by https://haveibeenpwned.com/ that one of my email addresses has been found in a breach, in particular in a breach of https://www.chegg.com. I am positive I never ...
2 votes, 1 answer, 465 views
Is super paranoid use of the HaveIBeenPwned password API going to help?
The way I understand the HaveIBeenPwned password API is that it's a safe system because the site "can't do much with my partial hash even if they wanted to". But is that really true?
Is the ...
61 votes, 6 answers, 13k views
Is there a reason why I should not use the HaveIBeenPwned API to warn users about exposed passwords?
There's lots of talk about the HaveIBeenPwned password checker which can securely tell users if their password appears in one of their known data dumps of passwords.
This tool has a publicly ...
33 votes, 3 answers, 8k views
Sextortion with actual password not found in leaks
I have received one of those typical sextortion scams ("drive-by exploit", filmed by webcam (mine has tape on it), pay bitcoin etc.). The thing is that an old password of mine is included (I don't ...
52 votes, 10 answers, 18k views
Is using haveibeenpwned to validate password strength rational?
I have been hearing more and more that the haveibeenpwned password list is a good way to check if a password is strong enough to use or not.
I am confused by this. My understanding is that the ...