
Questions tagged [have-i-been-pwned]

Website allowing internet users to check whether their credentials have been compromised in the past.

1 vote
0 answers
95 views

Where can I look which information about me exists online [closed]

I'm worried that there could be some particular private information about me leaked somewhere online. I'm already aware of haveibeenpwned.com and doxbin.com, but what other sites exist there where ...
Maddin
  • 11
1 vote
1 answer
175 views

Is it possible to check for pwned/common passwords using salted hashes of the passwords?

If I administer a webpage that allows users to create accounts, and assuming I don't keep or even ever have access to plaintext passwords, is it possible for me to detect that one of my users is using ...
terdon
  • 115
0 votes
0 answers
422 views

How to find out which data breach my password was in?

HIBP and my password manager both claim that a password that I am using has been seen in a data leak. Neither of them provide information about which data leak exactly my password was seen in. The ...
InfiniteLoop
16 votes
4 answers
4k views

Should one reject login attempts when the correct password is newly added to a password deny list?

Best practices say that when users choose a password (at signup or when changing an existing password), the application should reject that password if it appears on a list of passwords known to be ...
Jens Bannmann
1 vote
1 answer
234 views

Databases for compromised passwords that browsers use

I am looking into databases of compromised passwords in order to ensure that passwords on a system I am responsible for are not already compromised. To have complete peace of mind, I prefer to get ...
DevShark
  • 343
-1 votes
1 answer
182 views

What can an attacker do if they find positive results for `haveibeenpwned`?

I know Maltego has a haveibeenpwned module/transform. Assuming an attacker ran a bunch of emails through that module and got a few positive hits for haveibeenpwned, what can be done with those results?...
ChocolateOverflow
1 vote
2 answers
334 views

Is it a good idea to check if the password provided at registration is leaked on any lists? And then, prevent the user from using it?

A while ago, I was tipped off that it's a good idea to check if the password provided at registration is contained in any list of leaked passwords. I'm not in the information security field, but I ...
Warlock
  • 43
2 votes
2 answers
833 views

How to explain "the k-anonymity model used by HaveIBeenPwned for pwned passwords doesn't expose your passwords" to a layman?

People are naturally skeptical when they hear about the HaveIBeenPwned pwned passwords search, because who would in their right mind enter their password into a random website? And sure, HIBP uses k-...
Nzall
  • 7,563
3 votes
2 answers
206 views

Is this (explained in body) a possible attack vector when using haveibeenpwned API?

I'm currently working on understanding and contemplating to implement password strength validation for sign ups in my app, to include checking haveibeenpwned if entered password is compromised ...
Aen Tan
  • 133
2 votes
2 answers
952 views

Why don't services like Have I Been Pwned send email if you haven't signed up?

When a database is breached and my password and email have been leaked I can go onto Have I Been Pwned? and I can see that my password has been leaked. But why wouldn't the service send out an email ...
Schotsl
  • 121
0 votes
1 answer
635 views

Why would I 'have been pwned' on a website that I never had an account on? [duplicate]

I was recently sent a notification by https://haveibeenpwned.com/ that one of my email addresses has been found in a breach, in particular in a breach of https://www.chegg.com. I am positive I never ...
Sebastiaan van den Broek
2 votes
1 answer
466 views

Is super paranoid use of HaveIBeenPawned password API going to help?

The way I understand HaveIBeenPawned password API is that it's a safe system because the site "can't do much with my partial hash even if they wanted to". But is that really true? Is the ...
user3280964
  • 1,152
61 votes
6 answers
13k views

Is there a reason why I should not use the HaveIBeenPwned API to warn users about exposed passwords?

There's lots of talk about the HaveIBeenPwned password checker which can securely tell users if their password appears in one of their known data dumps of passwords. This tool has a publicly ...
Toby Smith
33 votes
3 answers
8k views

Sextortion with actual password not found in leaks

I have received one of those typical sextortion scams ("drive-by exploit", filmed by webcam (mine has tape on it), pay bitcoin etc.). The thing is that an old password of mine is included (I don't ...
user32849
  • 359
52 votes
10 answers
18k views

Is using haveibeenpwned to validate password strength rational?

I have been hearing more and more that the haveibeenpwned password list is a good way to check if a password is strong enough to use or not. I am confused by this. My understanding is that the ...
Nacht
  • 935
0 votes
1 answer
1k views

Have I Been Pwned Breached Email List by Domain Names

HIBP is a great service that I've been using for a long time. I had a question surrounding the Domain Search feature on HIBP. I believe there has to be some form of verification from our end in order to ...
Data Shark
2 votes
2 answers
924 views

Is haveibeenpwned (HIBP) free and reliable? [closed]

I have just started to explore HIBP to check whether we can use HIBP in our public facing interfaces. As per my read I have 3 options to check out. Download the password dictionary and implement my ...
maya16
  • 121
35 votes
6 answers
15k views

How do I reset passwords on multiple websites easily?

One of my old email addresses was involved in the recent Whitepages breach disclosure. I don't remember on which websites I used that email address for registration, but I would like to reset my ...
Islay
  • 591
1 vote
0 answers
113 views

Are there any reliable and updated sources or feeds for password dumps? [closed]

I am looking for any reliable, up-to-date sources (which may be RSS feeds, websites, or anything else OSINT-based) which contain password dumps and their relative links. I am looking particularly for ...
Alessandro
1 vote
1 answer
147 views

How did my exact name + birthday end up in PwnedPassword lists? [closed]

I find my exact name + birthday in the form of FirstnameMiddlenameSurnameDayMonthYear, e.g. JamesWilliamMiller31052000 in the PwnedPasswords List. But I have a very uncommon Surname (<100 people) ...
Dames
  • 111
74 votes
5 answers
27k views

How can I be pwned if I'm not registered on the compromised site?

I recently was emailed from HaveIBeenPwned.com (which I am signed up on) about the ShareThis website/tool (not signed up on). I have no memory of signing up for that service. When I go to recover ...
AncientSwordRage
0 votes
1 answer
653 views

Search list of emails [HaveIBeenPwned] [closed]

I want to search a list of emails, about 150 roughly on the https://haveibeenpwned.com/ website. Obviously, I do not want to search each address individually, is there a way to upload a list, or ...
NULL.Dude
  • 201
1 vote
1 answer
249 views

Email pwned versus password not pwned

A while ago my email had been pwned, I changed the password. Now since January's massive breach I checked again and my email is found to be pwned, however the password I had then changed to, isn't ...
A.Fraile
66 votes
10 answers
25k views

Why check your email in haveibeenpwned rather than regularly changing your password regardless of any leaks?

There's a lot of news right now about haveibeenpwned but I don't understand why people need a service like that in the first place. If you're a security conscious user, you'd change your passwords ...
JonathanReez
  • 1,024
8 votes
2 answers
12k views

Why is breach-detection site "Have I Been Pwned" considered safe?

Whether it be due to technology the site is using, or any manual behind-the-scenes work with the data, why does this breach detection site seem to be unquestioningly safe? Wouldn't the data of you, ...
Nohbdy Ahtall
105 votes
7 answers
145k views

Is it safe to give my email address to a service like haveibeenpwned in light of the publication of "Collection #1"?

There is a new big case of stolen login/password data in the news. At the same time, I am reading that there are services that let you check if your own login data is affected, e.g. Have I Been Pwned. ...
godwana
  • 931
1 vote
1 answer
1k views

Search on email domains using the Have I Been Pwned API?

Using the HIBP API, is it possible to search for email domains? I know that HIBP has around 5 billion email records. All I want is a count of gmail.com or yahoo.com records. I know that I can check ...
pdp2907
  • 11
41 votes
3 answers
19k views

Is it safe to check password against the HIBP Pwned Passwords API during account registration?

User registers account on a web app. Passwords are salted and hashed. But is it safe to check the password against the HIBP Pwned Passwords API, before salting and hashing it? Of course the app uses ...
Bitenieks
  • 533
158 votes
8 answers
61k views

Is "Have I Been Pwned's" Pwned Passwords List really that useful?

My understanding of Have I Been Pwned is that it checks your password to see if someone else in the world has used it. This really doesn't seem that useful to me. It seems equivalent to asking if ...
Dancrumb
  • 2,636