Questions tagged [have-i-been-pwned]
Website allowing internet users to check whether their credentials have been compromised in the past.
29
questions
158
votes
8
answers
61k
views
Is "Have I Been Pwned's" Pwned Passwords List really that useful?
My understanding of Have I Been Pwned is that it checks your password to see if someone else in the world has used it.
This really doesn't seem that useful to me. It seems equivalent to asking if ...
105
votes
7
answers
145k
views
Is it safe to give my email address to a service like haveibeenpwned in light of the publication of "Collection #1"?
There is a new big case of stolen login/password data in the news. At the same time, I am reading that there are services that let you check if your own login data is affected, e.g.
Have I Been Pwned.
...
74
votes
5
answers
27k
views
How can I be pwned if I'm not registered on the compromised site?
I recently was emailed from HaveIBeenPwned.com (which I am signed up on) about the ShareThis website/tool (not signed up on).
I have no memory of signing up for that service.
When I go to recover ...
66
votes
10
answers
25k
views
Why check your email in haveibeenpwned rather than regularly changing your password regardless of any leaks?
There's a lot of news right now about haveibeenpwned but I don't understand why people need a service like that in first place. If you're a security conscious user, you'd change your passwords ...
61
votes
6
answers
13k
views
Is there a reason why I should not use the HaveIBeenPwned API to warn users about exposed passwords?
There's lots of talk about the HaveIBeenPwned password checker which can securely tell users if their password appears in one of their known data dumps of passwords.
This tool has a publically ...
52
votes
10
answers
18k
views
Is using haveibeenpwned to validate password strength rational?
I have been hearing more and more that the haveibeenpwned password list is a good way to check if a password is strong enough to use or not.
I am confused by this. My understanding is that the ...
41
votes
3
answers
19k
views
Is it safe to check password against the HIBP Pwned Passwords API during account registration?
User registers account on a web app. Passwords are salted and hashed.
But is it safe to check the password against the HIBP Pwned Passwords API, before salting and hashing it? Of course the app uses ...
35
votes
6
answers
15k
views
How do I reset passwords on multiple websites easily?
One of my old email addresses was involved in the recent Whitepages breach disclosure.
I don't remember on which websites I used that email address for registration, but I would like to reset my ...
33
votes
3
answers
8k
views
Sextortion with actual password not found in leaks
I have received one of those typical sextortion scams ("drive-by exploit", filmed by webcam (mine has tape on it), pay bitcoin etc.). The thing is that an old password of mine is included (I don't ...
16
votes
4
answers
4k
views
Should one reject login attempts when the correct password is newly added to a password deny list?
Best practices say that when users choose a password (at signup or when changing an existing password), the application should reject that password if it appears on a list of passwords known to be ...
8
votes
2
answers
12k
views
Why is breach-detection site "Have I Been Pwned" considered safe?
Whether it be due to technology the site is using, or any manual behind-the-scenes work with the data, why does this breach detection site seem to be unquestioningly safe?
Wouldn't the data of you, ...
3
votes
2
answers
206
views
Is this (explained in body) a possible attack vector when using haveibeenpwned API?
I'm currently working on understanding and contemplating to implement password strength validation for sign ups in my app, to include checking haveibeenpwned if entered password is compromised ...
2
votes
1
answer
466
views
Is super paranoid use of HaveIBeenPawned password API going to help?
They way I understand HaveIBeenPawned password API is that it's a safe system because the site "can't do much with my partial hash even if they wanted to". But is that really true?
Is the ...
2
votes
2
answers
833
views
How to explain "the k-anonymity model used by HaveIBeenPwned for pwned passwords doesn't expose your passwords" to a layman?
People are naturally skeptical when they hear about the HaveIBeenPwned pwned passwords search, because who would in their right mind enter their password into a random website? And sure, HIBP uses k-...
2
votes
2
answers
952
views
Why don't services like Have I Been Pwned send email if you haven't signed up?
When a database is breached and my password and email have been leaked I can go onto have I been pwned? and I can see that my password has been leaked. But why wouldn't the service send out an email ...