Questions tagged [have-i-been-pwned]

Website allowing internet users to check whether their credentials have been compromised in the past.

Have I Been Pwned? (HIBP) is a website that allows internet users to check if their personal data has been compromised by data breaches. The service collects and analyzes dozens of database dumps and pastes containing information about hundreds of millions of leaked accounts, and allows users to search for their own information by entering their username or email address. Users can also sign up to be notified if their email address appears in future dumps.

Source: Wikipedia

25 questions
159 votes, 8 answers

Is "Have I Been Pwned's" Pwned Passwords List really that useful?

My understanding of Have I Been Pwned is that it checks your password to see if someone else in the world has used it. This really doesn't seem that useful to me. It seems equivalent to asking if anyone in the world has the same front door key as…
Dancrumb
107 votes, 7 answers

Is it safe to give my email address to a service like haveibeenpwned in light of the publication of "Collection #1"?

There is a new big case of stolen login/password data in the news. At the same time, I am reading that there are services that let you check if your own login data is affected, e.g. Have I Been Pwned. Is it safe to enter my email address there to…
godwana
76 votes, 5 answers

How can I be pwned if I'm not registered on the compromised site?

I recently was emailed from HaveIBeenPwned.com (which I am signed up on) about the ShareThis website/tool (not signed up on). I have no memory of signing up for that service. When I go to recover the account (I might as well close/change password),…
AncientSwordRage
67 votes, 10 answers

Why check your email in haveibeenpwned rather than regularly changing your password regardless of any leaks?

There's a lot of news right now about haveibeenpwned but I don't understand why people need a service like that in the first place. If you're a security conscious user, you'd change your passwords regularly on any website that matters (banking, email,…
JonathanReez
62 votes, 6 answers

Is there a reason why I should not use the HaveIBeenPwned API to warn users about exposed passwords?

There's lots of talk about the HaveIBeenPwned password checker which can securely tell users if their password appears in one of their known data dumps of passwords. This tool has a publicly available API behind it which websites/apps/etc are free…
Toby Smith
52 votes, 10 answers

Is using haveibeenpwned to validate password strength rational?

I have been hearing more and more that the haveibeenpwned password list is a good way to check if a password is strong enough to use or not. I am confused by this. My understanding is that the haveibeenpwned list comes from accounts which have been…
Nacht
41 votes, 3 answers

Is it safe to check password against the HIBP Pwned Passwords API during account registration?

A user registers an account on a web app. Passwords are salted and hashed. But is it safe to check the password against the HIBP Pwned Passwords API before salting and hashing it? Of course the app uses TLS. So if the password is found in any breach -…
Bitenieks
35 votes, 6 answers

How do I reset passwords on multiple websites easily?

One of my old email addresses was involved in the recent Whitepages breach disclosure (source: Have I Been Pwned). I don't remember on which websites I used that email address for registration, but I would like to reset my password everywhere…
Islay
33 votes, 3 answers

Sextortion with actual password not found in leaks

I have received one of those typical sextortion scams ("drive-by exploit", filmed by webcam (mine has tape on it), pay bitcoin etc.). The thing is that an old password of mine is included (I don't even remember where I used it), but searching the…
user32849
8 votes, 2 answers

Why is breach-detection site "Have I Been Pwned" considered safe?

Whether it be due to technology the site is using, or any manual behind-the-scenes work with the data, why does this breach detection site seem to be unquestioningly safe? Wouldn't the data of you, as a user (breached/pwned or not), utilizing this…
Nohbdy Ahtall
3 votes, 2 answers

Is this (explained in body) a possible attack vector when using haveibeenpwned API?

I'm currently working on understanding and contemplating implementing password strength validation for sign ups in my app, to include checking haveibeenpwned if the entered password is compromised elsewhere. I understand the process involves the site…
Aen Tan
2 votes, 2 answers

Why don't services like Have I Been Pwned send email if you haven't signed up?

When a database is breached and my password and email have been leaked, I can go onto Have I Been Pwned? and I can see that my password has been leaked. But why wouldn't the service send out an email notifying me of my leaked password WITHOUT signing…
Schotsl
2 votes, 1 answer

Is super paranoid use of the HaveIBeenPwned password API going to help?

The way I understand the HaveIBeenPwned password API is that it's a safe system because the site "can't do much with my partial hash even if they wanted to". But is that really true? Is the following scenario feasible? My password is…
user3280964
2 votes, 2 answers

Is haveibeenpwned (HIBP) free and reliable?

I have just started to explore HIBP to check whether we can use HIBP in our public facing interfaces. As per my read I have 3 options to check out. Download the password dictionary and implement my own breached password checker, call the HIBP API to…
2 votes, 1 answer

How did my exact name + birthday end up in PwnedPassword lists?

I find my exact name + birthday in the form of FirstnameMiddlenameSurnameDayMonthYear, e.g. JamesWilliamMiller31052000 in the PwnedPasswords List. But I have a very uncommon Surname (<100 people) and I am absolutely sure nobody has the exact…
Dames