Better Supporting the Have I Been Pwned API with Zendesk


I’ve been investing a heap of time into Have I Been Pwned (HIBP) lately, ranging from all the usual stuff (namely trawling through masses of data breaches) to all new stuff, in particular expanding and enhancing the public API. The API is actually pretty simple: plug in an


Big Changes are Afoot: Expanding and Enhancing the Have I Been Pwned API


Just over 3 years ago now, I sat down at a makeshift desk (ok, so it was a kitchen table) in an Airbnb in Oslo and built the authenticated API for Have I Been Pwned (HIBP). As I explained at the time, the primary goal was to combat abuse of


Should one reject login attempts when the correct password is newly added to a password deny list?

Best practices say that when users choose a password (at signup or when changing an existing password), the application should reject that password if it appears on a list of passwords known to be unsafe. For example, NIST Special Publicat…

Welcoming the Polish Government to Have I Been Pwned


Continuing the rollout of Have I Been Pwned (HIBP) to national governments around the world, today I’m very happy to welcome Poland to the service! The Polish CSIRT GOV is now the 34th onboard the service and has free and open access to APIs allowing them to query


Understanding Have I Been Pwned’s Use of SHA-1 and k-Anonymity


Four and a half years ago now, I rolled out version 2 of HIBP’s Pwned Passwords that implemented a really cool k-anonymity model courtesy of the brains at Cloudflare. Later in 2018, I did the same thing with the email address search feature used by Mozilla, 1Password and


Breach Disclosure Blow-by-Blow: Here’s Why It’s so Hard


For many years now, I’ve lamented about how much of my time is spent attempting to disclose data breaches to impacted companies. It’s by far the single most time-consuming activity in processing breaches for Have I Been Pwned (HIBP) and frankly, it’s about the


Have I Been Pwned meaning of BIOS in the list of the data that was compromised [closed]

When HIBP tells me that my name, email, etc. has been compromised, I understand. What I don’t understand is when I am told that Bios is compromised. Can anyone explain the meaning?
Example:
Compromised data: Bios, Dates of birth, Email ad…

Welcoming the Bulgarian Government to Have I Been Pwned


Data breaches impact us all as individuals, companies and as governments. Over the last 4 years, I’ve been providing additional access to data breach information in Have I Been Pwned for government agencies responsible for protecting their citizens. The access is totally free and amounts to APIs designed
