- Why is breach-detection site Have I Been Pwned considered safe?
I'm not sure where you are getting the "unquestioningly safe" claim. They ask this question of themselves and provide clear explanations of what they claim they are trying to do to limit risks to the people involved. Believe them or not, but the question is actively raised. Second, could users be profiled as being "those who care"? Sure.
- Is Have I Been Pwned's Pwned Passwords List really that useful?
Obviously, if you only ever use a password on one particular site, and it bears no relationship to passwords used on other sites, then once you change that password you are as safe as you can be. In fact, the general guidance is that the key trigger for password change should be suspicion of a breach.
- Why check your email in haveibeenpwned rather than regularly changing . . .
Collection #1 - which is the reason for the recent buzz around haveibeenpwned.com and Troy Hunt - is an excellent example for the publication of evidence of compromise. Why? Because it is not a new breach. Brian Krebs, renowned security expert, published a report that claims that all the data in there is at least two to three years old.
- Is using haveibeenpwned to validate password strength rational?
But the inverse is where I am concerned - there will always be very easy to crack passwords that aren't on the list. "longishpassword" at this time has not had an account using this password that was hit by a leak. This does not mean however that were a leak of hashes to happen, this password would be safe. It would be very easy to break.
- passwords - Is haveibeenpwned (HIBP) free and reliable? - Information . . .
The HaveIBeenPwned API is safe to check for leaked passwords as the password or the hash is never transmitted via API.
- have i been pwned - Is there a reason why I should not use the . . .
"if your users are breached it will reflect on you" - citation needed. Users do not blame the vendor if their individual accounts are hacked. "they learn that reuse of credentials is not safe" - citation needed. This process and communication is not likely to result in users walking away with the idea that password reuse is not safe.
- How can I be pwned if I'm not registered on the compromised site?
@Pureferret depends on the kind of information aside from your email address that was included in that site's profile settings. If you're not familiar with the site and can't even log in using the email address reported, you're probably safe. This was just an extremely edge case that popped into my head.
- data leakage - Pwned by a website I never subscribed to - How do they . . .
OP is 'pwned' because their email address was included in the dataset leaked by the site. That's all haveibeenpwned.com reports on. The question isn't about whether they have an account there (they know they don't), but why that site had their email address in the first place when OP never gave it to them.