If they are really sneaky they use non-cookie based methods of tracking so it's even harder to tell they are doing it! They probably use a cookie to associate your two requests and get your email and password together. Skeptic: Except that they also have a form that asks for your email.Self: Maybe, but even if I don't trust them, if they don't also know my email then it isn't a big deal, and they don't ask for me email address.Skeptic: Yeah, but you have to give them your password.Self: If I type my password in here it will tell me if it has showed up in a hack before! This will help me know if it is safe!.After all, who wants to go around stuffing their password in a random website? You could even imagine a conversation with a skeptic: I could see this service being even more "questionable". Haveibeenpwned also has a service that let's you look up to see if a given password has been leaked before. In particular, some more details can give some clues on evaluating stuff like this. You didn't explicitly ask about this, but it is very related to your question (and mentioned in the comments), so I thought I'd bring it up. Is "Have I Been Pwned's" Pwned Passwords List really that useful? The following StackExchange post has a response from Troy himself with important if you have used the same password for multiple websites, where credentials stolen from one site can be used to attack other sites in a technique also called Credential Stuffing attack. Troy Hunt is a very respected Information Security professional and this service is being used by millions of people worldwide, even by some password managers to verify if the passwords selected by the users have been involved in a data breach.Īs per the website, 1Password integrates with the popular site Have I Been Pwned to keep an eye on your logins for any potential security breaches or vulnerabilities.Įntering your email address on this site will tell you which data breaches involve this email address, so that you can go back to the affected website and change your password. ![]() You can choose to search through all the password databases of the world yourself if you don't want to take the risk that maybe a lot of people are wrong about Troy Hunt, just because then you would disclose your email address. How big of a risk is that to you, when you can just enter any email address you want?Īt the end of the day, HIBP is a free service for you(!) that costs Troy Hunt money. Of course we have to trust Troy Hunt on his claims, as we have no way of proving that he is not doing something else, when handling your specific request.īut I think it is more than fair to say, that haveibeenpwned is a valuable service and Troy Hunt himself is a respected member of the infosec community.īut let's suppose we don't trust Troy: what do you have to lose? You might disclose your email address to him. As with any website, if you're concerned about the intent or security, don't use it. ![]() The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach. How do I know the site isn't just harvesting searched email addresses? Read about why non-sensitive breaches are publicly searchable. Sensitive breaches are also searchable by domain owners who prove they control the domain using the domain search feature. See the Logging section below for situations in which it may be implicitly stored.ĭata breaches flagged as sensitive are not returned in public searches, they can only be viewed by using the notification service and verifying ownership of the email address first. Searching for an email address only ever retrieves the address from storage then returns it in the response, the searched address is never explicitly stored anywhere. This question was explained by Troy Hunt several times on his blog, on Twitter and in the FAQ of
0 Comments
Leave a Reply. |