Comment by J-Kuhn

8 hours ago

This is a bad idea, for multiple reasons.

https://www.troyhunt.com/here-are-all-the-reasons-i-dont-mak...

I don't think he meant "show the actual data," I think he meant "what leaked? My name, address, phone number, email, medical records, payment history, bank account number?"

We get a "your private data is now public" email, but knowing exactly what data turns that from a depressing statement on how much corporations value their customers' privacy into something actionable.

  • Yes, I meant the actual data so you know what leaked. There is a difference between leaking a password 12345678 and leaking a password that was reused on a different site. There is a difference between leaking your actual birthday and leaking 01/01/1900. There is a difference between leaking a fake address, your previous address, and your current address.

>Most breaches already contain hashed passwords

It could show the hash instead.

>No, it's not ok that these passwords are already out there

So it's better that people have to pay for it instead of getting this information for free?

>Because it's important to say "I don't store passwords in HIBP"

This is a personal choice.

>I'm not your personal lookup service

The idea is that this would be done by the site itself and would not require manual work by the owner.

  • Hashes can be cracked, and end users won't understand how to create password hashes to check which one was leaked. Plus, salts exist.

    Passwords shouldn't matter anyways. Use a password manager and be done with it. The real issue is metadata which can't easily be changed - phone numbers, addresses, and the like. If any of that data is leaked, it becomes much harder to contain impact. You can't move addresses every time your address gets leaked online.
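The thread above argues two points in the abstract: "it could show the hash instead" versus "hashes can be cracked, and salts exist." The following is an added example, not code from the thread or from HIBP, that makes both concrete: a dictionary attack recovers the plaintext behind unsalted SHA-1 hashes in a single table lookup, while the same password stored with a per-record random salt produces a different hash on every site, so showing a salted hash tells the user nothing about reuse and cannot be checked without the site's salt and parameters. The wordlist, the "leaked" records and the user names are constructed for this example; PBKDF2-HMAC-SHA256 is used here as a stand-in for whatever salted, slow hash a site might actually use.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample data for this example (not real breach data).
WORDLIST: List[str] = ["password", "12345678", "letmein", "correcthorsebatterystaple"]


def sha1_hex(s: str) -> str:
    """Unsalted SHA-1 as a breached site might have stored it."""
    return hashlib.sha1(s.encode()).hexdigest()


# What a breach dump of unsalted hashes looks like (constructed).
LEAKED_UNSALTED: Dict[str, str] = {
    "alice@example.com": sha1_hex("12345678"),
    "bob@example.com": sha1_hex("correcthorsebatterystaple"),
    "carol@example.com": sha1_hex("Tr0ub4dor&3-not-in-list"),  # not in WORDLIST
}


def crack_unsalted(leaked: Dict[str, str], wordlist: List[str]) -> Dict[str, Optional[str]]:
    """Dictionary attack on unsalted hashes.

    Because there is no salt, the wordlist is hashed exactly once and every
    leaked record is resolved with a table lookup. Returns user -> plaintext,
    or None when the password was not in the wordlist.
    """
    table = {sha1_hex(w): w for w in wordlist}
    return {user: table.get(h) for user, h in leaked.items()}


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256 chosen for this example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def same_password_same_hash(password: str) -> bool:
    """Two sites store the same password, each with its own random salt.

    Returns True only if the stored hashes collide, which with random salts
    they do not: a leaked salted hash does not reveal cross-site reuse, and a
    wordlist would have to be re-hashed per record to attack it.
    """
    site_a = salted_hash(password, os.urandom(16))
    site_b = salted_hash(password, os.urandom(16))
    return site_a == site_b


def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    """The only way to check a salted record: you need the salt and the exact
    parameters the site used, which is why an end user cannot reproduce it
    from the hash alone. Constant-time comparison avoids a timing side channel."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


if __name__ == "__main__":
    for user, plaintext in crack_unsalted(LEAKED_UNSALTED, WORDLIST).items():
        print(f"{user}: {plaintext if plaintext else '<not cracked>'}")
    print("salted hashes collide across sites:", same_password_same_hash("12345678"))
```

Run it and the two wordlist passwords fall out immediately while the third does not; the salted comparison never collides, which is the whole reason "show the hash" does not give the user the reuse signal the thread wants.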