by diminoten 2529 days ago
Sorry, but the cat is out of the bag. HIBP is evening the playing field, making the data less valuable to those who have the skills to collect it.

It's the same thing as responsible/full disclosure; by making this information available to anyone (publish a vulnerability), you greatly reduce the power of those who have the skills to collect it anyway (the person who found the 0day).

So yes, this information needs to be available, or it'll only be some people who have it, not none, and those few people who do have it will be 10x stronger than they are now.

This is the old Antisec debate all over again, let's skip to the part where we end up agreeing generally that disclosure is better, okay? No need to relive 2009 or whatever.


"Disclosure" could mean many things. The idea of providing the info directly via email to the affected user seems to adequately disclose things to the relevant parties.

Are there additional benefits of the public api that on balance benefit the public more than attackers?

Yeah, the availability of the data being common rather than rare, so the skill of collecting that data doesn't create a power structure where only the hackers/skilled users have power.

Imagine it being $500/month to access HIBP, because that's the alternative, not some, "everyone agrees to only use this info for good".

Explain to me how anybody besides myself can use info about my leaked account for something good or useful.

I can’t think of an example.

Therefore, having that info cost more is better. Having it cost a lot more is a lot better. (I’m assuming I can still get access for free by having it provided directly to my email address.)

What? No, you're not understanding. Even if no one but you could use this info legitimately, the fact that it's widely available depowers the people who have the skills to collect it (specifically, people who want to do you harm).

By virtue of the fact that this info is widespread, you have no choice but to take actions to protect yourself from this information. That means the information becomes useless.

You are, in a way, being shamed into acting, through public disclosure. So no, having that info cost is not more better, it's more worse.

Furthermore, it is not an option to only let you have this information. That ship sailed when the breaches happened. You don't get access to this information for free, you don't get to control the dissemination of this information, you are powerless. You're acting like HIBP is the only way people can find this info out; it's not. That $500 price tag is just for you. People who are more skilled than you or I at collecting this info get it for free, and that's never going away.

You can’t have it both ways. Either it’s widely available, or it isn’t.

If it’s already widely available then HIBP doesn’t accomplish anything. (It doesn’t anyway, since it doesn’t “shame” anybody except people who are already signed up, who only need and get their own info.) If it isn’t widely available then HIBP is helping people who are bad at collecting and using this information to do so.

We accept that from bug reports only because of the other benefits that come from releasing the info.

You're not getting that the alternative is much worse.

Your data is out there. Period. The end. You don't have control over that. All you're doing is trying to re-establish control over data you already lost.

The question now is, do you want it only in the hands of people who want to harm you, or do you want it in the hands of both people who want to harm you as well as people who want to help you?

You seem to only want bad guys to have your data. That's weird.

A service provider could check the API for the signup email and if previously compromised could challenge the signup with additional CAPTCHA steps to detect bot activity. They could check email+PW entered against leaked pairs and prevent you from registering with a known-compromised PW.

Your bank could check emails attached to customer accounts and work with affected customers to ensure their bank account access is secure.

Your employer could check for leaks of accounts using corporate domains. They could check leaked passwords against known last 5 to see if there are active threats.
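One way a service provider could implement the "prevent you from registering with a known-compromised PW" check described in the comment above, written here as an added example (it is not code from the thread, from HIBP, or from any project the thread names). It follows the k-anonymity range lookup that the HIBP Pwned Passwords API exposes: the client sends only the first five hex characters of the password's SHA-1 and compares the returned suffixes locally, so the full hash never leaves the server doing the signup. The HTTP call is replaced by a constructed in-memory response so the example runs offline; the suffix for "password" is its real SHA-1 suffix, but every count and the other suffixes are invented.

```python
import hashlib
from typing import Callable, Dict, Optional

# Constructed stand-in for the body of GET https://api.pwnedpasswords.com/range/5BAA6
# Real responses are lines of "<35 hex chars of the SHA-1 suffix>:<prevalence count>".
# The first suffix is the genuine SHA-1 suffix of the string "password"
# (full hash 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8); its count and the
# remaining lines are made up for this example.
SAMPLE_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2",
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:4",
        "not-a-valid-line",  # deliberately malformed, to show the parser skipping it
    ]),
}


def offline_range_lookup(prefix: str) -> str:
    """Replace the network call with the constructed sample above.

    An unknown prefix yields an empty body, which the caller treats as
    "no matches" just as an empty real response would be.
    """
    return SAMPLE_RANGE_RESPONSES.get(prefix.upper(), "")


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Tolerates CRLF and blank lines and drops lines that do not match the
    expected shape, so a corrupted or tampered body cannot inject nonsense.
    """
    results: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if len(suffix) != 35 or not count.isdigit():
            continue
        results[suffix.upper()] = int(count)
    return results


def breach_count(password: str,
                 lookup: Callable[[str], str] = offline_range_lookup) -> int:
    """Return how many times the password appears in the corpus (0 = never seen).

    Only the 5-character SHA-1 prefix is handed to `lookup`; the 35-character
    suffix comparison happens entirely on the caller's side.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(lookup(prefix)).get(suffix, 0)


def registration_policy(password: str, *, max_seen: int = 0,
                        lookup: Callable[[str], str] = offline_range_lookup) -> Optional[str]:
    """Decide whether a signup may use this password.

    Returns None when the password is acceptable, otherwise a reason string
    the signup form can show. `max_seen` lets an operator tolerate very rare
    appearances instead of rejecting on a single sighting.
    """
    seen = breach_count(password, lookup)
    if seen > max_seen:
        return f"password appears in known breaches ({seen} times); choose another"
    return None


if __name__ == "__main__":
    for candidate in ("password", "this-is-only-an-example-passphrase"):
        verdict = registration_policy(candidate)
        print(f"{candidate!r}: {'allowed' if verdict is None else verdict}")
```

In production the `lookup` argument would be an HTTPS GET against the real range endpoint; keeping it injectable is what makes the policy testable without network access and keeps the hashing and comparison logic identical in both cases.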