by commitpizza 1253 days ago
I pay for my email, which gives me a lot of aliases, and most of them have not been pwned yet. So with his tool I would be flagged as a bot. Honestly, it doesn't sound like a great idea, to be frank.

There must be large swaths of people that have either been careful or have specific emails that they use for certain purposes that haven't been pwned.

The question is, what should happen if I haven't been pwned? Should I not be able to purchase the thing, or would I face some annoying captcha?

I like Troy Hunt, but this idea penalizes people with good habits, and that is just something I can't support.


This also seems to fast-track stolen accounts, by design. What a weird idea.
It's not his idea; he's saying that there are people out there who are already (mis)using the data for this.
Sort of. He does encourage this use-case in the final paragraph.

> Applying "Pwned or Bot" to your own risk assessment is dead simple with the HIBP API and hopefully, this approach will help more people do precisely what HIBP is there for in the first place: to help "do good things after bad things happen".

Yeah it seems clear to me that he's recommending it to be one portion of a risk assessment for a given email address.
This is a common investigative technique that predates HIBP; however, more people are starting to automate it now (using non-HIBP datasets). I think this, combined with the new request-based pricing on the HIBP API, implies he just wants to make some money off being the quick-to-implement 75% solution.
Edit: I misunderstood Troy.

Original comment:

No, it doesn't penalize them (at least not his idea; implementations might). It simply fast-tracks pwned emails and doesn't apply the normal bot checks that would otherwise apply to everyone.

That's not how he's suggesting it would work. All checks would normally be applied to build a "how human are you" or "humanness" score. He's suggesting a pwned email test and arguing it would be a good signal for "humanness". The implementation might not make it an explicit penalty (-1 to your "humanness" score), but not being pwned might not help your case (+1 if you are pwned, but +0 if you're not).
Yeah it would definitely be good to integrate it into a Bayesian approach where it is mixed with other factors to generate a % chance of being human vs. bot.
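The two scoring schemes the replies above describe, the "+1 if pwned, +0 if not" tally and a Bayesian mix of several signals, as an added Python example that is not from the thread, from HIBP or from Troy Hunt; the signal names and every probability below are constructed assumptions, not measured rates.

```python
# Added example, not from the thread. Two ways to fold a "pwned email" check into a
# "humanness" score. All likelihoods are CONSTRUCTED for illustration only.
import math

# name: (P(signal present | human), P(signal present | bot)) -- assumed values
SIGNALS = {
    "pwned_email":    (0.60, 0.15),  # assumption: long-lived human addresses leak more
    "passed_captcha": (0.95, 0.40),
    "datacenter_ip":  (0.05, 0.70),
}
PRIOR_HUMAN = 0.80  # assumed share of traffic that is human


def additive_score(observed):
    """'+1 if pwned, +0 if not' style tally: a signal adds a point only when its
    observed value points toward 'human'; a missing good signal never subtracts."""
    score = 0
    for name, present in observed.items():
        p_human, p_bot = SIGNALS[name]
        points_to_human = (p_human > p_bot) == present
        score += 1 if points_to_human else 0
    return score


def log_odds_human(observed, prior_human=PRIOR_HUMAN):
    """Naive-Bayes log-odds of 'human'. Every observed signal moves the odds,
    present or absent: an email that is NOT pwned lowers them rather than staying
    neutral, which is the difference from additive_score above."""
    log_odds = math.log(prior_human / (1 - prior_human))
    for name, present in observed.items():
        p_human, p_bot = SIGNALS[name]
        if not present:
            p_human, p_bot = 1 - p_human, 1 - p_bot
        log_odds += math.log(p_human / p_bot)
    return log_odds


def prob_human(observed):
    """Posterior P(human | observed signals) from the log-odds."""
    return 1 / (1 + math.exp(-log_odds_human(observed)))


if __name__ == "__main__":
    # Constructed visitors: a careful user with a never-leaked alias vs. a leaked address.
    careful = {"pwned_email": False, "passed_captcha": True, "datacenter_ip": False}
    leaked = {"pwned_email": True, "passed_captcha": True, "datacenter_ip": False}
    for label, who in (("careful", careful), ("leaked", leaked)):
        print(f"{label}: additive={additive_score(who)} P(human)={prob_human(who):.3f}")
```

With these constructed numbers the careful user scores 2 vs. 3 on the tally and about 0.934 vs. 0.992 as a posterior, so the unpwned alias costs them in both schemes, only more visibly in the Bayesian one.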
I wonder how many pwned email and password pairs still match. Crooks can take control of these pwned accounts and pretend to be trustworthy.
It depends on the risk. I have an account that was pwned (with the same password), but there is no risk to me as there isn't anything useful in that account (not even a DoB, address or even a name). Worst case, someone changes the password and locks me out. Then I'll create another account, as it's not a big deal.
The point would not be that it's a threat to you (though it may be); it's that compromised accounts (like one you don't care about) are a threat to an ecosystem that can't identify whether a "user" is a human or a bot.

That is, your compromised account could be used in an attack and it would look like a human.

I agree, but the cat's out of the bag.