Using Haveibeenpwned (HIBP) in a Corporate Setting?

3 points by who-knows95 ↗ HN
Hello there, thank you for reading this,

i work in a small to median sized IT support business.

i'm the cyber sec junior, and i have been wondering about if i can implement HIBP in a corporate setting.

i currently use it to educate staff members on how passwords are breached, and why emails need to be secure, and i know i can use it to scan a domain and find emails linked to breaches and that i can use it as a blacklist for passwords.

is there anything else i should think about or look into?

thank you.

4 comments

[ 13.7 ms ] story [ 69.8 ms ] thread
I have a script running weekly that dumps the NTLM hashes from our domain controller and compares them against the HIBP hash list. It will then automatically force a password reset on the user's account if found in the compromised hash list.

You can also subscribe your domain to get email alerts when one of your email addresses pops up in a new breach.

AHH that is a brilliant idea, do you have this script posted? i guess, if i added the password databases to a blacklist it would do the same thing?

i did see that, and i am tempted to test it on some of our clients to see what the feedback is. i know when i run a few of their emails through they do pop up in some of the breaches.

kind regards

You can find the password dumps if you are persistent enough with google and crack the hashes yourself. You can also look into hashes.org. I'd just enforce strong password rules all around in your domain and for the applications you build.
you can download the full password database on the HIBP website on the passwords page!

https://haveibeenpwned.com/Passwords

we do enforce password policies that match best practice, just wondering if there is more i could do.