
Using Haveibeenpwned (HIBP) in a Corporate Setting? - who-knows95
Hello there, thank you for reading this.

I work in a small to medium sized IT support business.

I'm the cyber sec junior, and I have been wondering about whether I can implement HIBP in a corporate setting.

I currently use it to educate staff members on how passwords are breached and why emails need to be secure, and I know I can use it to scan a domain and find emails linked to breaches, and that I can use it as a blacklist for passwords.

Is there anything else I should think about or look into?

Thank you.
======
chelmzy
I have a script running weekly that dumps the NTLM hashes from our domain
controller and compares them against the HIBP hash list. It will then
automatically force a password reset on the user's account if found in the
compromised hash list.

You can also subscribe your domain to get email alerts when one of your email
addresses pops up in a new breach.
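The two checks discussed in this thread, as an added example that is not chelmzy's script or anything from HIBP: a k-anonymity password check against the Pwned Passwords range API (only the first five hex characters of the SHA-1 leave the machine) and an offline comparison of a domain's NT hashes against the downloadable HIBP NTLM list. The range response, the NT-hash dump and the NTLM list are all constructed stand-ins; the counts and NT hashes are placeholders, not real data.

```python
import hashlib
from typing import Callable, Dict, List


def parse_hibp_lines(text: str) -> Dict[str, int]:
    """Parse HIBP 'HASH:count' lines (the format shared by the range API
    and the downloadable hash lists) into an upper-case hash -> count map."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        digest, count = line.split(":", 1)
        counts[digest.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity check: hand only the 5-char SHA-1 prefix to fetch_range,
    then match the remaining 35 chars locally. 0 means not found."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return parse_hibp_lines(fetch_range(prefix)).get(suffix, 0)


def users_with_pwned_nt_hash(dump: Dict[str, str], ntlm_list: str) -> List[str]:
    """Offline version of the weekly job: accounts whose NT hash appears in
    the downloaded HIBP NTLM list are the ones to force a reset on."""
    pwned = parse_hibp_lines(ntlm_list)
    return sorted(user for user, nt in dump.items() if nt.upper() in pwned)


# Constructed stand-in for GET https://api.pwnedpasswords.com/range/5BAA6
# (the SHA-1 of "password" starts with 5BAA6; the counts are made up).
RANGE_5BAA6 = "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\n" \
              "0011223344556677889900AABBCCDDEEFF1:2\n"


def offline_fetch_range(prefix: str) -> str:
    # Stand-in for the HTTP call, so the example runs offline.
    return RANGE_5BAA6 if prefix == "5BAA6" else ""


# Constructed NT-hash dump (user -> NT hash) and HIBP NTLM list; placeholders.
SAMPLE_DUMP = {"alice": "11111111111111111111111111111111",
               "bob": "22222222222222222222222222222222"}
SAMPLE_NTLM_LIST = "11111111111111111111111111111111:40\n" \
                   "33333333333333333333333333333333:7\n"

if __name__ == "__main__":
    print(pwned_count("password", offline_fetch_range))            # 12345
    print(users_with_pwned_nt_hash(SAMPLE_DUMP, SAMPLE_NTLM_LIST))  # ['alice']
```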

~~~
who-knows95
AHH, that is a brilliant idea. Do you have this script posted? I guess if I
added the password databases to a blacklist it would do the same thing?

I did see that, and I am tempted to test it on some of our clients to see what
the feedback is. I know when I run a few of their emails through, they do pop
up in some of the breaches.

Kind regards

------
k4ch0w
You can find the password dumps if you are persistent enough with google and
crack the hashes yourself. You can also look into hashes.org. I'd just enforce
strong password rules all around in your domain and for the applications you
build.

~~~
who-knows95
You can download the full password database on the HIBP website on the
passwords page!

[https://haveibeenpwned.com/Passwords](https://haveibeenpwned.com/Passwords)

We do enforce password policies that match best practice, just wondering if
there is more I could do.

