Open mrdavi5 opened 5 years ago
It seems like a good idea, but I'm not sure about the quality of the data and its usefulness. There's also a privacy concern.
It would be great to search for `*@domain`, which GhostProject supports, but limited test searches with prominent domains revealed no results. Comparatively, there are a lot of results for common mail providers, such as `*@gmail.com`, but searches of this type are better suited for querying the exact email address. Taking this approach will result in a lot of queries (one per address), and each query is rarely likely to result in a match, and even if a match is found, the password is mostly redacted (unless you donate). On the other hand, it's possible to infer a portion of the password based on what is displayed, which is nice, and it's nice to know the email address is in the dump.
Agreed, I didn't think it would be a great idea to get full email/password responses. It was more aimed at the sense of a company using this tool itself to uncover any potential breaches from employees with a bit more detail than HIBP. I also took the assumption of only targeting GhostProject with the exact email addresses; this would then also overcome the issue with companies using @gmail.com. Perhaps there is another source for this.
Just a suggestion: the use of GhostProject.fr to query collected email addresses to retrieve partially hashed passwords to add to the information database.