+8

Use Have I Been Pwned API to check for Pwned passwords

Michel Meyers 5 months ago updated 1 week ago 4

Use the HIBP Pwned Password API (with k-anonymity) to check whether passwords being added/edited have been breached before and display a warning if they have.

Documentation on the API is here:

https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange

IMO, there should be an option to toggle and disable this, some people(including me) may not want to transmit password to that site.

I am always for options/toggles, however to clear up your misunderstanding: The HaveIBeenPwned password check does not work by transmitting the password to their site! (See the linked API documentation) Only the first 5 characters of the hashed password are transmitted and HIBP then returns all the suffix-hashes for known leaked passwords, along with a number indicating how often they've been found in public leaks, allowing you to locally compare those against the full hash of your password. (The method is called k-anonymity and described futher here: https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ ) Neither your password, nor the full SHA-1 hash ever leave your system.

Example: "Password"

SHA-1 hash: 8be3c943b1609fffbfc51aad666d0a04adf83c9d
API URL:
 https://api.pwnedpasswords.com/range/8be3c

Returns among others this suffix:

943B1609FFFBFC51AAD666D0A04ADF83C9D:130999

So "Password" has been found in leaks 130999 times, and is not a good password to use.

Example: "tun834v9y8n347mv834yv34"

SHA-1 hash: d896bd51f8362d72e90f00617f16bbbd571e4aa0
API URL:
 https://api.pwnedpasswords.com/range/d896b

Checking for the suffix "d51f8362d72e90f00617f16bbbd571e4aa0" in the returned hashes returns no results, so "tun834v9y8n347mv834yv34" was not found in any leaks (yet). (Would have been a good password... now it no longer is, of course.)

Well, this was not some 'misunderstanding', it is more like a new feature(V2 API) was rolled out and people are unaware of this, this was a new addition over V1, from the author's own blog:

'Edit 2: The API model described below has subsequently been discontinued in favour of the k-anonymity model launched with V2.'

https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/

I specifically linked to the V2 API in the original suggestion.