Use Have I Been Pwned API to check for Pwned passwords
Michel Meyers 4 years ago • updated 4 years ago • 4
Use the HIBP Pwned Password API (with k-anonymity) to check whether passwords being added/edited have been breached before and display a warning if they have.
Documentation on the API is here:
IMO, there should be an option to toggle and disable this; some people (including me) may not want to transmit their password to that site.
I am always for options/toggles, however to clear up your misunderstanding: The HaveIBeenPwned password check does not work by transmitting the password to their site! (See the linked API documentation) Only the first 5 characters of the hashed password are transmitted and HIBP then returns all the suffix-hashes for known leaked passwords, along with a number indicating how often they've been found in public leaks, allowing you to locally compare those against the full hash of your password. (The method is called k-anonymity and described further here: https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ ) Neither your password, nor the full SHA-1 hash ever leave your system.
SHA-1 hash: 8be3c943b1609fffbfc51aad666d0a04adf83c9d
API URL: https://api.pwnedpasswords.com/range/8be3c
Returns among others this suffix:
So "Password" has been found in leaks 130999 times, and is not a good password to use.
SHA-1 hash: d896bd51f8362d72e90f00617f16bbbd571e4aa0
API URL: https://api.pwnedpasswords.com/range/d896b
Checking for the suffix "d51f8362d72e90f00617f16bbbd571e4aa0" in the returned hashes returns no results, so "tun834v9y8n347mv834yv34" was not found in any leaks (yet). (Would have been a good password... now it no longer is, of course.)
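A runnable version of the check walked through above, added here as an illustration and not code from the original post or from the project the request is filed against: it hashes the password with SHA-1, sends only the 5-character prefix, and compares the 35-character suffix locally. A live `fetch_range` helper is included, but the demo runs offline against a constructed stand-in response for prefix `8be3c`; the `130999` count in it is the one quoted in the thread, while the other two suffixes in the sample are made-up filler. The `Add-Padding` request header and the count-0 padding entries it produces are a real feature of the HIBP range API; everything else named here is this example's own.

```python
from __future__ import annotations

import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the HIBP range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """Split a 40-char SHA-1 into the 5-char prefix that is sent and the 35-char suffix that stays local."""
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Live lookup: only the prefix goes on the wire. (Not called by the offline demo below.)"""
    if len(prefix) != 5:
        raise ValueError("k-anonymity range query takes exactly 5 hex characters")
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"User-Agent": "pwned-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    With Add-Padding, HIBP mixes in dummy suffixes with count 0 so the response
    size does not reveal how many real hashes share the prefix; those are dropped.
    """
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35:
            raise ValueError(f"malformed range line: {line!r}")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def breach_count(password: str, fetch=fetch_range) -> int:
    """Return how many times the password appears in HIBP's corpus (0 = not found)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed stand-in for GET /range/8be3c so the demo runs offline. The 130999 count is
# the one quoted in the thread; the other two suffixes are made-up filler (the last one
# is a count-0 padding entry of the kind Add-Padding produces).
SAMPLE_RANGE_8BE3C = """\
00A1B2C3D4E5F60718293A4B5C6D7E8F901:3
943B1609FFFBFC51AAD666D0A04ADF83C9D:130999
FFEEDDCCBBAA99887766554433221100FFE:0
"""


def offline_fetch(prefix: str) -> str:
    """Fake fetch used in place of the network call; verifies that only a prefix was requested."""
    assert len(prefix) == 5
    return SAMPLE_RANGE_8BE3C if prefix == "8BE3C" else ""


if __name__ == "__main__":
    for pw in ("Password", "tun834v9y8n347mv834yv34"):
        n = breach_count(pw, fetch=offline_fetch)
        verdict = f"seen {n} times in leaks, do not use" if n else "not in the sample range data"
        print(f"{pw!r}: {verdict}")
```

The only value that ever leaves the client is the 5-character prefix, which (at the size of the HIBP corpus) maps to hundreds of suffixes, so the server cannot tell which one the caller cares about; the suffix comparison is a plain dictionary lookup on the caller's side. Dropping count-0 entries matters when padding is enabled, otherwise a padded dummy suffix could be mistaken for a real hit.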
Well, this was not some 'misunderstanding'; it is more like a new feature (V2 API) was rolled out and people are unaware of this. This was a new addition over V1; from the author's own blog:
'Edit 2: The API model described below has subsequently been discontinued in favour of the k-anonymity model launched with V2.'
I specifically linked to the V2 API in the original suggestion.