Use Have I Been Pwned API to check for Pwned passwords

Michel Meyers 2 years ago updated 1 year ago 4

Use the HIBP Pwned Password API (with k-anonymity) to check whether passwords being added/edited have been breached before and display a warning if they have.

Documentation on the API is here:


IMO, there should be an option to toggle and disable this, some people(including me) may not want to transmit password to that site.

I am always for options/toggles, however to clear up your misunderstanding: The HaveIBeenPwned password check does not work by transmitting the password to their site! (See the linked API documentation) Only the first 5 characters of the hashed password are transmitted and HIBP then returns all the suffix-hashes for known leaked passwords, along with a number indicating how often they've been found in public leaks, allowing you to locally compare those against the full hash of your password. (The method is called k-anonymity and described futher here: https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ ) Neither your password, nor the full SHA-1 hash ever leave your system.

Example: "Password"

SHA-1 hash: 8be3c943b1609fffbfc51aad666d0a04adf83c9d

Returns among others this suffix:


So "Password" has been found in leaks 130999 times, and is not a good password to use.

Example: "tun834v9y8n347mv834yv34"

SHA-1 hash: d896bd51f8362d72e90f00617f16bbbd571e4aa0

Checking for the suffix "d51f8362d72e90f00617f16bbbd571e4aa0" in the returned hashes returns no results, so "tun834v9y8n347mv834yv34" was not found in any leaks (yet). (Would have been a good password... now it no longer is, of course.)

Well, this was not some 'misunderstanding', it is more like a new feature(V2 API) was rolled out and people are unaware of this, this was a new addition over V1, from the author's own blog:

'Edit 2: The API model described below has subsequently been discontinued in favour of the k-anonymity model launched with V2.'


I specifically linked to the V2 API in the original suggestion.