Your comments

I specifically linked to the V2 API in the original suggestion.

I am always for options/toggles, however to clear up your misunderstanding: The HaveIBeenPwned password check does not work by transmitting the password to their site! (See the linked API documentation) Only the first 5 characters of the hashed password are transmitted and HIBP then returns all the suffix-hashes for known leaked passwords, along with a number indicating how often they've been found in public leaks, allowing you to locally compare those against the full hash of your password. (The method is called k-anonymity and described further here: ) Neither your password, nor the full SHA-1 hash ever leave your system.

Example: "Password"

SHA-1 hash: 8be3c943b1609fffbfc51aad666d0a04adf83c9d

Returns among others this suffix:


So "Password" has been found in leaks 130999 times, and is not a good password to use.

Example: "tun834v9y8n347mv834yv34"

SHA-1 hash: d896bd51f8362d72e90f00617f16bbbd571e4aa0

Checking for the suffix "d51f8362d72e90f00617f16bbbd571e4aa0" in the returned hashes returns no results, so "tun834v9y8n347mv834yv34" was not found in any leaks (yet). (Would have been a good password... now it no longer is, of course.)
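The k-anonymity range check described in the comment above, as an added Python example that is not the page's own code nor HIBP's library: it hashes the password locally, sends only the 5-character SHA-1 prefix, and compares the returned suffixes against the rest of the hash on the client. The default `fetch` is a constructed offline stand-in for the range response (with the comment's own count of 130999 for "Password" and two made-up filler suffixes); `fetch_range_live` shows the same call against the public api.pwnedpasswords.com range endpoint and is only used when you opt in.

```python
import hashlib
from typing import Callable, Dict, List


def split_hash(password: str):
    """SHA-1 the password locally; only the first 5 hex chars ever leave the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (one per known hash sharing the prefix) into a dict."""
    results: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        results[suffix.upper()] = int(count)
    return results


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in known leaks (0 = not found).

    The comparison of the 35-character suffix happens here, client-side, so the
    server learns only which of ~hundreds of hashes with that prefix we might hold.
    """
    prefix, suffix = split_hash(password)
    suffixes = parse_range_response(fetch_range(prefix))
    return suffixes.get(suffix, 0)


def make_constructed_fetch(leaked: Dict[str, int]) -> Callable[[str], str]:
    """Constructed offline stand-in for the range API (not real HIBP data).

    `leaked` maps plaintext passwords to leak counts; the fake server indexes
    them by prefix and pads every answer with unrelated filler suffixes.
    """
    table: Dict[str, List[str]] = {}
    for pw, count in leaked.items():
        prefix, suffix = split_hash(pw)
        table.setdefault(prefix, []).append(f"{suffix}:{count}")

    # Two constructed 35-char suffixes so a response never identifies the hit alone.
    filler = [
        "0123456789ABCDEF0123456789ABCDEF012:3",
        "FEDCBA9876543210FEDCBA9876543210FED:1",
    ]

    def fetch(prefix: str) -> str:
        return "\r\n".join(table.get(prefix, []) + filler)

    return fetch


def fetch_range_live(prefix: str) -> str:
    """Real range lookup (network); sends the 5-char prefix only."""
    import urllib.request

    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "k-anonymity-demo"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demo with the two passwords from the comment above.
    fetch = make_constructed_fetch({"Password": 130999})
    for pw in ("Password", "tun834v9y8n347mv834yv34"):
        n = pwned_count(pw, fetch)
        verdict = f"found {n} times, do not use" if n else "not found in this (constructed) range"
        print(f"{pw!r}: {verdict}")
```

Swap `fetch` for `fetch_range_live` to run the real check; nothing else in the client changes, which is the point of the design: the privacy property comes from what is sent (the prefix), not from trusting the server.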

Yes. The PHP library linked from there should be the same one I linked to in the original post. (That github repo also includes examples.)

Not necessarily. Yubico makes U2F compliant keys, but also has their own authentication methods (like the Yubico OTP implementation proposed in the linked feature request). FIDO U2F is an open standard backed by the FIDO alliance ( and thus other manufacturers also make U2F keys. (See Amazon for an example selection:

I do believe most Yubico keys support U2F (at least if this table can be believed ) as they are a big proponent of the standard (which is probably also why they wrote the linked PHP library for it).