by rincebrain 2707 days ago
You're either not reading the "how this protects your password" link that's on top of the page or claiming it's wrong. [1]

It sends the first N characters of the SHA1 hash of the password you provided to the server, the server replies with all the hashes it knows with that prefix, and then the client-side JS compares it to the rest of the hash it has.

If you don't believe me, you can look at the request said site issues for some arbitrary string - it's just the first 5 characters of the SHA1 hash, and the response from the server is as I (and that link) describe.

[1] - https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...
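
The range lookup described above, modelled end to end as an added example (this is not code from the thread or from the Pwned Passwords project): a stand-in server that only ever receives the 5-hex-character prefix and answers with SUFFIX:COUNT lines, and a client that hashes locally and matches the remaining 35 characters itself. The breach counts are constructed; the 70,617 figure for 'happy123' is simply the number quoted later in this thread, reused as sample data.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample data for the fake server: password -> times seen in breaches.
# Only the 'happy123' count is the figure quoted in the thread; the rest are made up.
CONSTRUCTED_BREACH_COUNTS = {
    "happy123": 70617,
    "password": 3,
    "correct horse battery staple": 1,
}


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-hex-char prefix, 35-hex-char suffix) of the uppercase SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def make_fake_range_server(breach_counts: Dict[str, int]) -> Callable[[str], str]:
    """Build a stand-in for the /range/<prefix> endpoint.

    It keeps only SHA-1 hashes, like the real service, and answers a prefix
    query with every SUFFIX:COUNT line sharing that prefix, CRLF-terminated.
    """
    by_prefix: Dict[str, Dict[str, int]] = {}
    for pw, count in breach_counts.items():
        prefix, suffix = split_sha1(pw)
        by_prefix.setdefault(prefix, {})[suffix] = count

    def serve(prefix: str) -> str:
        # The server refuses anything but a 5-character hex prefix, so a client
        # cannot accidentally hand it the whole hash.
        if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix.upper()):
            raise ValueError("range query must be exactly 5 hex characters")
        rows = by_prefix.get(prefix.upper(), {})
        return "".join(f"{s}:{c}\r\n" for s, c in sorted(rows.items()))

    return serve


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse SUFFIX:COUNT lines into a dict; tolerates CRLF and blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Client side: hash locally, send the prefix only, match the suffix here."""
    prefix, suffix = split_sha1(password)
    body = fetch_range(prefix)  # the only thing that crosses the wire
    return parse_range_response(body).get(suffix, 0)


if __name__ == "__main__":
    server = make_fake_range_server(CONSTRUCTED_BREACH_COUNTS)
    for pw in ("happy123", "definitely-not-in-the-sample-set"):
        print(f"{pw!r}: seen {pwned_count(pw, server)} times")
```

Swapping `fetch_range` for a function that does an HTTPS GET of `https://api.pwnedpasswords.com/range/<prefix>` gives the real check; the point of the split is that `pwned_count` never passes anything beyond `prefix` to that function, which is the property to verify in any client you are asked to trust.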


So you are trusting the HTML/CSS and javascript downloaded from troyhunt.com with your plaintext password? Not to mention various bits from cloudflare.com, and other places.

There's some code that page uses: http://az416426.vo.msecnd.net/scripts/a/ai.0.js

Note the lack of https.

You are going to trust a page with that code with your important passwords?

Sure it claims to anonymize it first, but most don't know enough code to verify it themselves.

Much like trusting curl https://whatever.com | sudo /bin/bash

Crazy.

If you are that distrusting, then do the SHA1 conversion yourself. It isn't that complicated:

  # keep only the hex digest (openssl prefixes its output with "(stdin)= "), uppercased to match the API
  sha1=$(echo -n 'happy123' | openssl sha1 | awk '{print toupper($NF)}')
  # send only the first 5 hex chars; match the remaining 35 locally (response lines are CRLF-terminated)
  result=$(curl -s "https://api.pwnedpasswords.com/range/${sha1:0:5}" \
    | tr -d '\r' | grep "^${sha1:5}:")
  echo "Count: ${result#*:}"
With that, I can see that the password 'happy123' has been "pwn'd" 70,617 times.

So your claim has gone from "it uploads the password to the server" to "you trust unverified Javascript".

No, I don't have any particular reason to trust it.

I was just pointing out that the claim you made was inaccurate.

Well it does, if you have javascript off, from the source (page says "If you submit a password in the form below, it will not be anonymised first")

Troy seems to have a fine reputation, but I don't want to trust the crown jewels (my passwords to everything) on Troy's reputation, the security of his site, cloudflare, and random javascript bits hosted in various places.

So sure the design and explanation of the page is that passwords are not uploaded. But since I can't practically verify that myself, I wouldn't upload passwords there. What's worse is even if I could audit every line of code, I couldn't guarantee other people wouldn't get a malicious version of the site.

So generally saying "Sure, type your password into a form on this webpage, I found an explanation that says it's not uploading it." is a very bad idea.

There are similarly plausible pages for things like generating SSL certs (not just CSRs), ssh keys, generating passwords for you, and similar that often have reassuring explanations that their security is just fine.

So generally never put your private key or plaintext password where a random 3rd party might read it. The promise that some anonymization process will be applied should not be enough to get you to risk it.

This reminds me of: http://bash.org/?244321

Please stop inventing claims to disagree with.

I claimed your initial unqualified statement, that it uploaded your password, was inaccurate, with both an explanation of what it was doing and the claim that I had not seen any evidence of it doing anything else.

I did not claim the site was not vulnerable to MITM or other injection attacks.

I did not claim you should trust this or any other resource with your password or any other data.