by timothy-quinn 2189 days ago
I've always found HIBP in this funny conflicting situation - on one hand you should never provide your email or password to a 3rd party service because it's probably malicious, but on the other hand in HIBP's case it's very evidently not malicious, so it's totally fine. But it's evident only if you follow Troy for a while to see what he's doing.

I think it's a good study in game theory at the least.


You don’t have to send the password to determine if it’s pwned... they have a hashing scheme to determine if a password was in any leaks.

See https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByR...

How can a regular user validate this? A malicious or compromised site could have same explanations and API page but would actually collect passwords.
It lets you search based on the first 5 characters of a SHA-1 password hash. So you use a trusted tool on your own computer to hash the password you want to search, and pass in just part of it. You get multiple results, and you can then compare against the hashes yourself to see if yours is in there. There's no way for them to collect your password that way.
This works, it doesn't send the password or hash to the server:

    #!/bin/bash
    # Hash the password locally; only the first 5 hex chars of the SHA-1 go to the API.

    baseurl="https://api.pwnedpasswords.com/range/"
    read -rs pass                                   # -s hides input, -r keeps backslashes literal
    hash=$(printf '%s' "$pass" | sha1sum | cut -d' ' -f1)   # 40 hex chars, drop sha1sum's trailing " -"
    hashhead=${hash:0:5}                            # sent to the server
    hashtail=${hash:5:35}                           # stays on this machine

    # Response lines are "SUFFIX:COUNT" in upper case; ${hashtail^^} upper-cases our suffix (bash 4+).
    # Anchor the match so only a full 35-char suffix at the start of a line counts.
    curl -s "${baseurl}${hashhead}" | grep "^${hashtail^^}:"
It'll dump the hash and the number of times the given password was found. If the password is not found it won't return anything.
You could use the API directly instead of using the webpage.

> GET https://api.pwnedpasswords.com/range/{first 5 hash chars}

The service is only receiving the first 5 hash chars and thus could not collect your password.

Or you could read the javascript code of the page when you visit it.

> var i = sha1(n).toUpperCase(),

> r = i.substring(0, 5);

> $.get('https://api.pwnedpasswords.com/range/' + r).done(function (n) ...

Or you could download the file and check it locally.

I suppose someone could build a bare basic UI in something like JsFiddle that is transparently auditable and has crystal clear comments for non-technical people to see what the code does
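The range lookup described in the two comments above (hash locally, send the 5-char prefix, match the 35-char suffix yourself), as an added example that is not code from the page or from HIBP. The network call is swapped for a recording stand-in so it runs offline and so you can see exactly what a server receives; `fetch_range_live` does the real GET against the endpoint quoted above. The sample response body is constructed for the demo: the first suffix is the real tail of SHA-1("password"), the other lines and all counts are made up.

```python
"""k-anonymity lookup against the Pwned Passwords range API (added example)."""
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # endpoint quoted on the page


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password locally and split the upper-case hex digest into the
    5-char prefix that is sent and the 35-char suffix that never leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines returned by GET /range/{prefix}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35:
            raise ValueError(f"malformed range line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts


def lookup_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = not found).
    fetch_range is handed only the 5-char prefix; matching is done client-side."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real network fetch; not used by the offline demo below."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


class RecordingServer:
    """Stand-in for the API that records what it was asked for, to show that
    neither the password nor the full hash ever reaches it."""

    def __init__(self, body: str) -> None:
        self.body = body
        self.requests: List[str] = []

    def __call__(self, prefix: str) -> str:
        self.requests.append(prefix)
        return self.body


# Constructed sample response for bucket 5BAA6 (SHA-1("password") starts 5BAA61E4...).
# Only the first suffix is real; the other suffixes and every count are made up.
SAMPLE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234
0018A45C4D1DEF81644B54AB7F969B88D65:2
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:7
"""

if __name__ == "__main__":
    server = RecordingServer(SAMPLE_RESPONSE)
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r} -> {lookup_count(pw, server)}")
    print("server saw only these prefixes:", server.requests)
```

The prefix is 20 bits, so every request lands in one of about a million buckets each holding hundreds of real suffixes; the server learns which bucket you asked about and nothing else, which is why auditing the client (the bash script above, or the page's own JavaScript) is enough to trust the scheme.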
Exactly - but the reactions I saw when he first released Pwned Passwords were "this is a malicious tool, don't give your password to anyone". Even if you're hitting the API from your own service, you need the entire password first to submit the partial hash to the API.

We who understand what's going on know it's perfectly fine, but it's hard to get that message across. Just like the first time you try to explain what a hash is to a non-technical person.