Hacker News new | ask | show | jobs
by taf2 2193 days ago
You don’t have to send the password to determine if it’s pwned... they have a hashing scheme to determine if a password was in any leaks.

See https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByR...
2 comments
laegooose 2193 days ago
How can a regular user validate this? A malicious or compromised site could have same explanations and API page but would actually collect passwords.
link
goda90 2193 days ago
It lets you search based on the first 5 characters of a SHA-1 password hash. So you use a trusted tool on your own computer to hash the password you want to search, and pass in just part of it. You get multiple results, and you can then compare against the hashes yourself to see if yours is in there. There's no way for them to collect your password that way.
link
Yetanfou 2193 days ago
This works, it doesn't send the password or hash to the server:

   #!/bin/bash
   
   baseurl="https://api.pwnedpasswords.com/range/"
   read -s pass
   hash=$(echo -n "$pass"|sha1sum)
   hashhead=${hash:0:5}
   hashtail=${hash:5:35}
   
   curl -s ${baseurl}/${hashhead}|grep ${hashtail^^}
It'll dump the hash and the number of times the given password was found. If the password is not found it won't return anything.
link
E5JBK7UJPT 2193 days ago
You could use the API directly instead of using the webpage.

> GET https://api.pwnedpasswords.com/range/{first 5 hash chars}

The service is only receiving the first 5 hash chars and thus could not collect your password.

Or you could read the javascript code of the page when you visit it.

> var i = sha1(n).toUpperCase(),

> r = i.substring(0, 5);

> $.get('https://api.pwnedpasswords.com/range/' + r).done(function (n) ...

Or you could download the file and check it locally.

link
fudged71 2193 days ago
I suppose someone could build a bare basic UI in something like JsFiddle that is transparently auditable and has crystal clear comments for non-technical people to see what the code does
link
timothy-quinn 2193 days ago
Exactly - but the reactions I saw when he first released Pwned Passwords was "this is a malicious tool, don't give your password to anyone". Even if you're hitting the API from your own service, you need the entire password first to submit the partial hash to the API.

We who understand what's going on know it's perfectly fine, but it's hard to get that message across. Just like the first time you try to explain what a hash is to a non-technical person.

link