[laegooose]

How can a regular user validate this? A malicious or compromised site could have same explanations and API page but would actually collect passwords.

[goda90]

It lets you search based on the first 5 characters of a SHA-1 password hash. So you use a trusted tool on your own computer to hash the password you want to search, and pass in just part of it. You get multiple results, and you can then compare against the hashes yourself to see if yours is in there. There's no way for them to collect your password that way.

[Yetanfou]

This works, it doesn't send the password or hash to the server:

   #!/bin/bash
   
   baseurl="https://api.pwnedpasswords.com/range/"
   read -s pass
   hash=$(echo -n "$pass"|sha1sum)
   hashhead=${hash:0:5}
   hashtail=${hash:5:35}
   
   curl -s ${baseurl}/${hashhead}|grep ${hashtail^^}

It'll dump the hash and the number of times the given password was found. If the password is not found it won't return anything.

[E5JBK7UJPT]

You could use the API directly instead of using the webpage.

> GET https://api.pwnedpasswords.com/range/{first 5 hash chars}

The service is only receiving the first 5 hash chars and thus could not collect your password.

Or you could read the javascript code of the page when you visit it.

> var i = sha1(n).toUpperCase(),

> r = i.substring(0, 5);

> $.get('https://api.pwnedpasswords.com/range/' + r).done(function (n) ...

Or you could download the file and check it locally.

[fudged71]

I suppose someone could build a bare basic UI in something like JsFiddle that is transparently auditable and has crystal clear comments for non-technical people to see what the code does