top | item 20462170

throwaway66666 | 6 years ago

But... will mozilla or the people behind haveibeenpwned know I am using a pwned password? Basically, by checking if you are under risk, do you leak info to 3rd parties that can be used against you, before having the opportunity to protect yourself? Is there any info about the near-zero knowledge protocol somewhere? It's a fascinating topic for sure.

justusthane|6 years ago

Nope. Read the section on k-anonymity here: https://www.troyhunt.com/were-baking-have-i-been-pwned-into-...

Essentially, the client hashes the password and then only sends the first 5 characters of the hash to HIBP. HIBP then returns the hashes of every password whose hash begins with the same characters (approx 477 matches, according to the article), and then it's up to the client to determine if there's a match.

prepend|6 years ago

I like that the approach reduces the risk, but this isn’t sufficient for me to actually trust a third party. The article calls out an example where the five character hash prefix has 477 matches in the password file.

That’s a ridiculously small number of possible values for a powerful actor trying to crack a password.

drexlspivey|6 years ago

No they don't. The browser hashes the password, then sends the first 5 hex digits of the hash to haveibeenpwned. HIBP replies with all the hashes of leaked passwords that start with these 5 digits and the browser then checks to see if the hash is in the list.
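The exchange that justusthane and drexlspivey describe above, as an added example that is not part of this thread or of HIBP's own code: the client SHA-1 hashes the password, sends only the first five hex characters, the server answers with every suffix it has under that prefix, and the match is decided locally. The leaked-password corpus and its counts are constructed for the example; the real range endpoint (https://api.pwnedpasswords.com/range/{prefix}) returns the same information as text lines of the form SUFFIX:COUNT, but this version runs offline against a local dictionary.

```python
import hashlib

# Constructed stand-in for the HIBP data set: plaintext -> number of breaches.
# Only the server side of this example ever touches it.
LEAKED = {"password": 3, "123456": 5, "letmein": 1, "hunter2": 2}

# What the server has been able to observe, so the leakage can be inspected.
SERVER_LOG = []

PREFIX_LEN = 5


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the hash form HIBP uses for Pwned Passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(leaked: dict) -> dict:
    """Server side: bucket hash suffixes by their 5-char prefix (the 'range')."""
    index = {}
    for pw, count in leaked.items():
        h = sha1_hex(pw)
        index.setdefault(h[:PREFIX_LEN], []).append((h[PREFIX_LEN:], count))
    return index


INDEX = build_index(LEAKED)


def range_lookup(prefix: str) -> list:
    """Server side: the range endpoint. It receives only the prefix and
    returns every (suffix, count) pair whose hash starts with it."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    SERVER_LOG.append(prefix)
    return sorted(INDEX.get(prefix, []))


def pwned_count(password: str) -> int:
    """Client side: hash locally, send the prefix, compare suffixes locally.
    Returns the breach count, or 0 if the password is not in the corpus."""
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    for cand_suffix, count in range_lookup(prefix):
        if cand_suffix == suffix:
            return count
    return 0


def server_ever_saw_full_hash() -> bool:
    """True only if anything longer than a prefix reached the server."""
    return any(len(entry) != PREFIX_LEN for entry in SERVER_LOG)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", pwned_count(candidate))
    print("server saw:", SERVER_LOG)
    print("server saw a full hash:", server_ever_saw_full_hash())
```

With a real corpus of hundreds of millions of hashes every prefix is shared by several hundred entries (the 477 figure quoted above), so the server learns which range was asked about but not which of those hashes, if any, belonged to the user's password.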

tialaramex|6 years ago

Search for Pwned Passwords k-anonymity for a description of how this works technically.

No, only you (well, your computer) knows if your password was found.