undefined | Better HN

0 pointsTheMaskedCoder3y ago0 comments

> you transmit 5 characters of the SHA1 hash of the email address

You don't use email addresses at all with Pwned Passwords. The documentation says "first 5 characters of a SHA-1 password hash", not email-address hash.

HIBP does not have a way to search for which password hashes are associated with a given email address, as this would be far more useful to attackers than to victims. The only data that Pwned Passwords exposes is a list of password hashes and the number of times that hash was used. The expectation is that even if that leaked password was actually for someone else's account, you still shouldn't be using it.

0 comments

jeroenhd3y ago

Whoops, you're right, got the API confused. You can't just search for email addresses.

Still, though, you can implementtthis check every time someone logs in (and the password is transfered over the wire) which should catch most bad passwords/password reuse cases.

j / k navigate · click thread line to collapse

0 comments

jeroenhd3y ago

Whoops, you're right, got the API confused. You can't just search for email addresses.

Still, though, you can implementtthis check every time someone logs in (and the password is transfered over the wire) which should catch most bad passwords/password reuse cases.

j / k navigate · click thread line to collapse