
HaveIBeenPwned has been around for ages and it does not send your password to the server - you can check it with the browser console. It hashes it, sends a range of the hash to the server, the server replies with a list of hashes that match that range, and it's checked locally for a match.


Still, I would not trust that. The password could be leaked through other means, for example by setting a timer and exfiltrating fragments of it across future requests.

The website loads some external fonts and spits out many warnings in the console by default. Does not instill confidence in the truly paranoid hacker.


You can hash yourself and check against the API with 5 lines of Python.


That level of care is warranted, but you'll find that you are given the tools to audit and it will pass.


You can check it yourself by looking up the hash prefix and searching for your hashed password.

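The range-query check the comments above describe, written out as an added example (not code from HIBP or from any commenter). It assumes the documented Pwned Passwords endpoint `https://api.pwnedpasswords.com/range/<5-hex-prefix>` and its response format of `SUFFIX:COUNT` lines; the `Add-Padding` header and the padding entries with a count of 0 are a documented feature of that API. Only the five-character SHA-1 prefix ever leaves the machine; the sample response body and its counts are constructed here so the check runs offline.

```python
import hashlib
import urllib.request

# Real endpoint: the server receives only the first 5 hex chars of SHA-1(password).
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password.

    The 5-char prefix is what gets sent; the 35-char suffix stays local.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """Search a 'SUFFIX:COUNT' range response locally for our suffix.

    Returns the breach count, or 0 if absent. Padding entries (added when the
    Add-Padding header is sent) carry a count of 0, so they naturally read as
    'not found' even if one happened to match.
    """
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix):
    """Network fetch of one hash range. Not used by the offline test below."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password, fetch=fetch_range):
    """Return how many times the password appears in the corpus (0 = not seen).

    `fetch` is injectable so the protocol can be exercised without network access.
    """
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed sample response for prefix 5BAA6 (SHA-1("password") starts with it).
# The counts are made up for this example; the last line imitates a padding entry.
SAMPLE_RANGE_BODY = """\
1D2E8F4A0B3C5D6E7F80912A3B4C5D6E7F8:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
2AB1C2D3E4F5061728394A5B6C7D8E9F001:0
"""


if __name__ == "__main__":
    # Offline demonstration; swap fetch=fetch_range for a live query.
    print(check_password("password", fetch=lambda p: SAMPLE_RANGE_BODY))
```

The injectable `fetch` is also the auditing hook the thread is talking about: wrap it to log what it is given, and you can confirm that nothing but a five-character hex prefix is ever handed to the network layer.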

Man, there's a ton of non-obvious ways they could exfiltrate that. I'm not going to read their code.



