How to Check Breached Passwords Safely Using HIBP's k-Anonymity Method
Have I Been Pwned (HIBP) offers a privacy-preserving way to check whether a password has appeared in known data breaches without exposing the password itself. The technique, called k-anonymity, works by sending only the first five characters of a password's SHA-1 hash to HIBP's API, which returns hundreds of matching hash suffixes for local comparison. Because the server never receives the full hash or the original password, neither HIBP nor any network observer can determine which specific password was queried. The final match is performed entirely in the user's browser or application, keeping the credential private throughout the process. HIBP's database currently covers over 900 million breached credentials, and the API requires no authentication key, making it straightforward to integrate into signup or login flows.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in