When registering, we offer users an option to verify the security of their password. We do this using Have I Been Pwned's “Pwned Passwords” API, which contains SHA-1 hashes of passwords found in public (and sometimes private) database breaches. This is entirely optional, and we do not force users to register with passwords that have not been found in these breaches. However, we very strongly recommend that you use this feature. At the time of writing, we have almost 80,000 users, and we frequently see users have their accounts breached due to using insecure passwords. Below, you'll find a step-by-step description of how we verify the security of your password.
First, we hash the user's password with SHA-1 (don't worry, we don't use this for storing passwords in our database, as SHA-1 is insecure for such a task), and we provide the first 5 characters (prefix) of that hash to the Pwned Passwords API. For example, the SHA-1 hash of “password” is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8. We take the prefix of this hash and query the aforementioned API like so:
https://api.pwnedpasswords.com/range/5BAA6
You can visit the above URL to see an example response.
The response from Pwned Passwords contains a list of password hashes whose prefix matches the one we provided. The hashes in the response have the prefix removed. Some example response lines look like this:
003CD215739D7C1B2218670D26F81408237:1
003D68EB55068C33ACE09247EE4C639306B:4
012C192B2F16F82EA0EB9EF18D9D539B0DD:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9636205
Each line is the rest of the hash followed by the number of times that hash has been seen in a database breach. The two values are delimited by a colon (":").
We then take the last 5 characters of the user's password hash (suffix) and search the Pwned Passwords response for a password hash whose suffix matches that of the user's provided password. You may have noticed that in the above response, the hash 1E4C9B93F3F0682250B6CF8331B7EE68FD8:9636205 provides us with a match. Not only does the prefix match, but the suffix matches as well. From here, we reject the user's registration if they have chosen to verify their password.
Have I Been Pwned uses the k-Anonymity model, which means that they do not need to be given the user's full password for us to be able to check for matches. As you can see above, we only need to provide the prefix, and we do the rest locally based on the response provided.
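The lookup described in the steps above, as an added example in Python (not this site's own code). It compares the full 35-character remainder of the hash, which is stricter than the five-character suffix comparison described above and rules out coincidental matches; the function names are hypothetical, and the sample body reuses the response lines quoted on this page.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # endpoint shown on this page

# Sample response body for prefix 5BAA6, built from the lines quoted above.
SAMPLE_BODY = (
    "003CD215739D7C1B2218670D26F81408237:1\r\n"
    "003D68EB55068C33ACE09247EE4C639306B:4\r\n"
    "012C192B2F16F82EA0EB9EF18D9D539B0DD:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9636205\r\n"
)

def split_hash(password):
    """Return (prefix, remainder): 5 hex chars sent to the API, 35 kept locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse 'REMAINDER:COUNT' lines into a dict, skipping malformed lines."""
    counts = {}
    for line in body.splitlines():
        remainder, sep, count = line.strip().partition(":")
        if sep and len(remainder) == 35 and count.isdigit():
            counts[remainder.upper()] = int(count)
    return counts

def breach_count(password, fetch):
    """Breach count for password (0 if absent); only the prefix is passed to fetch."""
    prefix, remainder = split_hash(password)
    return parse_range(fetch(prefix)).get(remainder, 0)

def fetch_live(prefix):
    """Network fetch (hypothetical helper); not used by the offline demo below."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def fetch_sample(prefix):
    """Offline stand-in that serves the sample body for prefix 5BAA6 only."""
    return SAMPLE_BODY if prefix == "5BAA6" else ""

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate, fetch_sample)
        print(candidate, "->", "reject" if n else "accept", n)
```

Pass fetch_live instead of fetch_sample to query the real API; in either case the password and the 35-character remainder never leave the process.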
In summary, this is just another feature we use to help users be secure on our service. We strongly recommend that you use it if you wish to be just that little bit more secure when it comes to your online accounts.