
Using Have I Been Pwned to Prevent Your Users from Using Breached Passwords - caseysoftware
https://developer.okta.com/blog/2018/06/11/how-to-prevent-your-users-from-using-breached-passwords
======
craftyguy
OT: why does this website "need" javascript just to display _any_ article
text?

------
joombaga
> Secure: no passwords are ever stored or shared over the network. PassProtect
> uses k-Anonymity which means that the only thing that is sent over the
> network are the first 5 characters of the password hash

I haven't heard of k-Anonymity, so maybe I'm misunderstanding, but wouldn't
there be a high rate of collision if you're only testing 5 characters? Seems
like you'd match a lot of uncompromised hashes.

~~~
craftyguy
Yea it would seem like it, and worse you may drive users to adopt a 'less
secure' passphrase because the first 5 characters of the hash of their super
complex/long passphrase might collide with the first 5 characters of the hash
of 'password1', so they may pick a weaker passphrase just to get the system to
accept it?

~~~
jazoom
It's intended that you compare the returned full hashes. Otherwise why would
the API even return them?

This URL is the entire API. Just change the last parameter to whatever 5
characters you want:

[https://api.pwnedpasswords.com/range/aaaaa](https://api.pwnedpasswords.com/range/aaaaa)

Note that the returned hashes omit the first 5 characters, since that would be
a waste of resources.

You should also note that ALL possible combinations of 5 characters return at
least 300 results. So it doesn't make sense to use this API any other way.
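
An added example, not code from this thread or from the linked Okta article, showing the comparison jazoom describes: hash locally, send only the first 5 hex characters of the SHA-1, and match the remaining 35-character suffix against the returned list on the client side. `fake_fetch_range` and its response body are constructed stand-ins for the real `/range/<prefix>` endpoint (a real client would GET `https://api.pwnedpasswords.com/range/<prefix>` there).

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest form the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str):
    """Return (prefix sent over the network, suffix that never leaves the client)."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines (prefix omitted by the API) into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times `password` appears in the corpus; 0 means no full-hash match.

    fetch_range(prefix) must return the response body for /range/<prefix>.
    Only the 5-character prefix is handed to it; the suffix is compared locally.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


# Constructed offline stand-in for the API (hypothetical, not live data).
_PW1_PREFIX, _PW1_SUFFIX = split_hash(sha1_hex("password1"))
_CONSTRUCTED_BODY = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",  # made-up neighbour in the bucket
    f"{_PW1_SUFFIX}:2401761",                 # planted entry for 'password1'
    "011053FD0102E94D6AE2F8B83D76FAF94F6:1",  # made-up neighbour in the bucket
])


def fake_fetch_range(prefix: str) -> str:
    """Every prefix returns a non-empty bucket, as the comment above notes."""
    if prefix == _PW1_PREFIX:
        return _CONSTRUCTED_BODY
    return "0" * 34 + "A:1\n"
```

A prefix collision alone (the concern raised upstream) never yields a match here: only an equal 35-character suffix counts.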

------
ry_ry
A few years ago I added a feature to the site I worked on at the time, where
it would reject correcthorsebatterystaple as a password with an error message
acknowledging their impeccable taste and a link to a relevant xkcd.

At some point they made a number and a special character a requirement in the
password and the code was either stripped (or still sat there and never
triggered). The irony isn't entirely lost on me.

