
Yeah, it would seem like it, and worse, you may drive users to adopt a 'less secure' passphrase because the first 5 characters of the hash of their super complex/long passphrase might collide with the first 5 characters of the hash of 'password1', so they may pick a weaker passphrase just to get the system to accept it?



It's intended that you compare the returned full hashes. Otherwise why would the API even return them?

This URL is the entire API. Just change the last parameter to whatever 5 characters you want:

https://api.pwnedpasswords.com/range/aaaaa

Note that the returned hashes omit the first 5 characters, since that would be a waste of resources.

You should also note that ALL possible combinations of 5 characters return at least 300 results. So it doesn't make sense to use this API any other way.
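To make the point of this comment concrete: below is an added example, written for this thread and not code from either commenter or from the Pwned Passwords project, that hashes a password, splits the SHA-1 hex into the 5-character prefix sent to the range endpoint and the 35-character suffix kept locally, and then looks the suffix up in the response. It never goes on the network: `fake_range_server` is a constructed stand-in for `GET https://api.pwnedpasswords.com/range/<prefix>` that returns a couple of made-up suffixes (plus, for the prefix of "password1", that password's real suffix with a made-up count). The response line format, `<suffix>:<count>`, is the one the real endpoint uses; the counts here are not real data.

```python
import hashlib


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """Return (prefix, suffix): 5 hex chars sent to the API, 35 kept locally."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse '<35-char suffix>:<count>' lines into {suffix: count}."""
    table = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def breach_count(password, fetch_range):
    """Correct use of the API: match the full hash, i.e. the local suffix
    against the suffixes returned for the prefix. 0 means not listed."""
    prefix, suffix = split_hash(password)
    table = parse_range_response(fetch_range(prefix))
    return table.get(suffix, 0)


def naive_prefix_hit(password, fetch_range):
    """The mistake discussed in the thread: treating 'the prefix returned
    results' as 'the password is breached'. Since every prefix returns
    results, this rejects every password, strong ones included."""
    prefix, _ = split_hash(password)
    return len(parse_range_response(fetch_range(prefix))) > 0


def fake_range_server(prefix):
    """Constructed stand-in for the range endpoint (no network access).
    Real responses carry hundreds of lines per prefix; this one carries two
    made-up decoy suffixes for any prefix, and for the prefix of 'password1'
    also that password's genuine suffix with a made-up count of 12345."""
    lines = ["0" * 34 + "A:2", "0" * 34 + "B:17"]  # decoys, 35 hex chars each
    p1_prefix, p1_suffix = split_hash("password1")
    if prefix == p1_prefix:
        lines.append(p1_suffix + ":12345")
    return "\r\n".join(lines)


if __name__ == "__main__":
    for pw in ("password1", "correct horse battery staple"):
        print(pw, "->", breach_count(pw, fake_range_server),
              "(naive prefix check says breached:",
              naive_prefix_hit(pw, fake_range_server), ")")
```

Swap `fake_range_server` for a function that performs the real HTTP request and `breach_count` works unchanged; the suffix comparison is what keeps a long passphrase from being rejected just because its first five hex characters happen to match a weak one.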



