
The very passwords:

"k-anonymity" model which works like this: when searching HIBP for a password, the client SHA-1 hashes it then ... sends this to the API.

https://www.troyhunt.com/were-baking-have-i-been-pwned-into-...



According to the description in the linked article, only the first 5 characters of the hash of the password are sent to the API (and that API is not publicly available in the first place, apparently, but can only be accessed via Mozilla or 1Password's own APIs).

What exactly appears to be the problem?

The reasoning for this feature is clearly laid out, and the underlying "ethics of running a database breach search service", while controversial, are also something Troy has thought about very carefully:

https://www.troyhunt.com/the-ethics-of-running-a-data-breach...
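The range query that comment describes, as an added example (not code from the linked article or from HIBP): the client hashes the password locally, sends only the first 5 hex characters of the SHA-1 digest, receives every stored suffix in that bucket, and does the final comparison itself. The server side is simulated with a small constructed corpus; the `suffix:count` line format follows the Pwned Passwords range API.

```python
import hashlib

# Constructed sample corpus standing in for the server-side breach data set.
# These are made-up passwords and counts, not real HIBP data.
_CONSTRUCTED_CORPUS = {
    "password123": 3,
    "letmein": 7,
    "correct horse battery staple": 1,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 digest of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_k_anonymity(password: str) -> tuple:
    """Client side: hash locally, then split the digest into the 5-character
    prefix that is sent and the 35-character suffix that stays on the client."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def simulated_range_response(prefix: str) -> str:
    """Stand-in for the server's /range/{prefix} answer: every corpus digest
    starting with `prefix`, returned as 'SUFFIX:COUNT' lines. The server sees
    only the prefix, so it cannot tell which suffix (if any) the client holds."""
    lines = []
    for pw, count in sorted(_CONSTRUCTED_CORPUS.items()):
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def lookup_locally(suffix: str, response: str) -> int:
    """Client side: scan the returned bucket for an exact suffix match.
    Returns the breach count, or 0 when the password is not in the bucket."""
    for line in response.splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def pwned_count(password: str) -> int:
    """Full round trip: prefix out, bucket back, match decided on the client."""
    prefix, suffix = split_for_k_anonymity(password)
    return lookup_locally(suffix, simulated_range_response(prefix))
```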


> What exactly appears to be the problem?

My trusted browser should not send out any sensitive information.


Yeah, but that's not sensitive information.


You'd be surprised ... :)


... yes, I would be surprised if the SHA1 of the first 5 chars of a password was sensitive. If I'm missing something, please share.


This implementation has no value to potential attackers. Anything it could - if it could - help you with, you can already do without it.



