Hacker News new | past | comments | ask | show | jobs | submit login

If you have JavaScript enabled, the cleartext password is hashed in the browser and the hash is truncated, and a list based on the truncated hash is retrieved to be checked against - the only information leaked is that you searched for one password amongst many. Read Troy's articles about how fishing is protected against - I have written the above from memory.

You can download all the hash files if you wish to run purely locally.

Also the site hosting Troy's list is Cloudflare. Cloudflare act as a https proxy for a large number of sites, so they already have access to a large number of passwords.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact