Comment by noblinkin on 06/05/2019 at 18:08 UTC

-3 upvotes, 3 direct replies (showing 3)

View submission: How to keep your Reddit account safe


This is not a safe thing to do. Such a site could be compromised and you'll add your pass to someone's database.

Replies

Comment by Traches at 06/05/2019 at 20:15 UTC

3 upvotes, 0 direct replies

Copy-pasting a comment I made on another sub to explain why the HIBP password checker in particular is safe, and a way for you to do it manually if you're feeling more nerdy/paranoid:

It's safe because it never sends your password anywhere. It makes a SHA1 hash of your password, sends the first few characters of that hash, and receives a list of all the hashes which match those characters (which will generally be a few hundred matches), and then your browser picks out the correct one and shows it to you.

If you don't trust the website, you can do the same process yourself:

1. Use an open source tool you trust to create a SHA1 hash of the password you want to test.

2. In a web browser, go to https://api.pwnedpasswords.com/range/(first 5 characters of your hash)[1]

3. Find the rest of your hash in the list, the number after the colon is the number of instances found. If it's not in the list, that's good news! You haven't been pwned.

Example:

1: https://api.pwnedpasswords.com/range/(first 5 characters of your hash)

Using a command line tool, the SHA1 hash of 'password' is 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8

So we navigate to:

https://api.pwnedpasswords.com/range/5baa6

And in that list we find the entry that starts with 1e4c9b...., and look after the colon to find that it's been used 3645804 times and is therefore probably not a very good password.
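The three manual steps above (hash locally, send only the first five hex characters, match the remaining 35 characters against the returned list) written out as a small script. This is an added example, not code from the comment author or from Have I Been Pwned; the sample range response embedded below is constructed for the test (only the `1E4C9B...:3645804` line reproduces the figure quoted above, the other two lines are invented), and the real endpoint returns several hundred entries.

```python
import hashlib
import urllib.request
from typing import Dict, Tuple

RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the body the range endpoint returns for prefix 5BAA6.
# Format per line: <35 uppercase hex chars of the SHA-1 suffix>:<breach count>.
# The 3645804 count is the one quoted in the comment above; the other lines are
# made-up filler so the lookup has something to skip over.
SAMPLE_RANGE_RESPONSE = """\
1D2D5A8E5F2A4E6B7C8D9E0F1A2B3C4D5E6:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3645804
2F3A4B5C6D7E8F9A0B1C2D3E4F5A6B7C8D9:17
"""


def split_hash(password: str) -> Tuple[str, str]:
    """Step 1: hash locally, then split into the 5-char prefix that leaves the
    machine and the 35-char suffix that never does."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password: str) -> str:
    """Step 2: the only thing sent to the service is the 5-char prefix."""
    prefix, _ = split_hash(password)
    return RANGE_ENDPOINT + prefix


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines into a dict keyed by uppercase suffix."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Step 3: look for our suffix in the returned list; 0 means not found."""
    _, suffix = split_hash(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(password: str, timeout: float = 10.0) -> str:
    """Fetch the live range body (network access; not used by the offline demo)."""
    req = urllib.request.Request(range_url(password), headers={"User-Agent": "hibp-range-demo"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demonstration against the constructed sample response.
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", range_url(pw), "->", breach_count(pw, SAMPLE_RANGE_RESPONSE))
```

Swap `SAMPLE_RANGE_RESPONSE` for `fetch_range(pw)` to query the real service; the lookup in `breach_count` is still done locally, so the service only ever sees the prefix.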

Comment by pm-me_your_vimrc at 06/05/2019 at 18:18 UTC

3 upvotes, 0 direct replies

This website uses a k-anonymity[1] process, in such a way that you don't have to send the plain text password but just a small part of its SHA hash in order to know if it has been found in a data breach. The website never knows the passwords you are testing. Besides that, you can always download the full database from haveibeenpwned so that you don't have to rely on external services.

1: https://en.m.wikipedia.org/wiki/K-anonymity

Comment by fdebijl at 06/05/2019 at 18:20 UTC

4 upvotes, 1 direct reply

This **is** a safe thing to do, as the HIBP API uses k-anonymity[1] to circumvent having to send the plain-text password.

1: https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/