haveibeenpwned.com compares locally or send to remote host?

vadimm
Community Member

Hello 1Password Community,

There is a nice feature in 1Password - an integration with haveibeenpwned.com. Could someone please clarify how it works? It is not crystal clear from the description; it is very confusing. Take a look:

1Password ... sends only the first five characters of each hash to the Pwned Passwords service

the next sentence:

1Password compares them locally on your device

Locally? What? You've just said it sends to the Pwned Passwords service.

the next sentence:

Only the first five characters of each hash leave your device

Leave? You've just said "1Password compares them locally on your device".

So, it looks like the pieces of information do not match each other. I would be happy if someone could sort this out.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • MrC
    Volunteer Moderator
    edited January 2022

    @vadimm

    The first 5 chars of the hash are sent. The service replies with a list of all the hashes of breached passwords that match those first five chars. The client can then compare its local hash of the full password against that list. If there is a match, the password is on the remote list. Otherwise, it cannot be.

    https://haveibeenpwned.com/API/v3#PwnedPasswords
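
The exchange MrC describes, written out as an added example (not code from 1Password or from this thread): the client hashes the password, sends only the 5-character prefix, and compares the remaining 35 characters locally against the returned range. The range service is replaced by an offline stand-in built from a constructed sample of "breached" passwords, so nothing here touches the network.

```python
import hashlib
from typing import Callable

# Constructed sample standing in for the Pwned Passwords corpus
# (password -> number of breach appearances). Values are made up.
SAMPLE_BREACHED = {"password": 3, "123456": 9, "letmein": 2, "correcthorse": 1}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """Split a 40-char digest into the 5-char prefix that is sent to the
    service and the 35-char suffix that never leaves the device."""
    return digest[:5], digest[5:]


def simulate_range_service(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/{prefix}.
    Like the real endpoint it returns every suffix whose hash starts with
    `prefix`, one 'SUFFIX:COUNT' per line. The server only ever sees the
    prefix, so it cannot tell which (if any) of those hashes the client holds."""
    lines = []
    for pw, count in SAMPLE_BREACHED.items():
        p, s = split_hash(sha1_hex(pw))
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)


def pwned_count(password: str,
                range_lookup: Callable[[str], str] = simulate_range_service) -> int:
    """k-anonymity check: send the prefix, compare the suffix locally.
    Returns the breach count for the password, or 0 if it is not in the range."""
    prefix, suffix = split_hash(sha1_hex(password))
    body = range_lookup(prefix)  # `prefix` is the only value that leaves the device
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:  # local comparison of the full hash
            return int(count or 0)
    return 0
```

Swapping `simulate_range_service` for a function that performs the real HTTPS request keeps the client logic unchanged, which is why "sends the first five characters" and "compares locally" are both true.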

  • vadimm
    Community Member
    edited January 2022

    Thank you @MrC!
    Somehow I didn't come up with the idea of reading the haveibeenpwned.com documentation.
    Now it's very clear.

  • On behalf of MrC, you're very welcome @vadimm! :smile:

This discussion has been closed.