5 characters- collision

pathfinder76
pathfinder76
Community Member

i know 1password used haveibeenpwned.

according the website "When you search Pwned Passwords
The Pwned Passwords feature searches previous data breaches for the presence of a user-provided password. The password is hashed client-side with the SHA-1 algorithm then only the first 5 characters of the hash are sent to HIBP per the Cloudflare k-anonymity implementation. HIBP never receives the original password nor enough information to discover what the original password was."

But if it only compares the first 5 characters, isnt there a great deal of collision, so just because it says my password was listed, does not mean it was pawned


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided

Comments

  • jvosk
    jvosk
    Community Member

    @pathfinder76 probability of a collision on the first 5 hex characters of a SHA-1 hash is 16^-5 or ~1 in 1 million. If haveibeenpwned says there's a collision, best to assume yes, you have been pwned.

  • Tertius3
    Tertius3
    Community Member
    edited January 2023

    @pathfinder76 You didn't read the complete password checking description. The first 5 characters of the hash are sent to HIBP, then HIBP sends back every hash known from some breach that starts with these 5 characters. As far as I remember, it's about 5-30 hashes you're getting this way. This is then checked by some Javascript locally in your browser, and if one of these hashes match, it's reported. HIBP doesn't get notified which of the hashes actually matched or whether one matched at all.

  • pathfinder76
    pathfinder76
    Community Member

    thanks for the explaination, that makes more sense.

    so is it "safer" to use HIBP via watchtower in 1pwd, or directly via the website?

    by safer , i mean the lowest probability of a bad actor or an accident giving someone your password

  • Tertius3
    Tertius3
    Community Member

    It's equally safe. In no case the password is transmitted. I guess more foolproof is the indirect use via watchtower, because it's checking your whole password store and not just one password, and since you don't copy+paste passwords into some input field, it cannot happen you accidentally paste it to where it doesn't belong.

  • pathfinder76
    pathfinder76
    Community Member

    when 1password sends info, it seems more "anonymously" to the hibp website, versus coming directyly from the user is is also using the password.

    is that valid

This discussion has been closed.