5 characters- collision
i know 1password used haveibeenpwned.
according the website "When you search Pwned Passwords
The Pwned Passwords feature searches previous data breaches for the presence of a user-provided password. The password is hashed client-side with the SHA-1 algorithm then only the first 5 characters of the hash are sent to HIBP per the Cloudflare k-anonymity implementation. HIBP never receives the original password nor enough information to discover what the original password was."
But if it only compares the first 5 characters, isnt there a great deal of collision, so just because it says my password was listed, does not mean it was pawned
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided