this post was submitted on 12 Jul 2025
166 points (94.6% liked)

Fuck AI

[–] crazycraw@crazypeople.online 51 points 7 hours ago (5 children)

this is basically

“see if your credit card has been hacked by entering it below!”

[–] DaTingGoBrrr@lemmy.ml 9 points 6 hours ago* (last edited 6 hours ago) (4 children)

I get the same vibes from https://haveibeenpwned.com/Passwords

I know the site is made by a security researcher but still. It doesn't feel completely safe to give them my passwords.

[–] kautau@lemmy.world 5 points 3 hours ago

Except you’re not

https://haveibeenpwned.com/API/v3#PwnedPasswords

Your computer is basically sending a part of your password (the first five characters), and if the server responds positively to a match, it sends all the other possible combinations and your computer looks to see if it matches the rest based on what you typed.

For more information

https://en.wikipedia.org/wiki/K-anonymity

It’s always good to be cautious, but it’s especially important to know how tech works, especially good tech, when it can have immense benefit

[–] JPAKx4@lemmy.blahaj.zone 11 points 5 hours ago

That is the correct way of thinking, never trust anything with your passwords.

I was curious about what haveibeenpwned does, so I took a look at what the network tab in dev tools said was actually sent. When I type a password (say password123) and press check, it runs a function that hashes it with the "SHA-1" hash function and then sends the first 5 characters of the result. The response is over a thousand lines in the format of 35 hash characters:number of breaches.

If any of these hashes are the start of your original hash, you now know it's exposed and how many times it's been exposed.
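
An added example (not part of any comment in this thread and not HIBP's own code): the range lookup discussed above, run offline against a constructed response so it shows what leaves the machine and what is compared locally. The endpoint URL and the SUFFIX:COUNT line format are those of the documented Pwned Passwords range API; the function names and the sample response are assumptions made for illustration.

```python
import hashlib

# Documented Pwned Passwords range endpoint; the 5-character hash prefix is appended.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix sent to the server, 35-char suffix kept locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def request_url(password: str) -> str:
    """The only password-derived data in the request is the hash prefix."""
    prefix, _ = split_hash(password)
    return RANGE_URL + prefix


def breach_count(password: str, range_body: str) -> int:
    """Search the SUFFIX:COUNT lines for our suffix; 0 means no match."""
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if not sep or len(candidate) != 35 or not count.isdigit():
            continue  # skip blank or malformed lines
        if candidate.upper() == suffix:
            # Padded responses carry filler rows with count 0, which
            # therefore also read as "not found".
            return int(count)
    return 0


def constructed_response(password: str, count: int) -> str:
    """Constructed sample body (not real API output): decoy rows plus our suffix."""
    _, suffix = split_hash(password)
    decoys = [hashlib.sha1(f"decoy-{i}".encode()).hexdigest().upper()[5:]
              for i in range(3)]
    rows = [f"{decoys[0]}:4", f"{decoys[1]}:0",
            f"{suffix}:{count}", f"{decoys[2]}:17"]
    return "\r\n".join(rows)


if __name__ == "__main__":
    body = constructed_response("password123", 1234)
    print(request_url("password123"))
    print(breach_count("password123", body))
    print(breach_count("correct horse battery staple", body))
```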

[–] BudgetBandit@sh.itjust.works 3 points 6 hours ago

While I get your concern, I, and loads of other nerds, trust them.

[–] crazycraw@crazypeople.online 1 points 5 hours ago

I wouldn't recommend providing any current passwords, but it could be used to determine any recent/previous compromises.