Free k-Anonymity Breach Protocol
Querying massive breach databases without giving away your password.
The Problem with Checking Passwords
You want to know if your password was leaked in a past data breach. But if you type your password into a website to check, you are handing that site your password. Even if the transmission is encrypted, the receiving server learns your credential.
The k-Anonymity Solution
k-Anonymity allows you to query a massive database (like HaveIBeenPwned) while blending your request into a crowd. First, your browser hashes your password locally using SHA-1. It then takes only the first 5 characters of that 40-character hex hash and sends them to the API.
Local Resolution
The API responds with hundreds of thousands of password hash suffixes that happen to start with those same 5 characters, along with their breach counts. Your browser then performs a fast, local check to see whether the remaining 35 characters of your hash appear in that downloaded list. Because only the 5-character prefix ever leaves your device, the API operator learns nothing about your actual password beyond that prefix, which it shares with every other hash in the returned range.
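The client side of the exchange above, as an added example that is not code from this page or from HaveIBeenPwned: it runs offline against a constructed range response, with `fake_range_lookup` standing in for the HTTPS request and all counts and non-matching suffixes invented.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the API's range response for prefix "5BAA6":
# one "SUFFIX:COUNT" line per leaked hash sharing that prefix (counts invented).
FAKE_RANGE_RESPONSES = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",  # SHA-1("password") minus its prefix
        "FF36DC7D3284A39EF4E2D5F7F8A8D1C2B4E:1",
    ]),
}

def split_hash(password: str) -> Tuple[str, str]:
    """Hash locally; only the 5-char prefix leaves the device, the 35-char suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; tolerates blank lines and CRLF."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def fake_range_lookup(prefix: str, sent_prefixes: List[str]) -> str:
    """Stand-in for the HTTPS range request; records exactly what the operator would see."""
    sent_prefixes.append(prefix)
    return FAKE_RANGE_RESPONSES.get(prefix, "")

def breach_count(password: str, sent_prefixes: Optional[List[str]] = None) -> int:
    """Return how many times the password appears in the range data (0 = not found)."""
    prefix, suffix = split_hash(password)
    body = fake_range_lookup(prefix, sent_prefixes if sent_prefixes is not None else [])
    return parse_range_response(body).get(suffix, 0)

if __name__ == "__main__":
    seen: List[str] = []
    print(breach_count("password", seen), seen)  # 12345 ['5BAA6']
```

The `seen` list is the whole record of what crossed the network: a single 5-character prefix, never the password or its full hash.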