Home
StellarSand edited this page May 27, 2024
- When you enter your password in the app, a SHA-1 hash of it is computed locally on your device. The password itself never leaves the device.
- A k-anonymity model is used: of the 40 hex characters of that hash, only the first 5 are sent to Have I Been Pwned (HIBP).
- Every 5-character prefix is shared by a large number of hashes, so the site cannot tell which full hash (and therefore which password) is being queried, which significantly improves privacy.
- HIBP receives the partial hash and returns the remaining 35 characters of every hash in its corpus that starts with that prefix, each with a count of how many times it was seen in breaches.
- The app then compares the remaining 35 characters of the generated hash against the returned list, locally on your device.
- Based on whether a match is found, the app displays whether your password has appeared in any known breach.
```mermaid
sequenceDiagram
autonumber
App->>App: Enter password
App->>App: Generate SHA-1 hash
App->>HIBP: First 5 characters of the generated hash
activate HIBP
HIBP-->>App: Suffixes of all hashes starting with those 5 characters
deactivate HIBP
App->>App: Match the remaining 35 characters<br/>of the generated hash against the list
App->>App: Display results
```
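The whole procedure above, written out as an added example (this is not the app's own code, nor HIBP's). The network call is replaced by `fake_fetch_range` and the `_CONSTRUCTED_RANGES` table, which are assumptions made so the example runs offline: their suffixes and counts are made up, except the suffix for `password`, which is the real remainder of its SHA-1. The endpoint URL in the comment is HIBP's real range endpoint.

```python
import hashlib
from typing import Callable, Dict, Tuple

PREFIX_LEN = 5   # hex characters that are sent to HIBP
SUFFIX_LEN = 35  # hex characters that stay on the device (40 - 5)


def sha1_hex(password: str) -> str:
    """SHA-1 of the UTF-8 encoded password as upper-case hex, the form HIBP keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hash_hex: str) -> Tuple[str, str]:
    """Split a 40-character hex SHA-1 into the 5-character prefix (sent) and 35-character suffix (kept)."""
    if len(hash_hex) != PREFIX_LEN + SUFFIX_LEN:
        raise ValueError("expected a 40-character hex SHA-1")
    return hash_hex[:PREFIX_LEN], hash_hex[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the range endpoint's text body: one 'SUFFIX:COUNT' entry per line."""
    results: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != SUFFIX_LEN:
            raise ValueError(f"malformed range entry: {line!r}")
        results[suffix.upper()] = int(count)
    return results


def match_locally(hash_hex: str, body: str) -> int:
    """Breach count for the full hash, or 0 when no returned suffix matches ours."""
    _, suffix = split_hash(hash_hex)
    return parse_range_response(body).get(suffix, 0)


def check_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """Hash locally, send only the prefix, match the suffix locally."""
    hash_hex = sha1_hex(password)
    prefix, _ = split_hash(hash_hex)
    body = fetch_range(prefix)  # `prefix` is the only data that crosses the network
    return match_locally(hash_hex, body)


# Constructed, offline stand-in for an HTTPS GET to
# https://api.pwnedpasswords.com/range/<prefix>. The second entry is the real
# suffix of SHA-1("password"); its count and the other two entries are made up
# (the live service returns hundreds of entries per prefix).
_CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": "\n".join([
        "00003A8DEA69BCD5C6E1D5B4F8A4C6E9E5D:1",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "FFFE1B63C6E6B6A8E2B1F0B1B9C7E5D4C3B:0",
    ]),
}


def fake_fetch_range(prefix: str) -> str:
    """Assumed replacement for the real HTTPS request; refuses anything but a 5-char prefix."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("only the 5-character prefix may be sent")
    return _CONSTRUCTED_RANGES.get(prefix.upper(), "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = check_password(pw, fake_fetch_range)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not found in the constructed sample'}")
```

The `0`-count entry in the sample mirrors the padding entries HIBP can add to a response; they are parsed like any other line and simply never produce a positive match. Note that SHA-1 is used here only because it is the lookup key HIBP's corpus is indexed by, not as a way to protect the password itself; the privacy property comes from sending just the 5-character prefix, so the check in `fake_fetch_range` is the invariant a real client should preserve.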