Safe password checker

Why is this safe?

This uses haveibeenpwned.com's API server to see if your password has been leaked. This webpage uses HaveIBeenPwned's range query so that HaveIBeenPwned never learns which password you're interested in. The technical details are interesting, but the short version is this:

  1. Your browser hashes your password with SHA-1, so hunter2 turns into f3bbbd66a63d4bf1747940578ec3d0103530e21d
  2. Only the first 5 characters, f3bbb, are sent to HaveIBeenPwned's webserver
  3. HaveIBeenPwned returns a list of all password hashes that start with f3bbb - in this case, 497 hashes.
  4. Your browser checks to see if the remainder of your hash, d66a63d4bf1747940578ec3d0103530e21d, is in the returned list. If so, your password has been breached. Otherwise, you're good to go.

Couldn't you just be stealing my password yourself?

Good point. Any malicious page on the internet could steal literally anything you type into it. This webpage's JavaScript has been written with a goal of readability: the only data sent to any server is sent from script.js, in the function queryHash(). I encourage anybody interested to read through the source code. No JavaScript or other resources are fetched from another server when you load the page, so a malicious actor can't compromise some other site to steal your data from this page.

This website was created with The Beaker Browser.