Discussion on: React component for checking pwned passwords

✨iMichael✨

Your intentions are in the right place, but using this component violates end users' privacy and reduces security.

Max Schmitt (Author)

Why? Only the first 5 chars of the SHA-1 hash will be sent to the server by Troy Hunt. The comparison is done on the client side. :)

✨iMichael✨

I realize that, but it's still deceptive and infringes on privacy. Does the user know their data is being sent to haveibeenpwned? Do they agree before the data is sent?

Max Schmitt (Author)

Nope, but I don't think that this is the job of this component. But I agree that the user should know that their data is sent to the server of Have I Been Pwned, even though the password is very much anonymised.