Good question. Yes, we need to know the plain text password. That's why we can only check the pwned status at signup and login. We never store or log plain text passwords, nor do we send them over a network. Checking with the Pwned API happens by hashing the password and sending just a part of the hash over to Pwned. So the plain text password only exists in memory for the duration of the signup or login request.
Doesn't checking if a password is pwnd require knowing a user's plaintext password? Isn't that a greater security risk?
Good question. Yes, we need to know the plain text password. That's why we can only check the pwned status at signup and login. We never store or log plain text passwords, nor do we send them over a network. Checking with the Pwned API happens by hashing the password and sending just a part of the hash over to Pwned. So the plain text password only exists in memory for the duration of the signup or login request.
Ah OK. I didn't realise you could check the hash at pwnd. That's pretty neat.