re: What does it take to create a strong password?

re: We've recently gone through a similar process. Initially, we had almost the exact same approach as shown in your video. While we (nerds) liked it...

Doesn't checking if a password is pwned require knowing a user's plaintext password? Isn't that a greater security risk?

Good question. Yes, we need to know the plain text password. That's why we can only check the pwned status at signup and login. We never store or log plain text passwords, nor do we send them over a network. Checking with the Pwned API happens by hashing the password and sending just a part of the hash over to Pwned. So the plain text password only exists in memory for the duration of the signup or login request.
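The check described in that reply, as an added example (not the commenter's code): the Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 and returns every known hash suffix under that prefix, so the match is made locally and neither the plaintext nor the full hash leaves the process. The fetch function is injected so the check runs offline here against a constructed response; `SAMPLE_RANGE` and its count are made up for the test.

```python
import hashlib
from typing import Callable, Dict, List

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times `password` appears in the breach corpus (0 = not found).

    `fetch_range(prefix)` must return the body of GET RANGE_URL + prefix: one
    "SUFFIX:COUNT" entry per line. Injecting it keeps the check testable
    offline and lets the caller own timeouts, retries and (non-)logging.
    """
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    del password  # drop our reference to the plaintext as early as we can
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.strip().upper() == suffix:
            return int(count.strip() or 0)
    return 0


def fetch_range_http(prefix: str) -> str:
    """Real network client for production use (not exercised in the test)."""
    import urllib.request
    # Add-Padding asks the API to pad the response so its size does not leak
    # how many suffixes a given prefix has.
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API. SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8; the counts below are invented.
SAMPLE_RANGE: Dict[str, str] = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD9:12\r\n",
}
REQUESTED_PREFIXES: List[str] = []  # records what would have gone over the wire


def fake_fetch_range(prefix: str) -> str:
    REQUESTED_PREFIXES.append(prefix)
    return SAMPLE_RANGE.get(prefix, "")


if __name__ == "__main__":
    print(pwned_count("password", fake_fetch_range))  # 3730471 in the sample data
    print(REQUESTED_PREFIXES)  # only 5-char prefixes ever leave the process
```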

Ah OK. I didn't realise you could check the hash at pwned. That's pretty neat.
