re: React component for checking pwned passwords

re: Your intentions are in the right place, but using this component violates end users' privacy and reduces security.

Why? Only the first 5 chars of the SHA-1 hash will be sent to Troy Hunt's server. The comparison is done on the client side. :)


I realize that, but it's still deceptive and infringing on privacy. Does the user know their data is being sent to haveibeenpwned? Do they agree before the data is sent?

Nope, but I don't think that this is the job of this component. But I agree that the user should know that their data is sent to the Have I Been Pwned server, even though the password is very much anonymised.
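The exchange discussed in this thread, as an added example that is not part of any comment above and is not the component's own code: it shows that only the 5-character SHA-1 prefix is sent, that matching happens locally, and how a consent gate can sit in front of the lookup. `fetchRange`, `consented`, `fakeRange` and the counts are assumptions constructed for this sketch; the `SUFFIX:COUNT` line format is the one the Pwned Passwords range lookup returns.

```javascript
const { createHash } = require('crypto');

// Split the uppercase SHA-1 hex digest. Only `prefix` (5 of 40 chars) is sent.
function splitHash(password) {
  const hex = createHash('sha1').update(password, 'utf8').digest('hex').toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Parse a range response: one "SUFFIX:COUNT" entry per line (CRLF or LF).
function parseRange(body) {
  const counts = new Map();
  for (const line of body.split(/\r?\n/)) {
    const [suffix, count] = line.trim().split(':');
    if (/^[0-9A-F]{35}$/i.test(suffix)) {
      counts.set(suffix.toUpperCase(), Number.parseInt(count, 10) || 0);
    }
  }
  return counts;
}

// `fetchRange` (prefix -> response body) and `consented` are assumptions of
// this example. Without consent nothing is hashed or sent and null is returned.
function pwnedCount(password, fetchRange, consented) {
  if (!consented) return null;
  const { prefix, suffix } = splitHash(password);
  // The 35-char suffix never leaves the client; the match happens locally.
  return parseRange(fetchRange(prefix)).get(suffix) || 0;
}

// Constructed stand-in for the server; it records what a request would carry.
const sent = [];
function fakeRange(prefix) {
  sent.push(prefix);
  const sample = {
    '5BAA6': ['A'.repeat(35) + ':3', '1E4C9B93F3F0682250B6CF8331B7EE68FD8:42'],
  };
  return (sample[prefix] || []).join('\r\n');
}

console.log(pwnedCount('password', fakeRange, true), sent);
```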

