
re: React component for checking pwned passwords

re: Your intentions are in the right place, but using this component violates end users privacy and reduces security.

Why? Only the first 5 chars of the SHA-1 hash will be sent to Troy Hunt's server. The comparison is done on the client side. :)


I realize that, but it's still deceptive and infringing on privacy. Does the user know their data is being sent to haveibeenpwned? Do they agree before the data is sent?

Nope, but I don't think that this is the job of this component. But I agree that the user should know that their data, even though the password is very much anonymised, is sent to the server of Have I Been Pwned.
