Hi, great app ! @rdegges
I'm wondering, splitting the sha1 hash into the first 5 characters in the http request and anything after in the http response, all of that is visible on the network tab, so an attacker can potentially get the full sha1 hash, just by listening to the request and response, and then decode it back to its original password, is it not?

Perhaps the response should only be the last few characters? I don't know how many collisions that would make, and if it's feasible or not.

Hey @iswara108 , thanks.

You can read more about how this works here: https://haveibeenpwned.com/API/v2#PwnedPasswords This strategy avoids a scenario in which a hash is every transmitted over the network. The password is hashed in the browser, and ONLY the first 5 bytes of the HASH of the password are sent over the network.

The API then returns a huge list of hashes minus the 5-byte prefix that are potential matches. This way there is no way for someone to figure out the entire hash. Make sense?

One weakness here is that if someone has access to your browser and can read local memory or bind to elements like this extension does, then obviously they could grab the passwords in plaintext.

Thank you very much. @rdegges I like this app very much.