Return usernames/email addresses with the Pwned Passwords API by using a k-Anonymity model

The chance that an old email address is listed in a breach is very high. After some decades of use, the email address occurs in a breach with a hopefully old password and is used with new passwords currently.
Thus, it would be great if I could test whether a specific username/password combination has been listed in a breach. As far as I understand the API, this isn't possible at the moment.
The related email addresses could be returned after the number of breaches in the api.pwnedpasswords.com return value. This approach has the problem that foreign email addresses are sent back to other people.
Therefore, a reverse k-Anonymity model approach could be applied, and only the first 5 digits of the email address hash should be returned. The hash part could then be compared by the client to hashes of known email addresses. This would allow the client to identify username/password combinations with api.pwnedpasswords.com without ever sending passwords and usernames.
Yours, Marcus
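The exchange Marcus describes, simulated end to end as an added example (this is not code from Have I Been Pwned or from the original post). The request shape mirrors the real `range` endpoint of api.pwnedpasswords.com: the client sends the first 5 hex characters of the uppercase SHA-1 of the password and receives `SUFFIX:COUNT` lines. The third field, a comma-separated list of truncated email-hash prefixes per suffix, is the proposal under discussion and does not exist in the real API; the class `PwnedPasswordsSim`, the function `check_credential`, the 5-character email prefix length and the breach records are all constructed for this illustration.

```python
"""Offline simulation of the proposed Pwned Passwords extension.

Added example, not Have I Been Pwned code. The range query (first 5 hex
chars of the uppercase SHA-1 of the password in, "SUFFIX:COUNT" lines out)
mirrors the real api.pwnedpasswords.com/range endpoint; the third field
carrying email-hash prefixes is hypothetical. All data below is constructed.
"""
import hashlib
from collections import defaultdict


def sha1_hex(value: str) -> str:
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


def email_prefix(email: str, length: int = 5) -> str:
    # Normalise before hashing so "Alice@Example.com " and "alice@example.com" agree.
    return sha1_hex(email.strip().lower())[:length]


# Constructed breach corpus of (email, password) pairs. Hypothetical data.
BREACH_RECORDS = [
    ("alice@example.com", "password1"),
    ("bob@example.com", "password1"),
    ("carol@example.com", "letmein"),
    ("alice@example.com", "hunter2"),
]


class PwnedPasswordsSim:
    """Server side: index breach records by password-hash prefix and suffix."""

    def __init__(self, records, prefix_len: int = 5, email_prefix_len: int = 5):
        self.prefix_len = prefix_len
        # prefix -> suffix -> [count, set of truncated email-hash prefixes]
        self.index = defaultdict(lambda: defaultdict(lambda: [0, set()]))
        for email, password in records:
            h = sha1_hex(password)
            entry = self.index[h[:prefix_len]][h[prefix_len:]]
            entry[0] += 1
            entry[1].add(email_prefix(email, email_prefix_len))

    def range(self, prefix: str) -> str:
        """Return every suffix sharing the prefix, as 'SUFFIX:COUNT:EPFX1,EPFX2'."""
        lines = []
        for suffix, (count, eprefixes) in sorted(self.index[prefix.upper()].items()):
            lines.append(f"{suffix}:{count}:{','.join(sorted(eprefixes))}")
        return "\n".join(lines)


def check_credential(api, email: str, password: str, email_prefix_len: int = 5) -> dict:
    """Client side: only a 5-char password-hash prefix ever leaves the client.

    The email address is never sent; its hash prefix is compared locally.
    """
    h = sha1_hex(password)
    prefix, suffix = h[:api.prefix_len], h[api.prefix_len:]
    mine = email_prefix(email, email_prefix_len)
    for line in api.range(prefix).splitlines():
        sfx, count, eprefixes = line.split(":")
        if sfx != suffix:
            continue  # other passwords that happen to share the prefix
        return {
            "password_pwned": True,
            "count": int(count),
            # A 20-bit prefix match is evidence, not proof: see the note below.
            "pair_possible": mine in eprefixes.split(","),
        }
    return {"password_pwned": False, "count": 0, "pair_possible": False}


if __name__ == "__main__":
    api = PwnedPasswordsSim(BREACH_RECORDS)
    print(check_credential(api, "alice@example.com", "password1"))
    print(check_credential(api, "dave@example.com", "password1"))
    print(check_credential(api, "alice@example.com", "correct horse battery staple"))
```

Two caveats a practitioner would want: five hex characters of the email hash are 20 bits, so a prefix match says the pair is possible, not confirmed, and every listed prefix carries a roughly one-in-a-million chance of colliding with an unrelated address; and the server must apply the same normalisation (trim, lower-case) as the client before hashing, or pairs will never line up.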