Have I Been Pwned API to get breached password list
The official page of "Have I Been Pwned" (https://haveibeenpwned.com/Passwords) is showing anomalous behavior when checking breached passwords. For the same password, it returns different results. Sometimes it shows that the password has been breached, and when I try it again with the same password, it shows the password has not been breached. I tried this with the password "Password1.".
Also, its API (searching by range, which I have used in my Java project) does not indicate that the password "P@ssw0rd123" was breached, but its website https://haveibeenpwned.com/Passwords shows that this password was breached.
Could you please make sure if this is as expected?
This is a bug report, not a feature request, and it’s a duplicate of what you’ve already emailed me and I’ve already responded to.
Amit Maharjan commented
Sorry for the trouble sir.
When I looked into my raw HTTP request, I found that the actual SHA-1 hash of the password "P@ssw0rd123" is "0F0D959BCA569BF2B0A8BFF3E2F1E88920EE7C5F", but my application generated it as "F0D959BCA569BF2B0A8BFF3E2F1E88920EE7C5F", excluding the leading 0. This caused the first five characters to be sent to the Have I Been Pwned API as "F0D95" instead of "0F0D9", which allowed me to set the compromised password P@ssw0rd123.
I have fixed the issue and it is working fine now.
Thanks,
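The leading-zero defect described in the comment above, reproduced as an added example (not code from the commenter's Java project or from Have I Been Pwned): a fixed-width hex formatter beside the buggy integer-style one, the k-anonymity prefix/suffix split, and a parser for the range response. The range body and `fake_fetch` are constructed stand-ins for `GET https://api.pwnedpasswords.com/range/{prefix}` so the script runs offline.

```python
import hashlib
from typing import Callable, Tuple


def sha1_digest(password: str) -> bytes:
    return hashlib.sha1(password.encode("utf-8")).digest()


def hex_correct(digest: bytes) -> str:
    """Fixed-width hex: always 40 characters for SHA-1, leading zeros kept."""
    return digest.hex().upper()


def hex_buggy(digest: bytes) -> str:
    """Reproduces the defect: rendering the digest as an unsigned integer drops
    leading zero nibbles (what Java's new BigInteger(1, digest).toString(16) does).
    A digest starting with 0x0 comes out 39 characters long and mis-prefixed."""
    return format(int.from_bytes(digest, "big"), "X")


def split_for_range(hex_hash: str) -> Tuple[str, str]:
    """k-anonymity split: only the first 5 hex chars are sent to the API."""
    return hex_hash[:5], hex_hash[5:]


def count_in_range(body: str, suffix: str) -> int:
    """Parse 'SUFFIX:COUNT' lines returned for a prefix; 0 means not found."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        sfx, _, count = line.partition(":")
        if sfx.upper() == suffix.upper():
            return int(count)
    return 0


def pwned_count(password: str, fetch_range: Callable[[str], str],
                formatter: Callable[[bytes], str] = hex_correct) -> int:
    prefix, suffix = split_for_range(formatter(sha1_digest(password)))
    return count_in_range(fetch_range(prefix), suffix)


# Constructed sample response for the prefix of SHA-1("password"); counts are made up.
FAKE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "0000000000000000000000000000000000A:1\r\n",
}


def fake_fetch(prefix: str) -> str:
    return FAKE_RANGES.get(prefix, "")
```

Swapping `formatter=hex_buggy` into `pwned_count` for a hash that starts with a zero nibble queries the wrong prefix and silently reports the password as clean.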