Have I Been Pwned API to get breached password list
The official page of “Have I Been pwned” (https://haveibeenpwned.com/Passwords) is showing anomaly behavior for checking breached password. For the same password being used, it returns different results. Sometimes it shows that the password has been breached and when I try it again with the same password, it shows the password has not been breached. I tried this with the password “Password1.”.
Also, its API (Searching by range, which I have used with my java project) does not signify that the password "P@ssw0rd123" was breached, but its website https://haveibeenpwned.com/Passwords shows that this password was breached.
Could you please make sure if this is as expected?
This is a bug report, not a feature request, and it’s a duplicate of what you’ve already emailed me and I’ve already responded to.
Amit Maharjan commented
Sorry for the trouble sir.
When I looked into my raw HTTP request I found that the actual SHA-1 hash of the password “P@ssw0rd123” is “0F0D959BCA569BF2B0A8BFF3E2F1E88920EE7C5F” but my application generated it as “F0D959BCA569BF2B0A8BFF3E2F1E88920EE7C5F” excluding the preceding 0s. This caused the 1st five characters to be sent into the Have I Been Pwned API as “F0D95” instead of “0F0D9” which allowed me to set the compromised password P@ssw0rd123.
I have fixed the issue and it is working fine now.