Add credentials API (to check against strong hashes)
HIBP, unlike other services such as Enzoic, does not yet provide a way to find matches if the breach data contains medium to strongly protected passwords.
To make those passwords searchable without cracking them, the API needs to accept the username as input and return a list of hashes together with meta information, e.g. salt and hash algorithm. The client can then, for all results, hash the password with the provided hash algorithm and compare it with the hash from the API result.
Security notes:
1. You may want to add a second hash algorithm on top to avoid storing passwords with a weak hash algorithm in your database.
2. You may search the username by the k-anonymity model to protect the privacy of users (nobody will see from API usage who registered on which site).
I know it's a lot of work for some more searchable passwords, so I am OK with paying for such a service.
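The lookup flow proposed above, as an added example written for this page (it is not HIBP's, Enzoic's, or the poster's own code): the client reveals only a prefix of the hashed username (note 2), the service returns the candidate records with their salt and algorithm, the client reproduces the breached site's hash locally and compares. The algorithm names, the prefix length, the "second hash on top" wrapping (note 1) and the sample breach records are all constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Inner algorithms the lookup service would report per record. The names are
# assumptions for this example, not identifiers from HIBP or Enzoic.
def inner_hash(algorithm: str, salt: str, password: str) -> str:
    data = (salt + password).encode("utf-8")
    if algorithm == "md5-salted":
        return hashlib.md5(data).hexdigest()
    if algorithm == "sha1-salted":
        return hashlib.sha1(data).hexdigest()
    if algorithm == "sha256-salted":
        return hashlib.sha256(data).hexdigest()
    raise ValueError(f"unsupported hash algorithm: {algorithm}")

def wrap(inner_hex: str) -> str:
    # Note 1 from the request: the service stores sha256(weak_hash) instead of the
    # raw MD5/SHA-1 digest, so its own store holds no weak digests as-is. The client
    # must reproduce both layers when comparing.
    return hashlib.sha256(inner_hex.encode("ascii")).hexdigest()

def username_digest(username: str) -> str:
    # Normalised so "Alice@Example.com" and "alice@example.com" land in one bucket.
    return hashlib.sha1(username.strip().lower().encode("utf-8")).hexdigest()

@dataclass(frozen=True)
class BreachRecord:
    username_hash: str  # full sha1(username) hex
    algorithm: str      # how the breached site hashed the password
    salt: str           # that site's per-account salt
    wrapped_hash: str   # wrap(inner_hash(algorithm, salt, password))

def _record(username: str, algorithm: str, salt: str, password: str) -> BreachRecord:
    return BreachRecord(username_digest(username), algorithm, salt,
                        wrap(inner_hash(algorithm, salt, password)))

# Constructed sample corpus standing in for the service's breach data.
CORPUS = [
    _record("alice@example.com", "md5-salted", "x9Q", "hunter2"),
    _record("alice@example.com", "sha256-salted", "7bcD", "correct horse"),
    _record("bob@example.com", "sha1-salted", "00", "letmein"),
]

PREFIX_LEN = 5  # assumed k-anonymity prefix length, in hex characters

def lookup_by_prefix(prefix: str) -> list:
    """Server side: the client only reveals a hash prefix (note 2, k-anonymity)."""
    return [r for r in CORPUS if r.username_hash.startswith(prefix)]

def credentials_breached(username: str, password: str) -> bool:
    """Client side: fetch the bucket, then verify locally against each candidate."""
    full = username_digest(username)
    for rec in lookup_by_prefix(full[:PREFIX_LEN]):
        # Records of other users sharing the prefix are discarded here, on the
        # client, so the service never learns which username was being checked.
        if not hmac.compare_digest(rec.username_hash, full):
            continue
        candidate = wrap(inner_hash(rec.algorithm, rec.salt, password))
        if hmac.compare_digest(candidate, rec.wrapped_hash):
            return True
    return False

if __name__ == "__main__":
    print(credentials_breached("alice@example.com", "hunter2"))      # True
    print(credentials_breached("alice@example.com", "Tr0ub4dor&3"))  # False
```

The password itself never leaves the registration form: the only thing sent to the service is the hash prefix, and the comparison happens on the returned records. A record whose algorithm the client does not implement is reported as an error rather than silently treated as "not breached".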
The protection level of the password is not an area I want to get into as it leads to (often incorrect) assumptions about whether a breached password is suitable for use. There’s also no need to increase the strength of the hashing algorithm as it’s only designed to obfuscate the PII that appears in some records.
-
My apologies, I sent you a direct message rather than commenting on the thread. I've received your response, if you'd like to add it to the public thread here I'll reply in kind.
----
"The use case is a user registration form that checks if the password the users picks is already breached."
That's what Pwned Passwords already does. Enzoic checks credential *pairs* which is not something I want to do. It creates huge risk and is unnecessary as far as determining whether the password has been exposed and should no longer be used.
-
Keywan Ghadami commented
I think you got me totally wrong.
Please see https://www.enzoic.com/docs-credentials-api/
The use case is a user registration form that checks if the password the user picks is already breached.
The password API cannot be used to find all passwords because, for good reasons, you decided not to crack passwords from e.g. salted hashes. But with that kind of credentials API it is possible.