How does Nodecraft protect my password when checking if it has been pwned?
Nodecraft implements the industry standard and tested Have I Been Pwned: Pwned Passwords API. This API houses over 550 million real-world passwords that have previously been exposed in data breaches from companies of all sizes. This exposure makes them unsuitable for use as your Nodecraft account password.
Nodecraft never stores or sends your password in plaintext to any third-party service. Read more about our password policy here. We implement the Pwned Password API with its k-Anonymity design to securely detect if your password has been previously exposed in a third-party data breach. What this means is that the following steps happen when you login to your Nodecraft account:
We validate the username/email exists in our platform
We securely compare a hashed version of your input with your stored password hash
And we then check that the password used to login hasn't been compromised in any third-party data-breach
That last step can be broken down even further, as follows. This is slightly simplified for ease of understanding, but illustrates how this works.
We take your input password and generate a SHA1 hash from it. A hash algorithm (in this case SHA1), takes arbitrary input data (in this case, your password) and turns it into a fixed data representation, the hash value. A cryptographic hash function is collision-resistent, meaning that for each and every input, it creates a unique but consistent output. The algorithm used for the hash in known as a one-way transformation, which means it's easy to generate, but extremely difficult to know what the actual input value was. For example, if we used the password
password, the SHA1 output would be
We then send the first 5 characters of this SHA1 hash to the Pwned Password API (in this case,
D03AE), and the Pwned Password API responds with a list of hashes (previous passwords) matching the input that have been compromised, and how many times that hash has been breached. This way, the site can't know exactly which hash we're looking for. The k-Anonymity process ensures there is so much "noise" in the process here that it becomes very difficult to determine exactly which hash we were looking for.
We then search the data returned on our end, looking for for the original SHA1 hash we generated of your password. If the hash is on the list, it's been compromised. If it hasn't then the password isn't in a publicly known data breach. The API also tells us how many times this particular hash has been breached, and in the case of
password, it has been compromised over 3.7 million times before.
This means that your full password is never sent offsite - only an anonymised partial hash of your password, to check if it has been present in any previous third-party breach.