HIBP Verification — Understanding k-anonymity

Time2Crack uses the Have I Been Pwned (HIBP) API to check whether your password has appeared in a known data breach. To protect your privacy, we never send your full password. Instead, we use a technique called k-anonymity: only the first 5 characters of the SHA-1 hash of the password are sent.

EXPLANATORY SECTION

What you can see

Your password always stays in your browser. The password itself is never sent to any server.

The SHA-1 hash of your password is computed locally, in JavaScript.

Only the first 5 hex characters of this hash are then sent to HIBP.

What HIBP can't see

HIBP does not see your full password.

HIBP does not see your complete SHA-1 hash.

HIBP receives only those 5 characters and returns all hashes that share this prefix (k-anonymity), so it cannot tell which one of them you were asking about.

What is k-anonymity?

k-anonymity is a privacy technique that makes a record indistinguishable from at least k-1 other records, so a query reveals a group of k candidates rather than one individual. Here, the 5 hex characters sent to HIBP select one of 16^5 (about one million) buckets, and HIBP returns every hash in that bucket (several hundred, the exact number depending on the prefix). Your real hash is hidden among all the others. Not even HIBP knows which hash is yours, because the full hash never leaves your browser.

INTERACTIVE DEMONSTRATION

Interactive demonstration

Enter a password below and see exactly what is sent to HIBP.

STEP 1: PASSWORD

Password (in your browser)

Your password always stays local. It is never sent.

STEP 2: COMPLETE SHA-1

Complete SHA-1 hash (computed locally)

The SHA-1 hash is computed in your browser, in JavaScript. HIBP never sees it in full.

STEP 3: FIRST 5 CHARACTERS

SHA-1 prefix (first 5 characters)

Only these 5 characters are sent to HIBP, over HTTPS.

STEP 4: HIBP RESPONSE

HIBP's response (all matching hashes)

HIBP returns all hashes that start with this prefix. Your true hash is hidden among them.

Important

Even if a prefix such as "55D97" were sent for a password like password123, HIBP would not know which of the hundreds of hashes behind that prefix is yours. Only your browser, which holds the full hash, knows.

DETAILED FLOW

How Time2Crack uses HIBP

1. You type a password

Your password stays in your browser. Nothing is sent anywhere at this point.

2. Time2Crack computes the SHA-1

In JavaScript, we compute the SHA-1 hash of the password. This is a local computation; nothing is transmitted.

3. The prefix is sent to HIBP

Only the first 5 hex characters of the hash are sent to HIBP, over an encrypted HTTPS request to the Pwned Passwords range endpoint (https://api.pwnedpasswords.com/range/ followed by the prefix).

4. HIBP returns the whole bucket

HIBP returns every hash that starts with this prefix (several hundred), as the remaining 35-character suffixes, each with a count of how many times that password has appeared in breaches.

5. Local verification

In your browser, Time2Crack compares the suffix of your complete hash against all the suffixes HIBP returned. If one matches, the password has appeared in a known breach and should be considered compromised.

FAQ

Frequently Asked Questions

RESOURCES

Resources

Have I Been Pwned (HIBP): haveibeenpwned.com — database of compromised passwords.

HIBP API documentation: haveibeenpwned.com/API/v3 — technical documentation of the k-anonymity (Pwned Passwords range) API.

k-anonymity: Wikipedia — k-anonymity — the data-privacy concept.

Password security: OWASP Password Storage Cheat Sheet — good practices for storing passwords.