That is the correct way of thinking, never trust anything with your passwords.
I was curious on what haveibeenpwned does, so I took a look at what the network tab in dev tools said what was actually sent. When I type a password (say password123) and press check it runs a function that hashes with the “SHA-1” hash function and then sends the first 5 characters of the result. The response is over a thousand lines in the format of
35 hash characters:number of breaches
If any of these hashes are the start of your original hash, you now know it’s exposed and how many times it’s been exposed.
That is the correct way of thinking, never trust anything with your passwords.
I was curious on what haveibeenpwned does, so I took a look at what the network tab in dev tools said what was actually sent. When I type a password (say password123) and press check it runs a function that hashes with the “SHA-1” hash function and then sends the first 5 characters of the result. The response is over a thousand lines in the format of
35 hash characters:number of breachesIf any of these hashes are the start of your original hash, you now know it’s exposed and how many times it’s been exposed.