Comment by lolinder
6 days ago
> A great analogy would be a website that asks users to provide their usernames and passwords for sites to see if it’s a strong password or if it’s been compromised. “Sorry, the credentials stouset / hunter2 were found in our database for Hacker News.”
This is actually a really good analogy because it does illustrate that it's not a completely crazy ask—people do trust Troy Hunt to run such a site. But OP should be much more understanding of how dangerous the concept is and offer options to resolve concerns (Troy allows downloading the passwords list to check locally), especially while they're not Troy Hunt-level famous and still are trying to build up trust.
Troy's site isn't actually handling the user's real password to check, its doing a lookup of hashes to see if a similar hash is there. The password and final hash checks never leave the client side. Still a lot of trust involved in a site like that, and yeah he encourages you use the API to do the comparisons yourself.
This is actually uploading all the information to the backend and storing it in a database. Like a page that is asking for a service URL, a username, a password, a TOTP secret, sending it all to the server, and having the server check if the credentials have been pwned and saving it all.