How does Termius know a password / encryption passphrase was leaked?

Eugene Oskin

Termius checks the password and encryption passphrase against the haveibeenpwned.com (HIBP) Pwned Passwords service. The app computes the SHA-1 hash of the user-provided password / encryption passphrase and queries the HIBP range API with only the first 5 characters of that hash, following the k-anonymity scheme HIBP implemented with Cloudflare.

Termius never sends the original (unencrypted) password / encryption passphrase, nor enough information to recover it.

Example:

  • The password is pa$word.
  • The SHA-1 hash of the password is 617ADCC02712A40E76254BA1F3A26AF660F98EC7.
  • The first 5 characters of the SHA-1 hash are 617AD; the rest is CC02712A40E76254BA1F3A26AF660F98EC7.

Here are the search results for the range query https://api.pwnedpasswords.com/range/617AD (each line is a hash suffix and the number of times it was seen):

...
CC02712A40E76254BA1F3A26AF660F98EC7:96
...

This data tells us the password has been leaked in 96 breaches.
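The following is an added example, not Termius's own code, showing the k-anonymity lookup described above: only the 5-character SHA-1 prefix leaves the device, and the suffix comparison happens locally against the returned range. The sample range body is constructed to mimic the API's response format; `fetch_range` performs the live query, and `check_secret` accepts an injectable fetch function so the logic can be exercised offline.

```python
import hashlib
import urllib.request

# Constructed sample of the HIBP range response format (SUFFIX:COUNT per line)
# that includes the suffix from the article; not a real API response.
SAMPLE_RANGE_BODY = (
    "00000B3A36E3A2A9A9E0E4A2F8F2D5C1E7C:2\r\n"
    "CC02712A40E76254BA1F3A26AF660F98EC7:96\r\n"
    "CC0F17A1B8E4D9E8E0BDEF6A9C7F2D3E1A5:1\r\n"
)

def split_sha1(secret):
    """SHA-1 the secret and split the uppercase hex digest into the 5-character
    prefix that is sent to HIBP and the 35-character suffix that stays local."""
    digest = hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix, range_body):
    """Scan a range response locally for our suffix and return its count,
    or 0 when absent. The server never learns which suffix we looked for."""
    for line in range_body.splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count.strip())
    return 0

def fetch_range(prefix):
    """Query the live HIBP range endpoint for one 5-character prefix."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "hibp-range-example"},  # identifies the client
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def check_secret(secret, fetch=fetch_range):
    """Return how many times the secret appears in HIBP, sending only its
    SHA-1 prefix. `fetch` is injectable so the lookup can be tested offline."""
    prefix, suffix = split_sha1(secret)
    return count_in_range(suffix, fetch(prefix))

if __name__ == "__main__":
    # Live lookup of the article's example password (network access required).
    print(check_secret("pa$word"))
```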
