![How does Termius know a password / encryption passphrase was leaked?]({"bg": "//theme.zdassets.com/theme_assets/10837892/b9e5e013ea0aaacfe65e3fcc012ca6cf57446dfa.png"})
![How does Termius know a password / encryption passphrase was leaked?]({"bg": "//theme.zdassets.com/theme_assets/10837892/94962dc50573b47245821f53b41783e776499ebb.png"})
Termius checks the password and encryption passphrase using the haveibeenpwned.com service (HIBP). The Termius app searches for the first 5 characters of SHA-1 of the user-provided password / encryption passphrase in HIBP API per the Cloudflare k-anonymity implementation.
Termius never sends the original (unencrypted) password / encryption passphrase or information enough to discover what it is.
Example:
- The password is pa$word.
- SHA-1 of the password will be
617ADCC02712A40E76254BA1F3A26AF660F98EC7. - The first 5 characters are SHA-1 of the password is
617AD, the rest isCC02712A40E76254BA1F3A26AF660F98EC7.
Here are the search results: https://api.pwnedpasswords.com/range/617AD.
...
CC02712A40E76254BA1F3A26AF660F98EC7:96
...
This data tells us the password has been leaked in 96 breaches.
12
8
Was this article helpful?
10 out of 12 found this helpful
Articles in this section
- How to add ssh command with port forwarding (with -L, -R, -D) in Termius
- What's the "We've sent you an email to approve the login for your IP address" error?
- How do I cancel the trial period?
- How to adjust text size?
- Can the mobile ('strip') keyboard be customized?
- How does Termius know a password / encryption passphrase was leaked?
- How do I set the default SFTP path?
- How to copy/paste in the desktop app?
- How to disable TestFlight notifications?
- How do I search in the terminal?
Add comment
Please sign in to leave a comment.