Web says "Password breached", how does it know, technically?
Posted: Fri Feb 25, 2022 4:58 pm
Hi,
the other day I logged into my account on factorio.com just to find out a big fat yellow warning at the top of the page saying:
Password breached
Your password has previously appeared in a data breach unrelated to factorio.com. Please change it as soon as possible on your profile page. For more information visit https://haveibeenpwned.com/Passwords
I was wondering, how can the web know that? Does that mean that it stores my password in plaintext, or in a reversible form, so that it could check through HIBP's API? If the web stored the password with the best current practices in mind, salted and hashed, it could not check with HIBP's API simply because it wouldn't know my actual password. So what's going on here?
Sorry if this is the wrong place to ask, can't find anywhere that would seem more appropriate.
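One way a site that stores only salted hashes can still raise such a warning, shown as an added example that is not part of the original post and is not factorio.com's code: at login the server briefly holds the submitted password, so it can check it then using a hash-prefix range lookup of the kind the Pwned Passwords API offers. It assumes the site uses that lookup; `range_service`, `breach_count`, `store` and `login` are hypothetical names, and the breach corpus and counts are constructed so the block runs offline.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the breach corpus held by the remote service.
BREACHED = {"password": 9000000, "hunter2": 50000}  # constructed counts
_CORPUS = {hashlib.sha1(p.encode()).hexdigest().upper(): n
           for p, n in BREACHED.items()}

def range_service(prefix):
    """Service side: sees only 5 hex characters of a SHA-1 digest and
    answers with SUFFIX:COUNT lines for every digest sharing that prefix."""
    assert len(prefix) == 5
    return "\r\n".join(f"{h[5:]}:{n}" for h, n in _CORPUS.items()
                       if h.startswith(prefix))

def breach_count(password, lookup=range_service):
    """Site side: hash locally, send only the prefix, match the suffix locally.
    In production `lookup` would be an HTTPS request to the range endpoint."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if hmac.compare_digest(candidate.strip(), suffix):
            return int(count)
    return 0

def store(password):
    """What the site keeps at rest: a random salt and a slow salted hash."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def login(record, submitted):
    """Return (authenticated, breached). The breach check runs only while the
    submitted password is in memory; nothing reversible is ever stored."""
    salt, stored = record
    attempt = hashlib.pbkdf2_hmac("sha256", submitted.encode(), salt, 100_000)
    if not hmac.compare_digest(attempt, stored):
        return False, False
    return True, breach_count(submitted) > 0

if __name__ == "__main__":
    record = store("hunter2")
    print(login(record, "hunter2"))   # authenticated, and flagged as breached
    print(login(record, "wrong"))     # rejected, no lookup performed
```

The stored record never leaves the server and is never sent to the lookup; only the first five hex characters of a SHA-1 digest of the password typed at login are.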