
Overview

PassAgent integrates with Have I Been Pwned (HIBP) to check whether your email addresses or passwords have appeared in known data breaches. Password checks use HIBP's k-anonymity range API: the full password hash is never sent to HIBP, only the first five characters of it.

Email breach check

Check whether an email address appears in known data breaches.
GET /api/hibp/breachedaccount?email={email}
Authentication: Required
Response: array of breach objects from HIBP, or an empty array if the address is not in any known breach.
Caching: Results are cached for 15 minutes.

Password breach check (k-anonymity)

Check whether a password has appeared in known data breaches without exposing the password to HIBP.
1. Hash locally. The password is hashed with SHA-1 by PassAgent, which acts as the HIBP client; the full hash is never sent anywhere.
2. Send prefix. Only the first 5 hex characters of the hash are sent to the HIBP range API.
3. Compare locally. HIBP returns every hash suffix that shares that prefix, each with its breach count. The client looks for its own 35-character suffix in that list.
4. Report result. If the suffix is present, its breach count is returned; otherwise the count is 0.
GET /api/hibp/pwnedpassword?password={password}
Authentication: Required
Caching: Results are cached for 24 hours.
Response:
{
  "count": 0
}
A count of 0 means the password has not been found in any known breaches.
The k-anonymity protocol ensures that HIBP cannot determine which password is being checked: only a 5-character hash prefix is sent, and the same prefix matches thousands of different passwords. PassAgent itself does receive the password through this endpoint in order to hash it, so the request is handled as a credential. Because the password is passed as a query parameter, avoid logging full request URLs for this endpoint.
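The following is an added, offline implementation of steps 1 to 4 above; it is an example written for this page, not code from PassAgent. It assumes HIBP's public range endpoint (https://api.pwnedpasswords.com/range/{prefix}) and its SUFFIX:COUNT response format. The fetcher is injectable so the demo runs against a constructed fixture, and it shows the one detail a naive implementation gets wrong: when the request asks HIBP for padding (the Add-Padding header), the response contains dummy suffixes with a count of 0 that must be ignored.

```python
"""k-anonymity password check against HIBP's range API (added example, not PassAgent code)."""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Public HIBP range endpoint; the 5-character prefix is appended to this URL.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password: str) -> str:
    """Step 1: hash the password locally. HIBP's range API is keyed on hex SHA-1 digests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """Step 2: the first 5 hex characters are the only part sent; the remaining 35 stay local."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse HIBP's response: one 'SUFFIX:COUNT' line per known hash sharing the prefix.

    With Add-Padding: true, HIBP mixes in fake suffixes with a count of 0 so that a
    network observer cannot tell how many real entries the prefix has. Those are
    dropped here so they can never be reported as a hit.
    """
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range_live(prefix: str) -> str:
    """Network fetcher: sends only the prefix to HIBP (not used by the offline demo below)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "k-anonymity-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: Callable[[str], str] = fetch_range_live) -> int:
    """Steps 3-4: look for the local suffix in the returned list; 0 means not found."""
    prefix, suffix = split_hash(sha1_hex_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# --- Constructed fixture so the example runs offline -------------------------------
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix is 5BAA6.
# The counts below are made up for the demo; they are not real HIBP figures.
PADDING_SUFFIX = "F" * 35
FAKE_RANGES = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",  # suffix of "password" (constructed count)
        PADDING_SUFFIX + ":0",                            # padding entry, must be ignored
        "ABCDEF0123456789ABCDEF0123456789ABC:12",         # another password sharing the prefix
    ])
}


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for fetch_range_live; unknown prefixes get an empty response."""
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        # Mirrors the {"count": n} shape of the PassAgent endpoint documented above.
        print(pw, "->", {"count": pwned_count(pw, fake_fetch_range)})
```

To run it against the real API, call `pwned_count(password)` without the second argument; the only value that leaves the machine is the 5-character prefix in the URL.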

Security center integration

Breach monitoring results feed into the Security Center:
  • Breached passwords are flagged with a warning badge
  • Breached emails trigger notifications
  • Recommendations to change breached passwords are generated
  • Password health scores are penalized for breach exposure

Privacy

  • Passwords are never sent to HIBP in plaintext
  • Email checks send your email address to HIBP, so HIBP sees which address is being checked
  • All checks require authentication — no anonymous scanning
  • Results are tracked as breach_check audit events