Real world example why you should not ask #haveibeenpwned during password entry if password is compromised.

gistfile1.txt

After a debate on Twitter how secure or insecure it is to ask #haveibeenpwned with their
k-anonymity check if passwords are compromised (while you are entering the password) I 
have hacked together a small python script that without optimization tries to answer this
question.

We are testing a 20 character password: bananenBrot4321Alarm

Assumption is that the website uses the k-anonymity check that leaks 5 SHA1 characters to
#haveibeenpwned with every attempt. Assumption is that first query happens after X characters
have been entered as password. And then every Y characters another check is executed.

Meaning of output:

candiate: XXXXXX   <——— this outputs every one candidate for every 100k passwords that were tried
                        plus every new candidate from the candidate list of the previous call

[x, y, y, y, …] <—— first prefix is x characters, then every y characters a new check was made


Cracking a 20-char password from repeated #haveibeenpwned k-anonymity hashes [4, 2, 2, 2, 2, 2, 2, 2, 2]

https://gist.github.com/stefanesser/3b8911f6e9798daf8e0fcd469b7ceea8

Cracking a 20-char password from repeated #haveibeenpwned k-anonymity hashes [5, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1]

https://gist.github.com/stefanesser/eef8c046c82a6f1fd47aaaf25e87f698

Cracking a 20-char password from repeated #haveibeenpwned k-anonymity hashes (5,2,2,2,2,2,2,2,1)

https://gist.github.com/stefanesser/f643f87dc88bbdc7b22594b7d7f67bd2