How does Termius detect a leaked Encryption Password?
When you set a new Encryption Password for your account, Termius can check whether it appeared in known data breaches by using the haveibeenpwned.com service, or HIBP.
Termius never sends the original password in plain text or enough information to reveal it.
The Termius app sends the first 5 characters of the SHA-1 hash of the user-provided password to the HIBP API, following Cloudflare's k-anonymity model.
For example, take the password pa$word:
The SHA-1 hash of the password is 617ADCC02712A40E76254BA1F3A26AF660F98EC7.
The first 5 characters of that hash are 617AD.
The remaining characters are CC02712A40E76254BA1F3A26AF660F98EC7.
HIBP returns every hash suffix it knows for that prefix from https://api.pwnedpasswords.com/range/617AD.
Termius then checks locally whether the remainder listed above appears in the response.
...
CC02712A40E76254BA1F3A26AF660F98EC7:96
...
This means the password appeared in 96 known breaches.
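The check described above, written out as an added example (this is not Termius's own code): the password is hashed locally, only the 5-character prefix is used to build the request URL, and the 35-character remainder is matched offline against a constructed range response that reuses the suffix and count from the text. Network access is deliberately left out so the block runs stand-alone.

```python
"""HIBP k-anonymity range check, as described above (added example)."""
import hashlib

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def split_sha1(password: str) -> tuple[str, str]:
    """Return (prefix, suffix): the 5 hex chars that go to HIBP and the 35 kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(prefix: str) -> str:
    """URL for the range query; only the prefix ever leaves the machine."""
    return HIBP_RANGE_URL.format(prefix=prefix)


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; tolerates CRLF line endings and blank lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(suffix: str, body: str) -> int:
    """Breach count for the local suffix, 0 if absent. HIBP's optional padding
    entries (sent when the client asks for 'Add-Padding: true') carry count 0,
    so they correctly read as 'not breached'."""
    return parse_range_response(body).get(suffix.upper(), 0)


def check_password(password: str, body: str) -> int:
    """Full flow: hash, split, match the remainder against the range response."""
    _prefix, suffix = split_sha1(password)
    return breach_count(suffix, body)


# Constructed sample of a range response (not a real capture): the second line
# is the suffix and count from the example above, the others are made up.
SAMPLE_RESPONSE = "\r\n".join([
    "0000000000000000000000000000000000A:3",
    "CC02712A40E76254BA1F3A26AF660F98EC7:96",
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0",  # padding-style entry, count 0
])

if __name__ == "__main__":
    prefix, suffix = split_sha1("pa$word")
    print("GET", range_url(prefix))            # only the 5-char prefix is sent
    print("breaches:", breach_count(suffix, SAMPLE_RESPONSE))
```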