Validating Leaked Passwords with k-Anonymity
On February 21, 2018, Troy Hunt released v2 of Pwned Passwords as part of the Have I Been Pwned service. The database contains over half a billion real-world leaked passwords and is an essential tool for combating modern threats to password security. To protect user information when the tool is used, Cloudflare provides CDN and security functionality so that the data can easily be made available for download in raw form to organizations, which can use it to protect their customers. In addition, API endpoints have been designed and implemented to support anonymized range queries as an extra layer of security for those consuming the API. With this contribution, Pwned Passwords clients can use range queries to search for breached passwords without disclosing a complete unsalted password hash to the service.
Company: Cloudflare
Date published: Feb. 21, 2018
Author(s): Junade Ali
Word count: 2448
Hacker News points: None found.
Language: English