March 21, 2026

How k-Anonymity Keeps Your Password Private

Cybersecurity

When I built my Password Strength Analyzer, I wanted to check if a user's password had ever appeared in a known data breach. The obvious approach — sending the password to an API — is a security nightmare. That's where k-anonymity comes in.

WHAT IS K-ANONYMITY?

k-Anonymity is a privacy model that ensures your query is indistinguishable from at least k-1 other queries. In the context of password breach checking, it means the server never sees your full password hash — only a small prefix of it.

HOW HIBP USES IT

The Have I Been Pwned (HIBP) Pwned Passwords API implements k-anonymity using SHA-1 hash range lookups:

1. Hash the password using SHA-1
2. Take only the first 5 characters of the hash
3. Send that 5-char prefix to the API
4. API returns all hashes that start with that prefix
5. Check locally if your full hash is in the list

Your full hash never leaves your machine. The server only knows you're checking something that starts with those 5 characters — along with thousands of other users doing the same.

THE CODE

Here's how I implemented it in Java:

// sha1Hash() returns the hex digest; HIBP publishes its suffixes in upper case
String sha1 = sha1Hash(password).toUpperCase();
String prefix = sha1.substring(0, 5);   // the only part that goes over the network
String suffix = sha1.substring(5);      // the remaining 35 hex chars stay local

// callHIBPApi() fetches the "SUFFIX:COUNT" lines for this 5-char range
String response = callHIBPApi(prefix);
// match on the suffix field of a line, not on any substring of the body
boolean breached = response.lines().anyMatch(line -> line.startsWith(suffix + ":"));
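For readers who want to see the five steps above as one runnable unit, here is an added example (my own illustration, not the code from the password-analyzer repo). The class name KAnonymityCheck and the methods sha1Hex, breachCount and fakeRange are names I chose for this example. The network call is factored out into a function argument, so the block runs offline against fakeRange, a constructed stand-in for the HIBP range response; its suffixes and counts are made up, except that the second entry is SHA-1("password") with its 5-character prefix removed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import java.util.function.Function;

/**
 * Added example of the HIBP k-anonymity range lookup (not the author's
 * password-analyzer code). Requires Java 17+ for HexFormat.
 */
public class KAnonymityCheck {

    /** Upper-case hex SHA-1 digest, the form in which HIBP publishes hashes. */
    static String sha1Hex(String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().withUpperCase().formatHex(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 is a mandatory JCA algorithm", e);
        }
    }

    /**
     * Returns how many times the password appeared in breaches, or 0 if it
     * is not in the returned range. rangeFetcher receives only the 5-char
     * prefix (the sole value that would cross the network) and returns the
     * "SUFFIX:COUNT" lines for that range. The full hash never leaves here.
     */
    static long breachCount(String password, Function<String, String> rangeFetcher) {
        String sha1 = sha1Hex(password);
        String prefix = sha1.substring(0, 5);
        String suffix = sha1.substring(5);           // 35 hex chars, kept local

        String body = rangeFetcher.apply(prefix);
        for (String line : body.split("\\R")) {      // \R matches CRLF and LF
            int colon = line.indexOf(':');
            if (colon != 35) continue;               // a suffix is always 35 chars; skip anything else
            if (line.regionMatches(true, 0, suffix, 0, 35)) {
                return Long.parseLong(line.substring(colon + 1).trim());
            }
        }
        return 0;
    }

    /**
     * Constructed stand-in for GET https://api.pwnedpasswords.com/range/{prefix}.
     * The suffixes and counts below are made up for this example; only the
     * second line corresponds to a real hash (SHA-1 of "password").
     */
    static String fakeRange(String prefix) {
        if (!prefix.equals("5BAA6")) return "";
        return String.join("\r\n",
            "0123456789ABCDEF0123456789ABCDEF012:7",
            "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
            "A1B2C3D4E5F60718293A4B5C6D7E8F9A0B1:2");
    }

    public static void main(String[] args) {
        System.out.println("password -> " +
            breachCount("password", KAnonymityCheck::fakeRange));
        System.out.println("correct horse battery staple -> " +
            breachCount("correct horse battery staple", KAnonymityCheck::fakeRange));
    }
}
```

To go live, replace fakeRange with a method that issues the GET through java.net.http.HttpClient and returns the response body unchanged; breachCount does not need to change. Two details worth keeping in mind: the match is done per line on the suffix field, so a hex run inside a count can never produce a false positive, and parsing the count lets the tool report how widespread a breached password is rather than a bare yes/no. HIBP also honours an Add-Padding: true request header that pads every range with zero-count filler lines so response size reveals nothing about the prefix; the parser above handles such lines without modification.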

WHY THIS MATTERS

This technique lets you build security tools that are genuinely privacy-respecting. Users don't have to trust you with their passwords — the math does the work. It's a clean example of cryptographic privacy in practice.

You can find the full implementation in my password-analyzer repo on GitHub.