9 comments

[ 2.8 ms ] story [ 36.3 ms ] thread
Marco Arment just updated the excellent Overcast podcast app to be anonymous by default.

https://marco.org/2018/04/27/overcast42

The only reason he still supports usernames is because you need it to log into the website to listen to podcasts.

What is more remarkable about his stance, is that he's also on three or four podcasts himself - including I believe the second most popular Apple related podcast.
What is k-anonymity?
Rather than providing the service a password hash for it to look up in its database, you download k password hashes that have the same prefix and do the matching locally. That way, the user’s real password hash is never sent over.
You download however many passwords match the prefix (N). If the process has k-anonymity then it's guaranteed that N >= k for any possible prefix.
And in this case, k = 381. (Though more by coincidence than design.) https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...
It's much larger than that, really -- if you know that the user is definitely looking for a hash that's present, there are 381 they could have been looking for. But here we're just as interested in elements that are outside the set, and there are a lot more of them.
I was initially extremely skeptical of sites using Pwned Passwords' API until I learned how this worked/realized this.

I was super skeptical of "send Troy your whole SHA1 hash", because many many SHA1 hashes have been reversed. Then when I was looking at V2, I was considering the fact that in a given set of 381 passwords, there were probably only a couple you might be meaning to check (if you look at a range set, each one generally has a couple of repeatedly used password hashes).

But if my passwords fall outside of that set, someone might think I am maybe checking against one of the more commonly leaked passwords, when mine isn't even in that range set at all.

Partially for my own comfort, and for fun, I ended up writing my own short checker in a .NET console app: https://github.com/ocdtrekkie/PwnPsswords