Troy Hunt did a great write-up on the subject. You can check it out here.
In short, there are millions of bad or compromised passwords in the breached password list. To safely check whether your user's password is on that list, without sending the password (or its full hash) off the client:
- Create a SHA1 hex digest of the password on the client/browser/JS
- Take the first 5 characters of that SHA1
- Check those characters against the breached DB: `https://api.pwnedpasswords.com/range/[SHA1 5 char range]`
- That API returns a list (typically hundreds of entries) of hash suffixes that share that 5-character prefix, each with a hit count
- Then check that list for the remaining characters of your hash (everything after the first 5)
- If the suffix is in the list, it is probably a bad password
- Tip: You can use the hit count to determine just how bad it is
Here is a JavaScript (ES6) implementation using `sha1` and `axios`:
https://gist.github.com/sshadmand/548d6787050897697e2e99029a1683bb.js