Data Breach Sources

How does the “This password is part of an exposed data breach” functionality work?
I read about an API call from the client extension to, however, when I check the flagged password against the website, it comes back clean.

Are there other sources?


Hi @abcyb Welcome to the forum!

Which browser are you using? Browsers also have these warnings - possibly it is from the browser and not the extension?

It’s a little hard to find in the code because it’s named powned, but here is a link to the trusted function which calls the API: passbolt_browser_extension/pownedService.js at 22a0bb9992303676a17d4c3c6bb1929d27d76ce1 · passbolt/passbolt_browser_extension · GitHub

A simple call is being made with the string of the password which was entered.


Indeed, as mentioned by @garrett, we are using the API. Is it the same one you are using to check on your side when it comes back clean?

Thanks in advance.

I am using Chrome, but I am not using the integrated Google Password Manager (which has this functionality afaik). I deactivated all extensions in Chrome except passbolt and can still see the warning.

I checked with Have I Been Pwned: Pwned Passwords
The password that is flagged in passbolt comes back clean on the website.

@abcyb is the password length short? Passbolt may assume it’s part of a breach if it’s short, even though it is not listed as breached by pwnedpasswords.


Here’s what it looks like on a fresh Chrome install if it’s coming from Chrome:

It looks like this could be the case, I just tested with some random passwords. We usually do 25+ characters so I never encountered this issue before :slight_smile:

ghdlakd → “Data Breach” Very weak (entropy: 32.9 bits)
ghdlakd1 → “safe” Very weak (entropy: 41.4 bits)
Same for whatever randomized character I use instead of the “1”.
So, everything above 8 characters seems to be “okay”, everything below is a “data breach”.

I really appreciate this feature, but it should just say “your password is sh$t” instead of telling me that it is part of a data breach, because that is a bit of another level of “sh$t” :slight_smile:

Well, our customer has to change their passwords anyway, so not much loss. But it does lead to false assumptions.


This is good feedback thank you @abcyb


If I remember correctly it was designed like this to avoid hammering the pwned API. We could change the message, like “your password is part of a dictionary” instead.


Though that may not be the case.

Maybe: “too short for testing against data breaches”
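The behaviour the thread converges on, written out as an added example that is not passbolt’s extension code: passwords under a length threshold are reported without any lookup, longer ones are checked against the Pwned Passwords range API by sending only the first five hex characters of the SHA-1 (k-anonymity) and matching the suffix locally. The 8-character threshold is an assumption taken from the observations above, the function names are mine, and the offline range body is constructed sample data.

```python
import hashlib
import urllib.request
from typing import Callable, Tuple

# Assumption drawn from the thread: below this length the password is
# flagged as weak without consulting the breach API at all.
MIN_LENGTH_FOR_LOOKUP = 8
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the API and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_hibp_range(prefix: str) -> str:
    """Live lookup: returns the 'SUFFIX:COUNT' lines for one hash prefix."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str,
                   fetch_range: Callable[[str], str] = fetch_hibp_range) -> Tuple[str, int]:
    """Return (verdict, count) where verdict is 'too-short', 'breached' or 'clean'.
    fetch_range is injectable so the matching logic can run offline."""
    if len(password) < MIN_LENGTH_FOR_LOOKUP:
        # Short-circuit with no API call: this is why a short password can be
        # flagged here yet come back clean when pasted into the HIBP website.
        return "too-short", 0
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return "breached", int(count or 0)
    return "clean", 0


def constructed_range_for(password: str, count: int = 3) -> str:
    """Constructed sample API body: the given password's suffix plus one
    unrelated entry, in the same 'SUFFIX:COUNT' line format the API returns."""
    _, suffix = sha1_prefix_suffix(password)
    return f"{suffix}:{count}\r\n0000000000000000000000000000000000A:1\r\n"


if __name__ == "__main__":
    print("ghdlakd ->", check_password("ghdlakd", lambda p: ""))
    print("ghdlakd1 (in constructed set) ->",
          check_password("ghdlakd1", lambda p: constructed_range_for("ghdlakd1")))
```

Drop the second argument to `check_password` to run the real lookup; only the prefix is sent, so the password itself is never transmitted.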