We'll now tell you if your email has been breached or hacked (on other providers)

8 months ago
Speedy little update here.

Bento will now tell you when you log in, or even sign up (yes, we'll slow down sales if it means keeping you secure), if the password you are using has turned up in a known data breach.

How are we doing it?

When you log in or sign up, we take the password you just typed, compute its SHA-1 hash (hex-encoded, 40 characters) and send only the first 5 characters of that hash to the Pwned Passwords range API at HaveIBeenPwned.com, the world's largest source of breached credentials. This is the k-Anonymity model described in https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange: the API answers with every breached hash suffix it knows that shares those 5 characters (typically several hundred of them), and we compare your full hash against that list on our own servers. If there is a match, your password has appeared in a public breach; if not, the service has learned nothing about you beyond a prefix that hundreds of other leaked hashes also share.

Neither the clear-text password nor the full password hash is ever transmitted to the service, and SHA-1 is used here only as a lookup key for the breach check, not as a password-storage hash.

More implementation details and important caveats can be found in https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
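The exchange described above, as an added example in Python that is not Bento's code or Have I Been Pwned's. Both sides are shown: a constructed in-process stand-in for the range endpoint (backed by a small made-up breach corpus with assumed counts) and the client logic that hashes, sends only the 5-character prefix and does the suffix comparison locally. The `fetch_range_http` function targets the real `https://api.pwnedpasswords.com/range/{prefix}` endpoint for production use but is not called in the offline demo.

```python
"""Offline demonstration of the k-anonymity range check for breached passwords.

The breach corpus and the in-process range server below are constructed for
this example; they are not HIBP data and this is not Bento's implementation.
"""
import hashlib
import urllib.request

# Constructed sample corpus: password -> number of times seen in breaches.
# Counts are assumed values for the demo, not real HIBP figures.
SAMPLE_BREACH_CORPUS = {
    "password": 3861493,
    "123456": 23597311,
    "letmein": 236663,
    "correct horse battery staple": 1,
}

PREFIX_LEN = 5  # 5 hex chars = 20 bits; every prefix covers ~1/1M of SHA-1 space


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the format Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix). Only the prefix ever leaves our server."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def serve_range(prefix: str) -> str:
    """Constructed stand-in for GET https://api.pwnedpasswords.com/range/{prefix}.

    Emits one 'SUFFIX:COUNT' line per corpus hash that starts with `prefix`,
    in the same text format as the real API. The real service returns hundreds
    of lines per range, which is what gives the caller its anonymity.
    """
    lines = []
    for pw, count in SAMPLE_BREACH_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[PREFIX_LEN:]}:{count}")
    return "\r\n".join(lines)


def fetch_range_http(prefix: str) -> str:
    """Real client for production use (not called in the offline demo)."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("refusing to send anything but a 5-character hex prefix")
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "example-k-anonymity-check"},  # assumed UA string
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates CRLF, blank lines and case."""
    result = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        result[suffix.upper()] = int(count)
    return result


def pwned_count(password: str, fetch_range=serve_range) -> int:
    """How many times `password` appears in the corpus (0 if never).

    The suffix comparison happens here, locally, so the service never learns
    which of the returned hashes, if any, matched the user's password.
    """
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def is_compromised(password: str, fetch_range=serve_range) -> bool:
    return pwned_count(password, fetch_range) > 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple", "zR7!qm-Lp2#vX9"):
        prefix, _ = split_hash(candidate)
        print(f"{candidate!r}: prefix sent={prefix} seen={pwned_count(candidate)} times")
```

Two practical notes: do the check server-side on the password the user just submitted (at login or sign-up), never on the stored credential hash, and treat a network failure of the range API as "unknown" rather than "safe" or "breached" so an outage neither locks users out nor silently disables the check.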

Why are we doing it?

We hope this leads to a more secure Bento, fewer freakouts, and helps educate our users on the importance of web security. It's just too important to us.