Bad Passwd Privacy Policy

Privacy policy for Android app Bad Passwd.

Who are you?

The developer of Bad Passwd is John Cook, a privacy-conscious and security-conscious private individual (legal person). Bad Passwd was developed with privacy and security in mind, which is why it isn’t covered by the GDPR.

What information do you collect?

Bad Passwd, at the user's request, collects passwords.

How do you use the information?

Bad Passwd takes an entered password, passes it through a one-way hash (SHA-1), and uses the first 5 characters of the resulting hash to download, from Have I Been Pwned?, the list of breached SHA-1 hashes that share those 5 characters. This process is known as the Cloudflare k-anonymity implementation.

Bad Passwd then checks whether the full SHA-1 hash of the entered password appears on that list (and, if so, how many times it has appeared in data breaches) and informs the user of the result.

At no time does the entered password leave the app, and the developer of Bad Passwd receives no data from users of the app. Bad Passwd is a user interface for a third-party Web API, so is essentially the same as using the Pwned Passwords feature on the Have I Been Pwned? Web site.
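As an added illustration of the range check described above (example code written for this page, not the Bad Passwd app's own source), the following Python carries out the same steps locally: hash the password with SHA-1, send only the 5-character prefix, and search the returned range for the remaining 35 characters. The network call is replaced by a constructed stand-in whose response lines follow the Pwned Passwords "SUFFIX:count" format; the function names, the filler suffixes and the counts are assumptions made for the example, and the recording wrapper exists only to show that nothing but the prefix leaves the device.

```python
import hashlib
from typing import Callable, Dict, List, Tuple


def sha1_hex_upper(password: str) -> str:
    """Hash the password once with SHA-1 and return upper-case hex."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix): the first 5 hex characters are all that
    is sent to the service; the remaining 35 stay on the device."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:count' lines of a range response into a dict.
    Lines are separated by CRLF in the real service; any line ending works here."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appeared in breaches, or 0 if absent.
    A count of 0 (the service can pad responses with 0-count lines) is
    treated the same as the suffix not being listed at all."""
    prefix, suffix = split_for_range_query(password)
    body = fetch_range(prefix)  # only the 5-character prefix is transmitted
    return parse_range_response(body).get(suffix, 0)


# Constructed offline stand-in for the range endpoint. The first suffix is the
# real tail of SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8;
# every count and the two filler suffixes are made up for this example.
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456",
        "0123456789ABCDEF0123456789ABCDEF012:2",
        "FEDCBA9876543210FEDCBA9876543210FED:0",   # padding-style 0-count line
    ]),
}


def make_recording_fetch(sent_prefixes: List[str]) -> Callable[[str], str]:
    """Wrap the stand-in so the caller can see exactly what was 'sent'."""
    def fetch(prefix: str) -> str:
        assert len(prefix) == 5 and all(c in "0123456789ABCDEF" for c in prefix)
        sent_prefixes.append(prefix)
        return CONSTRUCTED_RANGES.get(prefix, "")
    return fetch


def check_passwords(passwords: List[str]) -> Tuple[Dict[str, int], List[str]]:
    """Check each password and return (results, list of prefixes transmitted)."""
    sent: List[str] = []
    fetch = make_recording_fetch(sent)
    results = {pw: breach_count(pw, fetch) for pw in passwords}
    return results, sent


if __name__ == "__main__":
    results, sent = check_passwords(["password", "correct horse battery staple"])
    for pw, n in results.items():
        verdict = f"seen {n} times in breaches" if n else "not found in the sample range"
        print(f"{pw!r}: {verdict}")
    print("data that left the device:", sent)
```

The only values handed to `fetch` are 5-character hex prefixes, which is the whole privacy argument of the k-anonymity scheme: the service learns which of roughly one million hash buckets the password falls in, never the password or its full hash, and the matching is done against the downloaded bucket on the user's own device.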

As of , the Privacy Policy of Have I Been Pwned? says the following of the Pwned Passwords feature of their Web site:

The Pwned Passwords feature searches previous data breaches for the presence of a user-provided password. The password is hashed client-side with the SHA-1 algorithm then only the first 5 characters of the hash are sent to HIBP per the Cloudflare k-anonymity implementation. HIBP never receives the original password nor enough information to discover what the original password was.

(Have I Been Pwned?, "When you search Pwned Passwords", in "How Have I Been Pwned (HIBP) handles privacy")

What information do you share?

Users of Bad Passwd use the Have I Been Pwned? Pwned Passwords API directly, as detailed on the app download page. Therefore the information Bad Passwd shares is that which would be collected by Have I Been Pwned? if visited in a Web browser by the user.

As of , the Privacy Policy of Have I Been Pwned? says the following on Logging:

Only the bare minimum logs required to keep the service operational and combat malicious activity are stored. This includes transient web server logs, logging of unhandled exceptions using Raygun, Google Analytics to assess usage patterns and Application Insights for performance metrics. These logs may include information entered into a form by the user, browser headers such as the user agent string and in some cases, the user's IP address.

(Have I Been Pwned?, "Logging", in "How Have I Been Pwned (HIBP) handles privacy")