
Show HN: Building a future where security checks leave no permanent trails

1•csp_dev•1h ago
Every time someone checks if a password has been breached, a permanent record is created: this person checked this password at this time.

(All code is open-source, MIT licensed)

I've been exploring whether we can design a different future—one where security doesn't require this privacy trade-off. The Credential Shield Protocol (CSP) is a step in that direction: it allows checking password breaches without the checking service learning whether your password was actually found.

The key insight: send only a fragment (prefix) of the password hash. The server returns possible matches from breach databases, but the actual verification happens on your device. The server is intentionally kept "blind."

What's available today:
• RFC-style draft with formal analysis
• Complete reference implementation (Node.js)
• Test vectors and collision probability analysis

This is early-stage protocol research, not a product. I'm looking for:
- Cryptographic review of the approach
- Feedback on the threat model
- Implementation critique
- Discussion on whether this future is worth building toward

GitHub: https://github.com/IAmAxolotl-04/password-smoke-detector
RFC Draft: https://github.com/IAmAxolotl-04/password-smoke-detector/tre...

Comments

chrisjj•1h ago
Surely this is just a data compression exercise - proved by the fact that where the database is small enough to be downloaded and stored locally, the vulnerability need not exist.
pkolbus•32m ago
The concept of sending a hash prefix is exactly what haveibeenpwned.com uses for its Pwned Passwords API, and has used for years. Although that uses SHA-1, no other details of the credential are sent. https://haveibeenpwned.com/API/v3#PwnedPasswords. The shorter prefix length increases the size of the response and makes it harder for the server to infer which of the hashes is of interest to the client; it also facilitates caching.

There is also Password Set Intersection with Blinding, which takes advantage of homomorphic encryption: https://openmined.org/blog/private-set-intersection/

Neither of these leaves the record that a particular password was checked at a particular time.

I’d also argue that anything requiring a server query leaves some record and is not “100% local”, although some server interaction is pragmatic given the billions of breach records. What is important is to not leave an additional record of a user/password association.
