---
title: Check for compromised passwords
summary: null
url: https://www.fastly.com/documentation/solutions/demos/hibp-kv-store
---

## What's happening here?

A Fastly Compute service inspects passwords submitted either at login or signup, before they are sent to the origin backend. It verifies whether a password is compromised (leaked in previous known data breaches) using the [HaveIBeenPwned](https://haveibeenpwned.com/Passwords) passwords dataset. 

While such checks can be done by using the HIBP [APIs](https://haveibeenpwned.com/API/v3#PwnedPasswords), this implementation uses pre-generated filters for the leaked password hashes, persisted on Fastly [KV Stores](https://docs.fastly.com/en/guides/working-with-kv-stores) for fast lookups. Once a password is flagged as compromised, the service adds a header to the request to indicate this. The backend can then choose to reject the password (signup use case), redirect the user to a password reset page (login use case), send a signal to a credential stuffing detector, or take other actions.

## Pre-generated filters

[BinaryFuse8](https://pkg.go.dev/github.com/FastFilter/xorfilter@v0.1.4) filters are used, with 9-bit fingerprints per entry. While filters are probabilistic data structures, given the fingerprint size and load factors, the estimated false positive rate is only about 0.3%. The use of filters also compresses the dataset from about 38GB to 1GB.

To further reduce resource consumption, password hashes are grouped using a 3-character prefix, with a separate filter for each prefix stored in a [KV Store](https://www.fastly.com/documentation/learning/concepts/edge-state/data-stores/#kv-stores). Only the filters for the prefixes that are relevant to the password being checked are loaded — typically about 250KB.
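The following is an added example, not code from the Fastly demo repository, showing the end-to-end flow the sections above describe: hash the submitted password with SHA-1 (the key form of the HIBP dataset), pick the filter for its 3-character prefix, query it, and tag the request with a header if it matches. Two things are assumptions made to keep the example in the Go standard library: a plain Bloom filter stands in for BinaryFuse8 (same membership semantics, a different probabilistic structure), and an in-memory map keyed by prefix stands in for the KV Store. The header name `X-Password-Compromised` and the three breached passwords are constructed for the example; the page does not specify them.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"hash/fnv"
	"math"
	"net/http"
	"strings"
)

// PrefixLen is the 3-character hash prefix the filters are grouped by.
const PrefixLen = 3

// CompromisedHeader is an assumed name; the page only says "a header" is added.
const CompromisedHeader = "X-Password-Compromised"

// passwordHash returns the upper-case hex SHA-1 of a password, the key form
// used by the HIBP Pwned Passwords dataset.
func passwordHash(pw string) string {
	sum := sha1.Sum([]byte(pw))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// BloomFilter is a stand-in for BinaryFuse8 (assumption: the real demo uses
// github.com/FastFilter/xorfilter; a Bloom filter keeps this example stdlib-only).
type BloomFilter struct {
	bits []uint64
	m    uint64 // number of bits
	k    int    // number of hash positions per key
}

// NewBloomFilter sizes the bit array and hash count for n keys at the target
// false positive rate using the standard Bloom sizing formulas.
func NewBloomFilter(n int, fpRate float64) *BloomFilter {
	if n < 1 {
		n = 1
	}
	m := uint64(math.Ceil(-float64(n) * math.Log(fpRate) / (math.Ln2 * math.Ln2)))
	k := int(math.Ceil(float64(m) / float64(n) * math.Ln2))
	return &BloomFilter{bits: make([]uint64, (m+63)/64), m: m, k: k}
}

// positions derives k bit positions from two FNV hashes (double hashing).
func (b *BloomFilter) positions(key string) []uint64 {
	h1 := fnv.New64a()
	h1.Write([]byte(key))
	h2 := fnv.New64()
	h2.Write([]byte(key))
	a, c := h1.Sum64(), h2.Sum64()|1 // non-zero step so the positions differ
	pos := make([]uint64, b.k)
	for i := 0; i < b.k; i++ {
		pos[i] = (a + uint64(i)*c) % b.m
	}
	return pos
}

func (b *BloomFilter) Add(key string) {
	for _, p := range b.positions(key) {
		b.bits[p/64] |= 1 << (p % 64)
	}
}

// Contains may report a false positive but never a false negative.
func (b *BloomFilter) Contains(key string) bool {
	for _, p := range b.positions(key) {
		if b.bits[p/64]&(1<<(p%64)) == 0 {
			return false
		}
	}
	return true
}

// FilterStore maps a hash prefix to its filter; it stands in for the KV Store,
// where each prefix would be a separate key holding a serialized filter.
type FilterStore map[string]*BloomFilter

// BuildFilters groups breached hashes by prefix and builds one filter per group,
// mirroring the offline pre-generation step.
func BuildFilters(breachedHashes []string, fpRate float64) FilterStore {
	groups := map[string][]string{}
	for _, h := range breachedHashes {
		groups[h[:PrefixLen]] = append(groups[h[:PrefixLen]], h)
	}
	store := FilterStore{}
	for prefix, hashes := range groups {
		f := NewBloomFilter(len(hashes), fpRate)
		for _, h := range hashes {
			f.Add(h)
		}
		store[prefix] = f
	}
	return store
}

// IsCompromised loads only the filter for the password's prefix and queries it.
func (s FilterStore) IsCompromised(pw string) bool {
	h := passwordHash(pw)
	f, ok := s[h[:PrefixLen]]
	if !ok {
		return false // no breached hash shares this prefix
	}
	return f.Contains(h)
}

// Inspect is the edge-side step: tag the request before it is forwarded to origin.
func Inspect(store FilterStore, req *http.Request, pw string) bool {
	if store.IsCompromised(pw) {
		req.Header.Set(CompromisedHeader, "true")
		return true
	}
	return false
}

func main() {
	// Constructed sample: three weak passwords stand in for the HIBP dataset.
	breached := []string{passwordHash("password"), passwordHash("123456"), passwordHash("qwerty")}
	store := BuildFilters(breached, 0.003) // matches the page's ~0.3% target
	req, _ := http.NewRequest("POST", "https://example.com/login", nil)
	for _, pw := range []string{"password", "abc"} {
		flagged := Inspect(store, req, pw)
		fmt.Printf("%-10q compromised=%v header=%q\n", pw, flagged, req.Header.Get(CompromisedHeader))
		req.Header.Del(CompromisedHeader)
	}
}
```

Because the prefix lookup happens before the filter query, a password whose prefix has no breached entries is cleared without loading anything, which is the same property that lets the real service fetch only the ~250KB of filter data relevant to a given check. The origin must still treat the header as advisory: a filter hit is a probable match, not a proof, so the appropriate response is the policy decision described above (reject, reset, or signal) rather than an accusation.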

The source code for this demo is available on [GitHub](https://github.com/fastly/compute-hibp-filter).
