2

The way I understand HaveIBeenPawned password API is that it's a safe system because the site "can't do much with my partial hash even if they wanted to". But is that really true? Is the following scenario feasible?

  1. My password is thisisnotsecureanymore
  2. Its SHA1 is 37cbd1e930b737e4bcbd149c2fcaccbe066ce9c4

  3. I submit https://api.pwnedpasswords.com/range/37cbd (no match)

  4. HaveIBeenPawned turns to the dark side and starts recording my IP + request.
  5. I submit https://api.pwnedpasswords.com/range/37cbd (no match)
  6. I submit https://api.pwnedpasswords.com/range/37cbd (no match)
  7. I submit https://api.pwnedpasswords.com/range/37cbd (no match)
  8. Over time HaveIBeenPawned gets more lists and there are 100 new 37cbd entries in it. Mine isn't in there yet. Periodically they keep trying to brute force with all ~500 entries against login portal at the IP I'm running the API from (although they could probably just check the 100 new ones because if there was a match, I would soon change my password and stop hitting their API. The fact I keep checking is also a signal for them).
  9. I submit https://api.pwnedpasswords.com/range/37cbd (no match)
  10. I submit https://api.pwnedpasswords.com/range/37cbd (no match)
  11. I submit https://api.pwnedpasswords.com/range/37cbd (no match)
  12. HaveIBeenPawned gets 101st entry 37cbd1e930b737e4bcbd149c2fcaccbe066ce9c4 hash and doesn't tell me about it.
  13. HaveIBeenPawned goes to my IP address and logs in with the clear text password.

The key to the vulnerability is that I keep coming to check the same hash (revealing that it has some value to me), but because HaveIBeenPawned sits on knowledge that I don't have (news about my recently leaked password), they can use that against me. It's a long game requiring patience, but I think it would be an effective way to reduce search space.

I have two ideas how to thwart this vulnerability:

  • Use Tor to randomize my IP somewhat
  • Send 100 fake requests for each real one. The signal is still in the noise, it's just a little bit more buried now... is it buried enough?
  • Is there a better way?

If your answer is "HaveIBeenPawned would never do that, if you don't trust HaveIBeenPawned, then just don't use them", I already know that. My question is "Can I use HaveIBeenPawned more safely even though I don't fully trust them?"

user3280964
  • If you're truly paranoid (which is a reasonable state of mind when it comes to authentication), the answer is to only use the PwndPasswords API when setting and resetting a password, and never reuse any password for any reason. If your password is cryptographically random and at least 32 characters long, then you'll have to wait for the heat death of the universe before it's likely that anyone else in the entire universe also picked your password, or is likely to brute force it. – Ghedipunk Jul 26 '19 at 22:17
  • Although it has practical issues, you can obtain the full list of SHA-1 hashes. Searching locally doesn't leak information the same way any kind of API would. There's nothing you can do, however, to prevent or detect the website omitting from its lists passwords it knows to be pwned. – Future Security Jul 26 '19 at 22:26

1 Answer

9

To answer your specific question - "is super paranoid use of Have I Been Pawned password API going to help?" - yes, it is. Question is by how much and whether it's worth the effort to reduce the risk. But you make a lot of assumptions that are worth addressing:

  1. You assume that you're using a weak password. Almost without exception, every password in Pwned Passwords is weak. One of the primary reasons is that they're often sourced from cracked hashes and strong passwords (generated by a password manager or a pass phrase)
  2. You assume you're reusing passwords. If you're creating a unique one on your login portal then it's never going to appear in Pwned Passwords.
  3. You assume you're publicly exposing a login portal to the world from your home IP address. There's a whole bunch of reasons why you really don't want to do this.

Thing is, if you're doing point 1 and point 2 (which you most definitely should be), there's no real value in Pwned Passwords anyway. So do that - create strong, unique passwords - and don't hit HIBP at all! And if you really, really want to check password exposure without sharing even a hash prefix, download the data for free and check it locally: https://haveibeenpwned.com/Passwords

BTW - When you say "they", it's actually just me

Troy Hunt
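
The local check suggested in the answer and in the comments, sketched as an added example (not code from the answer's author or from HIBP): it assumes the downloaded list is a text file ordered by hash with one uppercase `SHA1HEX:COUNT` entry per line, and the function names and sample passwords are constructed for illustration. Nothing, not even a hash prefix, leaves the machine.

```python
import hashlib
import os
import tempfile

def sha1_hex(password: str) -> bytes:
    """Uppercase hex SHA-1, the form assumed for the downloaded list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper().encode()

def local_pwned_count(path: str, password: str) -> int:
    """Return the listed count for password, or 0 if it is absent.

    Binary search over byte offsets of a hash-ordered 'SHA1HEX:COUNT' file.
    """
    target = sha1_hex(password)
    with open(path, "rb") as f:
        lo, hi = 0, os.path.getsize(path)  # a match starts in [lo, hi)
        while lo < hi:
            mid = (lo + hi) // 2
            if mid:
                f.seek(mid - 1)
                f.readline()               # move to first line start >= mid
            else:
                f.seek(0)
            pos = f.tell()
            line = f.readline()
            if pos >= hi:                  # no line starts in [mid, hi)
                hi = mid
                continue
            key, _, count = line.strip().partition(b":")
            if key == target:
                return int(count)
            if key < target:
                lo = f.tell()              # continue after this line
            else:
                hi = mid
    return 0

def write_sample_list(path: str, entries: dict) -> None:
    """Write a constructed sample list (not real breach data)."""
    rows = sorted(sha1_hex(p) + b":" + str(n).encode() for p, n in entries.items())
    with open(path, "wb") as f:
        f.write(b"\r\n".join(rows) + b"\r\n")

if __name__ == "__main__":
    sample = os.path.join(tempfile.mkdtemp(), "pwned-sample.txt")
    write_sample_list(sample, {"password": 3, "letmein": 2, "qwerty": 5})
    for pw in ("letmein", "thisisnotsecureanymore"):
        print(pw, local_pwned_count(sample, pw))
```

As the second comment points out, a local search removes the query leak but cannot detect entries that were omitted from the published list.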