This concept became popular when it started being used to verify whether a password appears in a breach
database without disclosing the actual password (either in cleartext or in hashed form).
Checking a password against a leak database only requires a very simple implementation, described in a few steps:
1. First, create a hash of the password under investigation with the same algorithm used by the breached password
database; this is usually SHA-1 or similar.
2. Take the first few characters of this hash, and request all matching hashes that belong to breached or
compromised passwords. Due to the nature of hashing algorithms, this will usually reduce the number of
matches from billions of records down to a few dozens or hundreds.
3. After the list of matches is retrieved, compare each one in full against the local hash to determine whether
there is a match; a match means the password has already been breached.