How bad would a partial hash leak be, realistically?

Actually, it's as bad as a full hash leak.


Hash-cracking is done by:

  1. Generating password candidates
  2. Hashing them
  3. Comparing the resulting hashes to the hash you want to crack

None of those steps will be slower in case of a partial hash leak, so this is very similar to a full hash leak speed-wise.


Please note that if the partial hash output is not long enough, a lot of password candidates will match. In that scenario, you can't know which candidate was the real password.


It depends on how good the password is, and the size of the hash prefix.

Large prefix / bad password

If we assume this is a hash of an average Joe's password which contains say 30 bits of entropy ("mySuperSecretPassword123" almost certainly contains less entropy than this), and to be conservative we follow Kerckhoffs's principle and assume the attacker knows how the password was generated, then there are only 2^30 possible passwords. If the prefix leaked is 80 bits from a SHA-1 hash, then it is extremely likely that there will be only one password candidate that matches the hash prefix.

Basically, if log2(password space) is smaller than the leaked prefix, you might as well consider the entire hash to have leaked.

Small prefix / good password

What if the prefix is small or the password is good(ish)? Say for example you have a password space of 2^50, and you've leaked a 40-bit prefix. An attacker can't just crack the password, since there will be around 2^10 passwords that match the hash, but this is still a problem. 2^50 is much too large to launch an online attack, even without rate limiting. But if an attacker can pre-filter their guesses to those that match the prefix in an offline attack, they would only need to try 2^10 in the online attack, which may be feasible.

If log2(password space) - prefix size > 0 then the attacker likely won't be able to crack the exact password, but if it's small enough, they can generate a pool of password candidates for use in an online attack.

Very good password

Of course, if you randomly choose from a password space larger than 2^100 (to be conservative) with uniform probability, then leaking a partial or full hash is irrelevant, as it's never going to be cracked anyway.
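An added example, not part of the answer above: it checks the answer's rule of thumb (log2(password space) minus prefix size) by predicting how many candidates share a leaked SHA-1 prefix and then measuring it. The 16-bit "pw-NNNNN" password space and all function names are constructed for this illustration.

```python
import hashlib

def expected_matches(space_bits, prefix_bits):
    """Expected candidates sharing the leaked prefix: the real password
    plus chance matches among the rest of the password space."""
    return 1 + (2 ** space_bits - 1) * 2.0 ** (-prefix_bits)

def exposure(space_bits, prefix_bits, strong_bits=100):
    """Classify a leak using the three cases from the answer above.
    strong_bits=100 is the answer's conservative 'never cracked' bound."""
    if space_bits >= strong_bits:
        return "irrelevant: space too large to search"
    if space_bits <= prefix_bits:
        return "treat as full hash leak"
    return "partial: about 2^%d candidates survive" % (space_bits - prefix_bits)

def sha1_prefix(password, bits):
    """Top `bits` bits of SHA-1(password) as an integer."""
    digest = hashlib.sha1(password.encode()).digest()
    return int.from_bytes(digest, "big") >> (160 - bits)

def count_survivors(candidates, real_password, bits):
    """How many candidates hash to the same prefix as the real password."""
    leaked = sha1_prefix(real_password, bits)
    return sum(1 for c in candidates if sha1_prefix(c, bits) == leaked)

# Constructed 16-bit password space, small enough to enumerate in a demo.
SPACE_BITS = 16
CANDIDATES = ["pw-%05d" % i for i in range(2 ** SPACE_BITS)]
REAL = CANDIDATES[31337]

if __name__ == "__main__":
    for bits in (8, 12, 64):
        print(bits, "bit prefix:",
              "predicted %.1f," % expected_matches(SPACE_BITS, bits),
              "measured", count_survivors(CANDIDATES, REAL, bits),
              "->", exposure(SPACE_BITS, bits))
```

The count of survivors is what matters for defence: once it falls within what online rate limiting and lockout would still allow, the partial leak should be handled like a full one and the password rotated.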


If you only have half a 160-bit hash, then that means you have 80 unknown bits. This results in $2^{80} = 1.2089258196146292e+24$ possible hashes left.

That means that your password can be hashed to one of those, and that does exponentially reduce the number of possible passwords (2^80 times less), but an attacker CANNOT find your password only based on this, if we assume your password is totally random.

Obviously, that is rarely the case, so if someone were to use a modern dictionary attack that generates the password, they’d probably end up with a relatively small list of probable passwords. That small list of passwords could then be tested against the real authentication service to get the precise password.

TLDR:

  • if password is random: Should be ok
  • if password can be generated with a modern dictionary attack (e.g. smolbanana73): Would recommend changing it.

Note: Have I Been Pwned does ask you for the first few bits of your password to check if it’s in their lists, but it’s small enough that it is insignificant.