How to explain the k-anonymity model used by HaveIBeenPwned for pwned passwords to a layman?


People are naturally skeptical when they hear about the HaveIBeenPwned pwned passwords search, because who in their right mind would enter their password into a random website? And sure, HIBP uses k-anonymity to make sure they don’t know your password, but if you’re not familiar with how hashing algorithms work and how the k-anonymity model works, that just sounds like a bunch of technobabble from Doctor Who that you probably can’t trust.

How can I best explain the k-anonymity model as used by HIBP to a layman?
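A runnable walk-through of what the HIBP range query actually does, added here as an example (not code from the question or from HIBP itself). It follows the published Pwned Passwords API design (SHA-1 in hex, a 5-character prefix sent to the server, `SUFFIX:COUNT` reply lines) but talks to a constructed offline stand-in for the server that logs every request, so you can show a skeptic that the server only ever receives 5 characters and the real comparison happens on the client.

```python
import hashlib

# Constructed "breach corpus" for this offline demo: plaintext -> times seen in leaks.
# Real HIBP stores only SHA-1 hashes; we hash these plaintexts ourselves to build the table.
CONSTRUCTED_LEAKS = {"password": 3, "letmein": 1, "qwerty": 2}
PREFIX_LEN = 5  # HIBP's published range API keys on the first 5 hex chars of the SHA-1


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> tuple[str, str]:
    """Split the 40-char hash into the part that is sent (prefix) and the part kept (suffix)."""
    return full_hash[:PREFIX_LEN], full_hash[PREFIX_LEN:]


class FakeRangeServer:
    """Offline stand-in for api.pwnedpasswords.com/range/{prefix}; logs what it receives."""

    def __init__(self, leaks: dict[str, int]) -> None:
        self.table = {sha1_hex(p): n for p, n in leaks.items()}
        self.requests_seen: list[str] = []

    def range(self, prefix: str) -> list[str]:
        self.requests_seen.append(prefix)
        # Every stored hash sharing the prefix comes back as a "SUFFIX:COUNT" line,
        # the same shape as the real API's response body. The server cannot tell
        # which of these lines (if any) is the one the client cares about.
        return [f"{h[PREFIX_LEN:]}:{n}" for h, n in sorted(self.table.items())
                if h.startswith(prefix)]


def check_password(password: str, server: FakeRangeServer) -> int:
    """Client side: send only the prefix, compare suffixes locally, return the breach count."""
    prefix, suffix = split_hash(sha1_hex(password))
    for line in server.range(prefix):
        found_suffix, count = line.split(":")
        if found_suffix == suffix:  # the match happens here, never on the server
            return int(count)
    return 0


if __name__ == "__main__":
    server = FakeRangeServer(CONSTRUCTED_LEAKS)
    print("password ->", check_password("password", server), "hits")
    print("server only ever saw:", server.requests_seen)  # 5-char prefixes, no full hashes
```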