We have the full password cached locally on the AD server as an encrypted hash. We are only sending the first 10 characters of the hash to the cloud. It is then compared to any potential matches. If matches are found, they are then sent back to do a full comparison locally on the machine.