Is the password list really bigger than 659MB? Seems like a gzip on a sorted list would be smaller.
Over 5GB and distributed with hashed passwords so doesn't compress well
And this is how I will be using it in production, on the @euskalencounter reservations website. Comments welcome :) pic.twitter.com/al2DpM2z5P
I'd reword 'should never be used', sounds a bit... preachy/controlling. Perhaps 'is not safe to use'?
bloom.py test -s pwned-passwords-1.0u1.bloom marcan Found ;) Great idea and implementation, thanks for sharing.
There's a l10n issue here, unfortunately. If I'm going to provide a longer explanation I need it in 3 languages and I don't even speak one.
Which languages do you need? I guess Twitter speaks them fluently...
Nobody does that and that serves zero purpose. If you hash passwords client side the hash becomes the password. I do use HTTPS.
Also, client-side hashing makes it impossible to enforce password rules (the few that I have anyway: 6 chars min and printable ASCII only).
PBKDF2. Each of bcrypt/scrypt/pbkdf2 has its pros and cons, and all three are adequate for password storage in practice (w/ good params).