I implemented @troyhunt's HIBP password list as a pure Python3 Bloom filter, in 629MB (false positive rate = 0.0005) https://gist.github.com/marcan/23e1ec416bf884dcd7f0e635ce5f2724
I'd reword 'should never be used', sounds a bit... preachy/controlling. Perhaps 'is not safe to use'?
Great idea btw.
That's pretty damn cool to be fair...
Thanks
Where is the cleartext password hashed to sha1? Client side?
Server side. There would be little to no benefit to doing it client side. Obviously SHA1 isn't used for storage, just the list.
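Added example, not the gist's code and not anything from HIBP: a pure-Python Bloom filter keyed on SHA-1 digests, the form the Pwned Passwords list is distributed in, with the standard sizing formulas that turn an entry count and a target false positive rate into a bit-array size and hash count. The double-hashing construction for the k bit positions, the 320 million entry count used to sanity-check the "629MB at p = 0.0005" figure, and the sample password list are all assumptions made for this example. The cleartext is hashed server side, as in the reply above; SHA-1 here is only the lookup key for the list, not a storage hash.

```python
import hashlib
import math
import random


def optimal_bits(expected_items: int, false_positive_rate: float) -> int:
    """Bloom filter size m in bits for n items at target false positive rate p."""
    return math.ceil(-expected_items * math.log(false_positive_rate) / (math.log(2) ** 2))


def optimal_hashes(bits: int, expected_items: int) -> int:
    """Number of hash functions k that minimises the false positive rate for m bits and n items."""
    return max(1, round(bits / expected_items * math.log(2)))


def estimated_size_megabytes(expected_items: int, false_positive_rate: float) -> float:
    """Bit-array size in MB (10^6 bytes) for the given n and p; a sanity check on the 629MB figure."""
    return optimal_bits(expected_items, false_positive_rate) / 8 / 1_000_000


class PwnedPasswordFilter:
    """Bloom filter over SHA-1 digests, i.e. the entries of the HIBP password list."""

    def __init__(self, expected_items: int, false_positive_rate: float) -> None:
        self.m = optimal_bits(expected_items, false_positive_rate)
        self.k = optimal_hashes(self.m, expected_items)
        self.bits = bytearray((self.m + 7) // 8)

    @staticmethod
    def _digest(password: str) -> bytes:
        # Server-side SHA-1 of the cleartext, matching how the list itself is keyed.
        return hashlib.sha1(password.encode("utf-8")).digest()

    def _positions(self, digest: bytes) -> list:
        # Assumption: derive the k bit positions from the 20-byte digest by double
        # hashing (h1 + i*h2 mod m), with h2 forced odd. This is a standard Bloom
        # construction chosen for this example, not necessarily what the gist does.
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add_sha1_hex(self, hexdigest: str) -> None:
        """Insert one line of the HIBP list: 40 hex characters, either case."""
        digest = bytes.fromhex(hexdigest.strip())
        if len(digest) != 20:
            raise ValueError("not a SHA-1 digest: %r" % hexdigest)
        for pos in self._positions(digest):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def add_password(self, password: str) -> None:
        """Convenience for building a test filter from cleartexts instead of list lines."""
        self.add_sha1_hex(self._digest(password).hex())

    def probably_pwned(self, password: str) -> bool:
        """True if the password MAY be in the list (rate p of false alarms); False is definite."""
        digest = self._digest(password)
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(digest))


def build_demo_filter() -> PwnedPasswordFilter:
    """Constructed sample: a filter sized for 1000 entries and filled to capacity."""
    weak = ("password", "123456", "letmein", "qwerty", "hunter2")
    # Constructed list lines in the HIBP download format (uppercase hex SHA-1, one per line).
    constructed_lines = [hashlib.sha1(p.encode()).hexdigest().upper() for p in weak]
    constructed_lines += [hashlib.sha1(("filler-%d" % i).encode()).hexdigest().upper()
                          for i in range(1000 - len(weak))]
    bf = PwnedPasswordFilter(expected_items=1000, false_positive_rate=0.0005)
    for line in constructed_lines:
        bf.add_sha1_hex(line)
    return bf


def false_positive_count(bf: PwnedPasswordFilter, trials: int = 10000, seed: int = 1234) -> int:
    """Query random never-inserted passwords; expect roughly p * trials hits."""
    rng = random.Random(seed)
    return sum(bf.probably_pwned("%032x" % rng.getrandbits(128)) for _ in range(trials))


if __name__ == "__main__":
    bf = build_demo_filter()
    print("m=%d bits, k=%d" % (bf.m, bf.k))
    print("'password' pwned?", bf.probably_pwned("password"))
    print("false positives in 10000 random queries:", false_positive_count(bf))
    print("full list at 320M entries, p=0.0005: %.0f MB" % estimated_size_megabytes(320_000_000, 0.0005))
```

The property to keep in mind when wiring this into a signup form: a Bloom filter has no false negatives, so a password that was in the list is always rejected, but at p = 0.0005 about one in two thousand perfectly good passwords is also rejected. That is harmless if the response is "please pick another password", and it is why the filter must not be used the other way round (to prove a password is safe).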
New conversation
I would advise against using such a massive block list, top 1K-10K is enough, & implement other serverside features instead. Better UX.
Top 1K-10K is way too easy to brute force. I could implement attempt throttling, but that's a massive can of worms and hard to get right.
New conversation
And here is the evidence for @thorsheim comment and how to do it right. https://www.internetsociety.org/sites/default/files/usec2017_01_3_Habib_paper.pdf
wow your poor users :) Is this a show stopper for them or a gentle warning?
@troyhunt I don't think "please pick another password" is a major showstopper :P