
Ask HN: Is a 10Gb Docker image with the haveibeenpwned db on it a bad idea? - fuhrysteve
We have a site with sensitive data on it, and need to verify, when users create a new password, that the password has not been previously exposed in a known breach. The way everyone seems to be doing this is by downloading and searching the 10gb haveibeenpwned database for sha1 matches of the candidate password.

We know that it's best practice to keep docker images small, however this seems like a tempting solution for an annoying problem: simply make a 10Gb Docker image that downloads the haveibeenpwned database (which is ~10Gb) as part of the image, and expose a searchable API. Sure it would be slow to deploy an image that large on Kubernetes, but it seems like it'd otherwise be easy to maintain.

How are you checking passwords against haveibeenpwned / similar for your users?
======
LinuxBender
This makes sense to me. We did something similar, just not in docker, but
docker is just packaging/deployment.

------
reimertz
Hi there,

Is there a reason why you don't integrate with their API instead? Seems like
they have what you need:
[https://haveibeenpwned.com/API/v2](https://haveibeenpwned.com/API/v2)

~~~
fuhrysteve
How much do you trust k-anonymity?

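The two approaches discussed in this thread side by side, as an added example that is not code from the thread or from Have I Been Pwned: a seek-based binary search over the hash-ordered download (so the 10 GB file is never loaded into memory), and a client for the k-anonymity range lookup where only the first 5 hex characters of the SHA-1 leave the client. The "database" is a constructed four-line sample in the download's `UPPERCASE_SHA1:COUNT` format with invented counts, and the range endpoint is simulated by a local function that returns the same `SUFFIX:COUNT` body shape as `GET https://api.pwnedpasswords.com/range/{prefix}`; no network is used.

```python
import hashlib
import os
import tempfile

# Constructed sample of the Pwned Passwords "ordered by hash" download:
# one "UPPERCASE_SHA1_HEX:COUNT" line per hash, sorted by hash.
# Passwords and counts are made up for this example; the real file is ~10 GB.
SAMPLE_PASSWORDS = {
    "password": 3861493,
    "123456": 23597311,
    "letmein": 231532,
    "qwerty": 3946737,
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_sample_db(path: str) -> None:
    rows = sorted((sha1_hex(pw), n) for pw, n in SAMPLE_PASSWORDS.items())
    with open(path, "wb") as f:
        for h, n in rows:
            f.write(f"{h}:{n}\r\n".encode("ascii"))


def lookup_local(path: str, password: str) -> int:
    """Binary-search the hash-ordered file on disk; nothing is loaded into RAM.

    Lines have variable length, so each probe seeks to a byte offset, skips the
    partial line it landed in and compares the next full line. Fixed-width
    uppercase hex means byte order equals numeric order. Returns the breach
    count, or 0 when the hash is absent.
    """
    target = sha1_hex(password).encode("ascii")
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        lo, hi = 0, f.tell()              # a matching line, if any, starts in [lo, hi)
        while lo < hi:
            mid = (lo + hi) // 2
            if mid > 0:
                f.seek(mid - 1)
                f.readline()              # consume the rest of the line containing mid-1
            else:
                f.seek(0)
            line_start = f.tell()         # first line start >= mid
            line = f.readline()
            if not line:                  # no full line at or after mid: go left
                hi = mid
                continue
            h, _, count = line.rstrip(b"\r\n").partition(b":")
            if h == target:
                return int(count)
            if h < target:
                lo = line_start + len(line)
            else:
                hi = mid
    return 0


def range_api_server(path: str, prefix: str) -> str:
    """Simulated server side of the k-anonymity range endpoint (assumption: a
    linear scan over the sample file; the real service serves pre-bucketed data).

    Returns every "SUFFIX:COUNT" line whose hash starts with the 5-hex-char
    prefix, the response shape of GET https://api.pwnedpasswords.com/range/{prefix}.
    """
    prefix = prefix.upper()
    out = []
    with open(path, "rb") as f:
        for raw in f:
            h, _, count = raw.decode("ascii").rstrip("\r\n").partition(":")
            if h.startswith(prefix):
                out.append(f"{h[len(prefix):]}:{count}")
    return "\r\n".join(out)


def lookup_via_range(password: str, fetch) -> int:
    """Client side: only the first 5 hex chars of the SHA-1 are sent; the other
    35 are matched locally against the bucket. fetch(prefix) returns the body."""
    full = sha1_hex(password)
    prefix, suffix = full[:5], full[5:]
    for line in fetch(prefix).splitlines():
        s, _, count = line.strip().partition(":")
        if s == suffix:
            return int(count)
    return 0


def demo(passwords):
    """Build the sample file in a temp dir and check each password both ways.
    Returns {password: (local_count, range_api_count)}."""
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "pwned-passwords-sample.txt")
        build_sample_db(db)
        fetch = lambda prefix: range_api_server(db, prefix)
        return {pw: (lookup_local(db, pw), lookup_via_range(pw, fetch))
                for pw in passwords}


if __name__ == "__main__":
    for pw, counts in demo(["password", "correct horse battery staple"]).items():
        print(f"{pw!r}: local={counts[0]} range_api={counts[1]}")
```

What the range server learns is which of the 16^5 = 1,048,576 prefix buckets the candidate falls into, plus timing and the caller's identity, so the trust question is whether that is acceptable for your users; the local search shows that the alternative does not require holding the file in memory, only on a disk the API process can seek in, which also means the file can live on a volume rather than inside the image layers.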
