Hacker News new | past | comments | ask | show | jobs | submit login
Show HN: PwnedPasswords as a (Micro)Service
5 points by ttt111222333 7 months ago | hide | past | web | favorite | 6 comments
Recently I became interested in knowing whether the passwords I used were in the list of breached passwords. One way to find out is to send your password to the link here https://haveibeenpwned.com/Passwords. However, while the owner of that website is a well respected security researcher, I still don't think it's wise to send my password to another website. So I downloaded the 24gb file, hashed my password and grepped the file for it.

That unfortunately took a long time and I realized this was the perfect opportunity to use a BloomFilter and test the inclusion of a password in a set.

With a bloomfilter, the 24gb file can be compressed down to ~2gb assuming a false positive rate of 1 in a million. You can achieve even better rates with lower false positives. Despite it dropping to 2gb, I wasn't satisfied and decided to compress the bloomfilter using golomb codes. This type of data structure is known as a golomb set and I was able to get the database down to ~1.475gb.

That makes it small enough to exist in a microservice that any company can use to test whether users are using hacked passwords. With a golomb set the time to test a password was microseconds. I made some node js bindings and put the file in a simple express app. Now anyone can create a pwned password as a micro-service! It's open source because you can audit the code and confirm no one is logging your passwords.

Anyway thought I'd share it since I'm more or less done with this. Future work could split the 2gb file into on disk files and therefore require significantly less ram to work. This would be a great use case of storing the entire list in a laptop or phone for example, where it would take 1.5gb of disk, but be able to quickly tell you if a password you are typing is in a breached list.

Anyways here's the link:



Not to detract from your efforts, but you can actually check your passwords with HIBP without sending the plaintext password. You can send the first 5 characters of the SHA-1 hash, and it will send back the rest of hashes that match for you to compare against. See https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByR...

haveibeenpwned.com is so great!

The entire premise of this ignores that you can use the api for HIBP to do local comparison of a password.

Nice, now we can download it to a computer, unplug it from the internet, test passwords, then burn the computer to be sure ;)

Lol. I was thinking maybe more don’t send a password to haveibeenpwned and just use your own service?

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact