
Your code uses the first 5 digits of the hex digest of the SHA1. This 5-digit hex number has roughly 1 million combinations.

That seems way too low.

For context: If you take just dictionary words from the world's 5 most popular languages, you'd have more than 0.5 million words.




This is from the API docs, you are not allowed to pick the number of digits.

https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByR...


Oh I see, so you send only the first 5 digits, but you then get back ~16,730 digits (478 * (40-5)) and search those for your full hash.
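The lookup described above (hash the password with SHA-1, send only the first 5 hex digits, receive the 35-digit suffixes for that range with their breach counts, and match the full suffix locally), written out as an added example. This is not code from the thread or from Have I Been Pwned; the range body below is constructed for the example, and the count next to the "password" suffix is made up. The only real value in it is the SHA-1 of "password" itself. The live fetch function targets the documented `https://api.pwnedpasswords.com/range/{prefix}` endpoint but is never called here, so the block runs offline.

```python
import hashlib
from typing import Callable, Dict, Tuple


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 digest, the form the range API uses for suffixes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hex_digest: str) -> Tuple[str, str]:
    """Split a 40-hex-digit SHA-1 into the 5-digit prefix that is sent and the
    35-digit suffix that is matched locally. Only 20 bits leave the client."""
    if len(hex_digest) != 40:
        raise ValueError("expected a 40 hex digit SHA-1")
    return hex_digest[:5], hex_digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF separated) into a suffix -> count map.
    Suffixes are upper-cased so matching does not depend on the server's casing."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != 35:
            raise ValueError(f"malformed range line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts


def check_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the corpus (0 = not found).
    fetch_range maps a 5-digit prefix to the raw response body for that range."""
    prefix, suffix = split_hash(sha1_hex(password))
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


# Constructed stand-in for the response to GET /range/5BAA6 (the prefix of
# SHA-1("password")). The first suffix is the real remainder of that hash; its
# count and the other two lines are invented for this example.
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": (
        "00A1B2C3D4E5F60718293A4B5C6D7E8F901:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "FFEE1122334455667788990011223344556:1\r\n"
    ),
}


def offline_fetch(prefix: str) -> str:
    """Offline fetcher backed by the constructed ranges; unknown prefix -> empty body."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def live_fetch(prefix: str, user_agent: str = "range-example") -> str:
    """Real fetcher for the range API (not used by the offline demo below)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": user_agent},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = check_password(candidate, offline_fetch)
        print(f"{candidate!r}: {'seen %d times' % n if n else 'not in constructed range'}")
```

The point of the split is visible in `check_password`: the server only ever sees `prefix`, and the 35-digit `suffix` never leaves the process. Swap `offline_fetch` for `live_fetch` to query the real API; the parsing and matching logic is the same.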


So what if you then took positives from 5-digit hash matches and searched them through 7-digit hash matches? Like a sieve?

With a good cache, that'd save some bandwidth.

Maybe that's wishful thinking. I can't imagine checking new passwords more than a few dozen times per second at the most. Bigger sites probably just write their own password integrity tools.


I applaud your optimism!

Most places just enforce byzantine password requirements, 13 digits, must have ~, uppercase and a palindrome prime integer in it.

Obligatory password XKCD, think of the children. https://xkcd.com/936/


I can imagine if there was a more standard password definition, eventually specialized hardware would adapt to whatever the standard was, in terms of cracking attacks.

I use a memory trick to have very strong passwords, but most people probably wouldn't be willing to invest the effort.

Someday there will be a better way.



