How to Fit a 64 Million Password Dictionary into AWS Lambda Using mmap and Bloom Filters?

Asked By DevOpsNinja23 On

I'm working on an open-source API aimed at stopping weak passwords at registration by checking them against a vast dictionary of 64 million leaked passwords. To keep passwords private, I implemented a k-anonymity approach where only a SHA-256 hash's prefix is sent to the API. The API then returns candidate suffixes for comparison without ever exposing the actual password.

I'm using AWS Lambda with Docker, a memory-mapped binary index, and a Bloom filter to ensure sub-millisecond lookups without exceeding memory limits. The entire setup is deployed via Terraform, but I've relied on AI for parts of the Python application code and Bloom filter implementation. I would love to get feedback from other developers or anyone experienced in AppSec regarding improvements or overlooked edge cases in my implementation.

5 Answers

Answered By CodeMaster95 On

It's great to see innovative solutions, but have you considered implementing basic password complexity rules? Filtering out weak passwords before they reach your API could save significant resources and time.

Answered By BackendBandit44 On

This is a super clever approach using mmap and Bloom filters, but I'm curious about the practical implications—like handling false positives in the Bloom filter. Are you okay with rejecting unique but strong passwords occasionally?
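To make the design in the question concrete, and to show why BackendBandit44's false-positive concern is resolved by the exact index rather than by the Bloom filter alone, here is an added, self-contained Python example. It is not the OP's code: the index layout (sorted fixed-width raw SHA-256 digests searched through a read-only mmap), the placement of the Bloom filter (keyed on 5-hex-character prefix buckets as a prefilter in front of the mmap search) and the class and function names are all assumptions made for illustration; the five-entry "leak" list is constructed sample data standing in for the 64 million entries.

```python
import hashlib
import math
import mmap
import os
import tempfile

DIGEST_LEN = 32   # bytes per index record: one raw SHA-256 digest
PREFIX_HEX = 5    # hex characters the client reveals (its k-anonymity bucket)


class BloomFilter:
    """Bit-array Bloom filter over byte keys (illustrative; not the OP's implementation)."""

    def __init__(self, expected_items, fp_rate=0.001):
        self.m = max(8, int(-expected_items * math.log(fp_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, key):
        # Kirsch-Mitzenmacher double hashing: two 64-bit halves of SHA-256(key) give k positions
        d = hashlib.sha256(key).digest()
        h1, h2 = int.from_bytes(d[:8], "big"), int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, key):
        for p in self._positions(key):
            self.bits[p >> 3] |= 1 << (p & 7)

    def might_contain(self, key):
        # False means definitely absent; True means "maybe" and must be settled by the exact index
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(key))


def build_index(passwords, path):
    """Write the dictionary as sorted fixed-width raw digests so binary search needs no parsing."""
    digests = sorted({hashlib.sha256(p.encode()).digest() for p in passwords})
    with open(path, "wb") as f:
        for d in digests:
            f.write(d)
    return len(digests)


class LeakIndex:
    """Read-only mmap view of the digest file; the OS pages in only the records a search touches."""

    def __init__(self, path):
        fd = os.open(path, os.O_RDONLY)
        self.mm = mmap.mmap(fd, 0, access=mmap.ACCESS_READ)
        os.close(fd)  # the mapping holds its own reference to the file
        self.n = len(self.mm) // DIGEST_LEN

    def record(self, i):
        return self.mm[i * DIGEST_LEN:(i + 1) * DIGEST_LEN]

    def lower_bound(self, key):
        """Index of the first record >= key (binary search over fixed-width records)."""
        lo, hi = 0, self.n
        while lo < hi:
            mid = (lo + hi) // 2
            if self.record(mid) < key:
                lo = mid + 1
            else:
                hi = mid
        return lo

    def suffixes_for_prefix(self, prefix_hex):
        """All stored digests whose hex form starts with prefix_hex, returned as hex suffixes."""
        # A 5-hex prefix is 20 bits, not byte-aligned: pad it to the lowest 32-byte digest in the
        # bucket, jump there, then scan forward while records still share the prefix.
        start = self.lower_bound(bytes.fromhex(prefix_hex + "0" * (64 - len(prefix_hex))))
        out = []
        for i in range(start, self.n):
            h = self.record(i).hex()
            if not h.startswith(prefix_hex):
                break
            out.append(h[len(prefix_hex):])
        return out


class RangeService:
    """Server side (what the Lambda handler would do): prefix in, candidate suffixes out."""

    def __init__(self, index):
        self.index = index
        # Assumption: the Bloom filter is keyed on prefix buckets so empty buckets never touch the mmap
        self.bloom = BloomFilter(max(1, index.n))
        for i in range(index.n):
            self.bloom.add(index.record(i).hex()[:PREFIX_HEX].encode())

    def lookup(self, prefix_hex):
        prefix_hex = prefix_hex.lower()
        if len(prefix_hex) != PREFIX_HEX or any(c not in "0123456789abcdef" for c in prefix_hex):
            raise ValueError("prefix must be exactly %d hex characters" % PREFIX_HEX)
        if not self.bloom.might_contain(prefix_hex.encode()):
            return []  # definitely no leaked digest in this bucket
        # A Bloom "maybe" (including a false positive) only costs an exact search here;
        # it can never cause a password to be reported as leaked when it is not.
        return self.index.suffixes_for_prefix(prefix_hex)


def split_digest(password):
    """Client side of k-anonymity: only the prefix leaves the machine, the suffix stays local."""
    h = hashlib.sha256(password.encode()).hexdigest()
    return h[:PREFIX_HEX], h[PREFIX_HEX:]


def client_is_leaked(service, password):
    prefix, suffix = split_digest(password)
    return suffix in service.lookup(prefix)


def build_service(passwords):
    """Build the index file in a temp dir and wrap it in a RangeService."""
    path = os.path.join(tempfile.mkdtemp(), "leaks.bin")
    build_index(passwords, path)
    return RangeService(LeakIndex(path))


# Constructed sample dictionary standing in for the 64 million leaked passwords.
SAMPLE_LEAKS = ["password", "123456", "qwerty", "letmein", "iloveyou"]

if __name__ == "__main__":
    svc = build_service(SAMPLE_LEAKS)
    for pw in ["password", "correct horse battery staple"]:
        print(pw, "->", "leaked" if client_is_leaked(svc, pw) else "not in dictionary")
```

The point worth noticing is the division of labour: the Bloom filter can only say "definitely not here" or "maybe", and every "maybe" is resolved against the exact sorted index, so the filter's false-positive rate governs wasted page faults, not wrongly rejected passwords. The only way a strong password gets rejected is if its full SHA-256 is genuinely in the dictionary.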

Answered By SecuritySavvy101 On

I like the design overall, but a prefix of just 5 hex characters could lead to a higher than expected number of candidates—have you thought about rate limiting or abuse control? Plus, using an existing solution like HIBP could save effort.

Answered By TechGuru88 On

I get the creativity, but isn’t this a bit too complex? Why not just enforce stricter password policies and MFA? Seems like you've built a really intricate solution for a problem that could be simplified.

Answered By DevWhisperer12 On

Interesting project! Just a thought, though: isn't there a chance users pick passwords that still adhere to your complexity rules but are also in your leak list? There should be a balance between enforcing rules and checking against the leaks.
