I'm working on an open-source API aimed at stopping weak passwords at registration by checking them against a vast dictionary of 64 million leaked passwords. To keep passwords private, I implemented a k-anonymity approach where only a SHA-256 hash's prefix is sent to the API. The API then returns candidate suffixes for comparison without ever exposing the actual password.
I'm using AWS Lambda with Docker, a memory-mapped binary index, and a Bloom filter to ensure sub-millisecond lookups without exceeding memory limits. The entire setup is deployed via Terraform, but I've relied on AI for parts of the Python application code and Bloom filter implementation. I would love to get feedback from other developers or anyone experienced in AppSec regarding improvements or overlooked edge cases in my implementation.
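The k-anonymity exchange described above, as an added example that is not the project's own code: the client hashes locally and sends only a hash prefix, the server's Bloom filter (a minimal, hypothetical one here) gates the index lookup by prefix, and the server returns every suffix under that prefix for the client to compare. It assumes a 5-hex-character prefix (the length discussed in the answers), a plain in-memory dict standing in for the memory-mapped binary index, and a constructed five-entry leak list in place of the 64-million-entry dictionary.

```python
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # hex chars of the SHA-256 sent to the API (assumed, per the thread)
# Constructed sample leak list standing in for the 64M-entry dictionary.
LEAKED_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou"]

def sha256_hex(password):
    return hashlib.sha256(password.encode("utf-8")).hexdigest().upper()

class BloomFilter:
    """Minimal Bloom filter (hypothetical, not the project's): k bit positions
    derived from SHA-256(i || item). It may wrongly say 'maybe', never wrongly 'no'."""
    def __init__(self, size_bits=4096, k=4):
        self.size, self.k, self.bits = size_bits, k, 0
    def _positions(self, item):
        for i in range(self.k):
            d = hashlib.sha256(bytes([i]) + item.encode("utf-8")).digest()
            yield int.from_bytes(d[:8], "big") % self.size
    def add(self, item):
        for p in self._positions(item):
            self.bits |= 1 << p
    def might_contain(self, item):
        return all((self.bits >> p) & 1 for p in self._positions(item))

def build_index(passwords):
    """Server side: Bloom filter over prefixes (the only key the API ever sees)
    plus prefix -> sorted suffixes, standing in for the memory-mapped binary index."""
    bloom, index = BloomFilter(), defaultdict(list)
    for pw in passwords:
        h = sha256_hex(pw)
        bloom.add(h[:PREFIX_LEN])
        index[h[:PREFIX_LEN]].append(h[PREFIX_LEN:])
    return bloom, {k: sorted(v) for k, v in index.items()}

def range_query(bloom, index, prefix):
    """Server side: validate the prefix, skip the index read when the Bloom filter
    has never seen it, else return every suffix under it. A Bloom false positive
    only costs one extra index read; it never rejects a password by itself."""
    if len(prefix) != PREFIX_LEN or not all(c in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly %d uppercase hex chars" % PREFIX_LEN)
    if not bloom.might_contain(prefix):
        return []
    return index.get(prefix, [])

def is_leaked(password, query):
    """Client side: hash locally, send only the prefix, compare suffixes locally."""
    h = sha256_hex(password)
    return h[PREFIX_LEN:] in query(h[:PREFIX_LEN])
```

The exact suffix comparison after the Bloom check is what keeps a Bloom false positive from turning into a rejected password; only a Bloom filter used as the final answer would have that problem.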
5 Answers
It's great to see innovative solutions, but have you considered implementing basic password complexity rules? Filtering out weak passwords before they reach your API could save significant resources and time.
This is a super clever approach using mmap and Bloom filters, but I'm curious about the practical implications—like handling false positives in the Bloom filter. Are you okay with rejecting unique but strong passwords occasionally?
I like the design overall, but a prefix of just 5 hex characters could lead to a higher than expected number of candidates—have you thought about rate limiting or abuse control? Plus, using an existing solution like HIBP could save effort.
I get the creativity, but isn’t this a bit too complex? Why not just enforce stricter password policies and MFA? Seems like you've built a really intricate solution for a problem that could be simplified.
Interesting project! Just a thought, though: isn't there a chance users pick passwords that still adhere to your complexity rules but are also in your leak list? There should be a balance between enforcing rules and checking against the leaks.