Hacker News new | past | comments | ask | show | jobs | submit login

Would it be a bad security practice to keep a database of the SHA hashes of maybe the 10 000 most common passwords then alert users who try to use them? Obviously you would do the comparison before applying your actual bcrypt/PBKDF2 function with salt.



Wouldn't it be easer to just test the submitted password against the 10,000 most common passwords directly, and refuse it then?


Which they already do; from the post:

> Users cannot use any password matching a blacklist of the 10,000 most commonly used passwords.


I read the post but somehow missed that. Sincere apologies.


My question is, is 10k good enough? Wouldn't it be better to check against more? 50k?


Presumably more is always better, but there's a very long tail of passwords so the hit rate will drop off a cliff, and now you're storing 5x as much data for increasingly questionable benefit.


the problem is once you get to 10+ char passwords the common password list gets really tiny




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: