OliverM on June 2, 2017 | on: Hacker, Hack Thyself
Wouldn't it be easier to just test the submitted password against the 10,000 most common passwords directly, and refuse it then?
proaralyst on June 2, 2017
Which they already do; from the post:
> Users cannot use any password matching a blacklist of the 10,000 most commonly used passwords.
git_SHA on June 2, 2017
I read the post but somehow missed that. Sincere apologies.
infogulch on June 2, 2017
My question is, is 10k good enough? Wouldn't it be better to check against more? 50k?
gwern on June 2, 2017
Presumably more is always better, but there's a very long tail of passwords so the hit rate will drop off a cliff, and now you're storing 5x as much data for increasingly questionable benefit.
codinghorror on June 2, 2017
The problem is, once you get to 10+ char passwords the common password list gets really tiny.
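The blacklist check the thread discusses, plus the two points raised about it (the long tail after the first few thousand entries, and how little of a common-password list survives a minimum-length rule), as an added illustration that is not code from the post or from any of the commenters. The leak counts and the `SAMPLE_LEAK` name are constructed sample data standing in for a real 10,000-entry list.

```python
from collections import Counter

# Constructed sample of (password, accounts seen using it) in a leak. Real
# lists are far larger; only the steep head and long tail are meant to be realistic.
SAMPLE_LEAK = Counter({
    "123456": 5000, "password": 3000, "qwerty": 1500, "letmein": 800,
    "iloveyou": 600, "sunshine": 300, "football12": 120, "trustno1": 90,
    "correcthorsebattery": 2, "Tr0ub4dor&3": 1,
})


def normalize(password: str) -> str:
    """Compare case-insensitively and ignore surrounding whitespace, so
    'PassWord ' is refused just like 'password'."""
    return password.strip().lower()


def build_blacklist(counts: Counter, top_n: int, min_length: int = 0) -> frozenset:
    """Take the top-N most common passwords, then drop any shorter than the
    site's minimum length: those are rejected by the length rule already,
    so keeping them only inflates the list without refusing anything new."""
    ranked = [normalize(pw) for pw, _ in counts.most_common(top_n)]
    return frozenset(pw for pw in ranked if len(pw) >= min_length)


def is_blacklisted(password: str, blacklist: frozenset) -> bool:
    """The check itself: a set lookup on the normalized password."""
    return normalize(password) in blacklist


def coverage(counts: Counter, blacklist: frozenset) -> float:
    """Fraction of leaked accounts whose password the blacklist would refuse,
    i.e. the 'hit rate' gained by a list of this size."""
    total = sum(counts.values())
    hit = sum(n for pw, n in counts.items() if normalize(pw) in blacklist)
    return hit / total


if __name__ == "__main__":
    # Coverage climbs quickly, then flattens: the long tail gwern mentions.
    for size in (2, 5, 8, 10):
        print(f"top {size:>2}: {coverage(SAMPLE_LEAK, build_blacklist(SAMPLE_LEAK, size)):.4f}")
    # With a 10-character minimum, most of the list is irrelevant.
    print("entries left at min_length=10:", len(build_blacklist(SAMPLE_LEAK, 10, min_length=10)))
```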