Ask HN: Is a 10Gb Docker image with the haveibeenpwned db on it a bad idea?

2 pointsfuhrysteve7y ago3 comments

We have a site with sensitive data on it, and need to verify that when users create a new password that the password has not been previously exposed in a known breach. The way everyone seems to be doing this is by downloading and searching the 10gb haveibeenpwned database for sha1 matches of the candidate password.

We know that it's best practice to keep docker images small, however this seems like a tempting solution for an annoying problem: simply make a 10Gb Docker image that downloads the haveibeenpwned database (which is ~10Gb) as part of the image, and expose a searchable API. Sure it would be slow to deploy an image that large on Kubernetes, but it seems like it'd otherwise be easy to maintain.

How are you checking passwords against haveibeenpwned / similar for your users?

3 comments

LinuxBender7y ago

This makes sense to me. We did something similar, just not in docker, but docker is just packaging/deployment.

reimertz7y ago

Hi there,

Is there a reason why you don't integrate with their API instead? Seems like they offer have what you need: https://haveibeenpwned.com/API/v2

fuhrysteveOP7y ago

How much do you trust k-anonymity?

j / k navigate · click thread line to collapse