I find this hilarious, slightly disturbing, but very thought-provoking. Can N=2+ companies try to find password reuse amongst themselves, without leaking anything? Is it even possible, without absolute trust between them? I wonder.
They could cross-check each other’s databases with Pwned Passwords style (also quite similar to one of Google Safe Browsing APIs) k-anonymity on the queries.
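The range-query idea mentioned above, as an added example that is not part of the original thread: the asking party sends only a 5-hex-character SHA-1 prefix (the Pwned Passwords convention) and compares the returned suffixes locally. `RangeServer`, `is_reused` and the sample passwords are constructed for illustration.

```python
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # hex characters of the SHA-1 digest revealed to the other party


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """One party's password hashes, bucketed by digest prefix (hypothetical helper)."""

    def __init__(self, passwords):
        self.buckets = defaultdict(set)
        for pw in passwords:
            digest = sha1_hex(pw)
            self.buckets[digest[:PREFIX_LEN]].add(digest[PREFIX_LEN:])
        self.seen_queries = []  # everything this party ever learns from askers

    def range_query(self, prefix: str):
        # Return every suffix in the bucket; the server cannot tell which
        # one (if any) the asker was actually interested in.
        self.seen_queries.append(prefix)
        return sorted(self.buckets.get(prefix, ()))


def is_reused(password: str, server: RangeServer) -> bool:
    """Asker side: hash locally, send the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in server.range_query(prefix)


if __name__ == "__main__":
    # Constructed sample data standing in for the other company's passwords.
    other_company = RangeServer(["hunter2", "myHunter2!", "correct horse"])
    for candidate in ["hunter2", "zc7yWkE6KDyv"]:
        print(candidate, "->", is_reused(candidate, other_company))
    print("server saw only:", other_company.seen_queries)
```

The answering party sees only 20 bits of each queried hash, but the asker receives the full unsalted hashes of everything in that bucket, so this hides the query rather than the answering party's data.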
After watching the first half of the demo, I expected the checker to be evil in a different way: by always finding a problem with the given password, in a way consistent with previously-given rules. That would also have been fun to see.
> hunter2
Your password must be at least 8 characters long
> myhunter2
Your password must contain at least one uppercase letter, one lowercase letter, and one number
> myHunter2!
Your password may not contain a dictionary word ("Hunter")
> Z{x8PQXae3PR
Your password may not contain a dictionary word ("a")
> mMLlH7(4!Jhu
Your password may not contain these punctuation characters: ( )
> 'GQxR*3E3]r]
Your password may not start or end with these punctuation characters: ' "
> zc7yWkE6KDyv
Your password may be no longer than 11 characters
I love this, but it needs to be a JS package in NPM.