1. 38
  2. 6

    I find this hilarious, slightly disturbing, but very thought-provoking. Can N=2+ companies try to find password reuse amongst themselves, without leaking anything? Is it even possible, without absolute trust between them? I wonder.

    1. 3

      They could cross-check each other’s databases with Pwned Passwords style (also quite similar to one of Google Safe Browsing APIs) k-anonymity on the queries.

    2. 6

      After watching the first half of the demo, I expected the checker to be evil in a different way: by always finding a problem with the given password, in a way consistent with previously-given rules. That would also have been fun to see.

      > hunter2
      Your password must be at least 8 characters long
      > myhunter2
      Your password must contain at least one uppercase letter, one lowercase letter, and one number
      > myHunter2!
      Your password may not contain a dictionary word ("Hunter")
      > Z{x8PQXae3PR
      Your password may not contain a dictionary word ("a")
      > mMLlH7(4!Jhu
      Your password may not contain these punctuation characters: ( )
      > 'GQxR*3E3]r]
      Your password may not start or end with these punctuation characters: ' "
      > zc7yWkE6KDyv
      Your password may be no longer than 11 characters
      
      1. 3

        I love this, but it needs to be a JS package in NPM.
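
The Pwned Passwords-style k-anonymity cross-check suggested earlier in the thread, sketched as an added example that is not code from any commenter or from the Pwned Passwords project. The `RangeServer` class, the `is_reused` function and the sample passwords are constructed for illustration; the 5-character uppercase SHA-1 prefix follows the Pwned Passwords range API, and the checking side is assumed to have the plaintext available (for example at password-set time).

```python
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # hex characters disclosed to the other party per query


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form used by the Pwned Passwords range API."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Hypothetical responder (company B): indexes its hashes by prefix."""

    def __init__(self, passwords):
        self.buckets = defaultdict(set)
        self.seen_queries = []  # everything the responder learns from callers
        for pw in passwords:
            digest = sha1_hex(pw)
            self.buckets[digest[:PREFIX_LEN]].add(digest[PREFIX_LEN:])

    def query(self, prefix: str):
        """Return every hash suffix in the bucket for a 5-character prefix."""
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be 5 uppercase hex characters")
        self.seen_queries.append(prefix)
        return sorted(self.buckets.get(prefix, ()))


def is_reused(password: str, server: RangeServer) -> bool:
    """Hypothetical caller (company A): send the prefix, compare suffixes locally."""
    digest = sha1_hex(password)
    suffixes = server.query(digest[:PREFIX_LEN])
    return digest[PREFIX_LEN:] in suffixes


if __name__ == "__main__":
    # Constructed sample data for company B.
    b = RangeServer(["hunter2", "correct horse battery staple"])
    for candidate in ["hunter2", "myHunter2!"]:
        print(candidate, "->", "reused" if is_reused(candidate, b) else "not found")
    print("responder saw only:", b.seen_queries)
```

The responder learns only a 5-character prefix per query, but it hands the caller every hash suffix in that bucket, so this scheme limits what each side discloses rather than leaking nothing.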