I find this hilarious, slightly disturbing, but very thought-provoking. Can N=2+ companies try to find password reuse amongst themselves, without leaking anything? Is it even possible, without absolute trust between them? I wonder.
They could cross-check each other’s databases with Pwned Passwords style (also quite similar to one of Google Safe Browsing APIs) k-anonymity on the queries.
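A sketch of the range-query scheme the comment above refers to, as an added example that is not part of the original thread. The 5-hex-character SHA-1 prefix follows the Pwned Passwords range API; the class and function names, and the sample passwords, are constructed for illustration.

```python
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # hex characters sent to the other party, as in Pwned Passwords


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Company B (hypothetical): answers prefix queries over its password hashes."""

    def __init__(self, passwords):
        self._buckets = defaultdict(set)
        for pw in passwords:
            digest = sha1_hex(pw)
            self._buckets[digest[:PREFIX_LEN]].add(digest[PREFIX_LEN:])
        self.seen_queries = []  # everything B ever learns about A's passwords

    def range(self, prefix: str):
        if len(prefix) != PREFIX_LEN:
            raise ValueError("prefix must be exactly %d hex chars" % PREFIX_LEN)
        self.seen_queries.append(prefix)
        # B returns every suffix in the bucket; A does the final match locally.
        return sorted(self._buckets.get(prefix, ()))


def is_reused(password: str, server: RangeServer) -> bool:
    """Company A: send only the prefix, compare the suffix on A's side."""
    digest = sha1_hex(password)
    return digest[PREFIX_LEN:] in server.range(digest[:PREFIX_LEN])


if __name__ == "__main__":
    # Constructed sample data.
    b = RangeServer(["hunter2", "correct horse battery staple"])
    print(is_reused("hunter2", b))      # password present at both companies
    print(is_reused("Tr0ub4dor&3", b))  # password only at company A
    print(b.seen_queries)               # B saw two 5-character prefixes only
```

The querying side reveals only a hash prefix, but the responder hands back full unsalted hash suffixes for every password in the bucket, which is harmless for a public breach corpus and is a real disclosure when the corpus is another company's live credentials.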
After watching the first half of the demo, I expected the checker to be evil in a different way: by always finding a problem with the given password, in a way consistent with previously-given rules. That would also have been fun to see.
Your password must be at least 8 characters long
Your password must contain at least one uppercase letter, one lowercase letter, and one number
Your password may not contain a dictionary word ("Hunter")
Your password may not contain a dictionary word ("a")
Your password may not contain these punctuation characters: ( )
Your password may not start or end with these punctuation characters: ' "
Your password may be no longer than 11 characters
I love this, but it needs to be a JS package in NPM.