Add database of passwords longer than 8 characters
With the new NIST guideline of 8 character minimum password length, it would be useful to have a database of only passwords 8 characters or longer. My assumption is that this would reduce the size of the database significantly.
Dain Sundstrom
shared this idea
Multiple problems with this, namely that it then creates redundant copies of the same data and then where do you stop? A 10 char DB? A 13 one? But it also doesn’t matter if you’re using the k-anonymity API which I’m strongly pushing people towards, particularly because of this: https://www.troyhunt.com/pwned-passwords-open-source-in-the-dot-net-foundation-and-working-with-the-fbi/
-
Dain Sundstrom
commented
I understand what you are saying, and the possible future implications. On the other hand, 8+ is the new NIST standard, and my assumption (which could be wrong) is that once you drop the 1-7 character passwords you end up with a dramatic reduction in database size. If it is small enough, I could simply load the entire database into my server and just look up directly. The cuts out a lot of complex questions a service adds to software development like compliance and uptime.
Assuming this is still a no, can you satisfy my curiosity and provide a breakdown of passwords by length? or maybe you never get that information?