by Pxtl 3647 days ago
For those who didn't read TFA - it does this for the password strength checker when creating a new password, not when logging in.

Honestly, I can see the challenge here. A truly robust password strength checker would use dictionaries, making it too heavy to run on the client, and for usability reasons you'd want it to check on keypress.

But it would be nice at the very least if they'd send it as POSTs in the body, not GET parameters.


> But it would be nice at the very least if they'd send it as POSTs in the body, not GET parameters.

If the GET is being sent via XHR over SSL, how is doing a POST any more secure?

The general argument here is server logs. You'll see the entire URL show up for GET. By using a POST and actually putting the data in the post body, you won't see it show up in logging.

My guess is simple things like the URL showing up in server logs etc.

Is a dictionary really that heavy? (Honest question.)
The ones used by security experts are in the GB range.

Obviously you could do more efficient approaches like converting characters to recognize that P@ssw0rd is just Password, but then you've increased the algorithmic complexity you're sending to the client. If you want to get super-fancy, you've got to find word boundaries and whatnot to find that MyP45512345 is really just MyPass12345.

Of course, the simple brute force approach (server-side check: is my password in this 5GB db of passwords?) might be too slow to use for this case anyways.
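The substitution-undoing and word-boundary idea from the comment above, as an added example that is not from this thread and not zxcvbn's code: it normalizes common character substitutions (so `P@ssw0rd` becomes `password`), then scans for dictionary words embedded anywhere in the result (so `MyP45512345` yields `my` and `pass`), and charges matched words far fewer bits than unmatched characters. The dictionary and the leet map are constructed toy data; a real checker ships a much larger list and, like zxcvbn, tries the raw and substituted forms side by side.

```javascript
// Added example, not code from the thread or from zxcvbn.
// Constructed substitution table: character -> letter it commonly stands for.
const LEET_MAP = {
  '@': 'a', '4': 'a', '8': 'b', '3': 'e', '6': 'g', '9': 'g',
  '1': 'i', '!': 'i', '|': 'i', '0': 'o', '$': 's', '5': 's', '7': 't', '+': 't',
};

// Constructed toy dictionary (lowercase). Real lists are vastly larger.
const DICTIONARY = new Set([
  'password', 'pass', 'welcome', 'letmein', 'dragon', 'monkey', 'qwerty', 'my',
]);

// Undo substitutions character by character: "P@ssw0rd" -> "password".
// The mapping is 1:1 so positions in the output line up with the input.
function normalizeLeet(s) {
  let out = '';
  for (const ch of s) out += LEET_MAP[ch] ?? ch.toLowerCase();
  return out;
}

// Greedy left-to-right scan for the longest dictionary word starting at each
// position; matches never overlap. Each match records whether substitutions
// were needed to make it a dictionary word.
function findDictionaryMatches(password, dictionary = DICTIONARY) {
  const norm = normalizeLeet(password);
  const raw = password.toLowerCase();
  const matches = [];
  let i = 0;
  while (i < norm.length) {
    let found = null;
    for (let j = norm.length; j > i; j--) {
      const sub = norm.slice(i, j);
      if (dictionary.has(sub)) {
        found = { word: sub, start: i, end: j, substituted: raw.slice(i, j) !== sub };
        break;
      }
    }
    if (found) { matches.push(found); i = found.end; } else { i++; }
  }
  return matches;
}

// Size of the brute-force alphabet implied by the character classes present.
function alphabetSize(password) {
  let size = 0;
  if (/[a-z]/.test(password)) size += 26;
  if (/[A-Z]/.test(password)) size += 26;
  if (/[0-9]/.test(password)) size += 10;
  if (/[^a-zA-Z0-9]/.test(password)) size += 33; // printable ASCII symbols
  return size || 1;
}

// Crude strength estimate in bits: a dictionary match costs only
// log2(dictionary size), plus one bit if substitutions were used, while every
// unmatched character is charged the full alphabet. This is the point of the
// normalization step: "P@ssw0rd" must not score like 8 random characters.
function estimateBits(password, dictionary = DICTIONARY) {
  const matches = findDictionaryMatches(password, dictionary);
  const dictBits = Math.log2(dictionary.size);
  let bits = 0;
  let covered = 0;
  for (const m of matches) {
    bits += dictBits + (m.substituted ? 1 : 0);
    covered += m.end - m.start;
  }
  bits += (password.length - covered) * Math.log2(alphabetSize(password));
  return bits;
}

for (const pw of ['P@ssw0rd', 'MyP45512345', 'xK9#qL2m']) {
  console.log(pw, normalizeLeet(pw), findDictionaryMatches(pw), estimateBits(pw).toFixed(1));
}
```

Because normalization is applied unconditionally, trailing digits are also mapped (the `12345` in `MyP45512345` becomes `i2eas`); that is a deliberate simplification so the scan stays a single pass, and the cost is that a genuinely random digit run is occasionally read as letters. Everything here runs on the client with a few kilobytes of data, which is the same trade-off zxcvbn makes rather than shipping the password to the server on every keypress.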

> The ones used by security experts are in the GB range.

Citation? The only multi-gigabyte "dictionaries" I've seen are rainbow tables. I'm genuinely curious why you'd need multiple gigabytes when the Dictionary.com app a few years ago was no more than 200 megabytes.

The (most excellent) zxcvbn password strength checking library [1] (developed by an engineer at Dropbox) is 400 kB (compressed) including dictionaries.

[1] https://github.com/dropbox/zxcvbn

Depends on how big the dictionary is. :)