by scarhill 2707 days ago
Exactly. I think of the HIBP password list as having three types of passwords (this is an oversimplification, but bear with me):

1) Extremely weak ones that lots of people use (e.g. 'password1')

2) Somewhat unique ones (their pet's name and birthday)

3) Truly strong ones (random, long strings)

I don't want users on my site using type 1 passwords at all. If a password is really type 3, the odds say that no user will ever try to use it again, so there's no collateral damage in blocking it. The person signing up with a type 2 is almost certainly the same user whose credentials are in the breach. I don't want them to reuse that password on my site because it makes their account vulnerable to credential stuffing.
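The signup-time check the comment describes, as an added example that is not part of the Hacker News comment: a site hashes the candidate password with SHA-1, sends only the first five hex characters to HIBP's Pwned Passwords range endpoint (so the full hash never leaves the client), and rejects the password if its remaining 35 characters appear in the returned `SUFFIX:COUNT` list. To run offline, the block builds a constructed stand-in for the range responses from a small, made-up list of breached passwords; `fake_fetch_range`, `CONSTRUCTED_BREACHED` and the counts in it are this example's own, not data from HIBP.

```python
"""Added example: reject signup passwords that appear in the HIBP Pwned
Passwords list, using the k-anonymity range lookup.

The real service answers GET https://api.pwnedpasswords.com/range/<PREFIX>
(PREFIX = first 5 uppercase hex chars of the SHA-1) with one line per match:
'<remaining 35 hex chars>:<number of times seen in breaches>'.
RANGE_TABLE below is a constructed stand-in for those responses so the code
runs offline; the parsing and decision logic is what a real response feeds.
"""
import hashlib


def sha1_upper_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 encoded password (HIBP's hash format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_prefix_suffix(password: str) -> tuple[str, str]:
    """The 5-char prefix that is sent to the service, and the 35-char suffix
    that stays on the client and is matched locally."""
    digest = sha1_upper_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse a range response body into {suffix: count}. Blank lines are
    ignored; a malformed count is treated as a match with an unknown count
    rather than silently accepting the password."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        try:
            counts[suffix.upper()] = int(count)
        except ValueError:
            counts[suffix.upper()] = -1  # seen, count unparseable
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times HIBP has seen this password; 0 if never.
    fetch_range(prefix) must return the response body as text."""
    prefix, suffix = split_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def registration_verdict(password: str, fetch_range) -> str:
    """The comment's policy: any password present in the list is refused,
    whether it is a mass-reuse password or one a single user leaked."""
    return "reject" if breach_count(password, fetch_range) != 0 else "accept"


# --- constructed offline stand-in for the HIBP range responses -------------
# Made-up breached passwords and counts (not real HIBP data).
CONSTRUCTED_BREACHED = {
    "password1": 2_400_000,   # the comment's "type 1" example
    "fluffy1999": 3,          # a pet-name-plus-year "type 2" style password
}


def build_range_table(breached: dict[str, int]) -> dict[str, str]:
    """Group the constructed passwords by hash prefix into response bodies
    in the service's 'SUFFIX:COUNT' line format."""
    grouped: dict[str, list[str]] = {}
    for pw, count in breached.items():
        prefix, suffix = split_prefix_suffix(pw)
        grouped.setdefault(prefix, []).append(f"{suffix}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in grouped.items()}


RANGE_TABLE = build_range_table(CONSTRUCTED_BREACHED)


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP call; an empty body means no hash in that range
    matched, which is also how the real endpoint behaves for unseen suffixes."""
    return RANGE_TABLE.get(prefix.upper(), "")


if __name__ == "__main__":
    for candidate in ("password1", "fluffy1999", "ZrQ9!vm2#Lk8pWe4tYu6"):
        print(candidate, registration_verdict(candidate, fake_fetch_range),
              breach_count(candidate, fake_fetch_range))
```

In production, `fake_fetch_range` is replaced by an HTTPS GET to the range endpoint; because only the five-character prefix is sent, the service learns neither the password nor its full hash, which is what makes it acceptable to run this check on passwords users are actively choosing.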