by twisteriffic
934 days ago
> Oh yea I remember HIBP has an online API. Don't use this.

That's not the greatest advice IMO. The API gets updated data more frequently, doesn't require that you transmit the password or a useable hashed form, and it's dead simple to consume. I'd argue that it's more effort to maintain an internal store and synchronization infrastructure, and you're less likely to accidentally breach anonymity and leak a weak hash by using the API than you are rolling your own query against the raw data. It's also used by hundreds of bigcorps and government agencies who have way more pedantic lawyers than you're likely to have. If they couldn't find a good reason not to use it I doubt yours will.
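Added example, not part of the thread or of HIBP's own code: the client side of the Pwned Passwords range query referred to above, where only the first five hex characters of the SHA-1 leave the machine and the match is done locally. The response body is constructed here so the block runs offline; `fetch_range` and `constructed_response` are hypothetical names.

```python
import hashlib

# Real endpoint shape, shown for reference only; this example never calls it.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix sent to the service, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_body: str) -> int:
    """Scan 'SUFFIX:COUNT' lines for our suffix; 0 means not listed.

    Padded responses carry filler entries with a count of 0, so a zero
    count is treated the same as a miss.
    """
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if len(candidate) == 35 and candidate.upper() == suffix:
            return int(count) if count.isdigit() else 0
    return 0


def check(password: str, fetch_range) -> int:
    """fetch_range(prefix) -> response body. Only the prefix is handed over."""
    prefix, suffix = split_hash(password)
    return breach_count(suffix, fetch_range(prefix))


def constructed_response(suffix: str, count: int) -> str:
    """Constructed sample body: one real match between a decoy and a padding line."""
    return "\r\n".join(["0" * 35 + ":3", f"{suffix}:{count}", "F" * 35 + ":0"])


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample input
    prefix, suffix = split_hash(pw)
    seen = []  # everything the "service" would observe

    def fetch_range(p: str) -> str:
        seen.append(p)
        return constructed_response(suffix, 42)

    print("count:", check(pw, fetch_range), "sent:", seen)
```

The same `breach_count` matching works against a locally stored copy of the hash list, which is the offline variant argued for in the reply below.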
Just as many arguments can be made for an offline check. Or against an online check. From added latency via required uptime to added dependencies.
My point being: no. "It depends"