We have a site with sensitive data on it, and need to verify that when users create a new password that the password has not been previously exposed in a known breach. The way everyone seems to be doing this is by downloading and searching the 10gb haveibeenpwned database for sha1 matches of the candidate password.

We know that it's best practice to keep docker images small, however this seems like a tempting solution for an annoying problem: simply make a 10Gb Docker image that downloads the haveibeenpwned database (which is ~10Gb) as part of the image, and expose a searchable API. Sure it would be slow to deploy an image that large on Kubernetes, but it seems like it'd otherwise be easy to maintain.

How are you checking passwords against haveibeenpwned / similar for your users?
Hi there,

Is there a reason why you don't integrate with their API instead? Seems like they offer what you need: https://haveibeenpwned.com/API/v2
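As an added example (not code from either commenter), this is how the Pwned Passwords range lookup works in practice: only the first five hex characters of the candidate's SHA-1 leave the host, and the 35-character suffix is matched locally against the returned range, so the service never learns the full hash. It assumes the `api.pwnedpasswords.com/range/` endpoint and its `SUFFIX:COUNT` reply format; the sample reply embedded below is constructed so the check runs offline.

```python
from __future__ import annotations

import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # assumed endpoint


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF-separated); malformed lines are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Network fetch of one hash range; only the 5-char prefix is in the URL."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in the corpus; 0 means not found."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed sample reply for prefix 5BAA6 (the prefix of sha1("password")),
# so the example runs offline; the suffixes and counts are made up.
SAMPLE_REPLY = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:2",
    sha1_prefix_suffix("password")[1] + ":12345",
    "1E9A57DA97E4E75B22A3E3C3C97E4E75B22:1",
])


def offline_demo() -> int:
    """Run the check against the constructed reply instead of the network."""
    return breach_count("password", fetch=lambda prefix: SAMPLE_REPLY)
```

In a signup handler, reject the password when `breach_count` returns a non-zero value; treating a network failure as "not checked" rather than "not breached" keeps the control fail-safe.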