A tech news platform built on Next.js, providing global technology news and discussion.
© 2025 科技回声. All rights reserved.

Show HN: PwnedPasswords as a (Micro)Service

5 points by ttt111222333 about 6 years ago
Recently I became interested in knowing whether the passwords I used were in the list of breached passwords. One way to find out is to send your password to the link here https://haveibeenpwned.com/Passwords. However, while the owner of that website is a well respected security researcher, I still don't think it's wise to send my password to another website. So I downloaded the 24gb file, hashed my password and grepped the file for it.

That unfortunately took a long time and I realized this was the perfect opportunity to use a Bloom filter and test the inclusion of a password in a set.

With a Bloom filter, the 24gb file can be compressed down to ~2gb assuming a false positive rate of 1 in a million. You can achieve even better rates with lower false positives. Despite it dropping to 2gb, I wasn't satisfied and decided to compress the Bloom filter using Golomb codes. This type of data structure is known as a Golomb set and I was able to get the database down to ~1.475gb.

That makes it small enough to exist in a microservice that any company can use to test whether users are using hacked passwords. With a Golomb set the time to test a password was microseconds. I made some Node.js bindings and put the file in a simple Express app. Now anyone can create a pwned password as a micro-service! It's open source because you can audit the code and confirm no one is logging your passwords.

Anyway thought I'd share it since I'm more or less done with this. Future work could split the 2gb file into on disk files and therefore require significantly less ram to work. This would be a great use case of storing the entire list in a laptop or phone for example, where it would take 1.5gb of disk, but be able to quickly tell you if a password you are typing is in a breached list.

Anyways here's the link:

https://github.com/terencechow/PwnedPasswords

Cheers!
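The Golomb-coded set the post describes, as an added example rather than code from the linked repository: sorted hash values stored as Golomb-Rice-coded gaps, queried by decoding until the target slot is reached or passed. It follows the usual GCS construction (the project's exact layout is not shown on the page) and is built over a constructed five-entry breach list; members are always found, and non-members are rejected except at roughly the configured false-positive rate.

```python
import hashlib
import math

# Constructed sample breach list (not real HIBP data).
BREACHED = ["password", "123456", "qwerty", "letmein", "iloveyou"]


class GolombCodedSet:
    """Static approximate-membership set: no false negatives, ~fp_rate false positives."""

    def __init__(self, items, fp_rate=1e-6):
        # Each item hashes to one slot in [0, n_slots); collisions are the false positives.
        self.n_slots = max(1, round(len(items) / fp_rate))
        # Rice parameter: 2^k close to the expected gap (1 / fp_rate).
        self.k = max(1, round(math.log2(1 / fp_rate)))
        values = sorted({self._slot(i) for i in items})
        bits, prev = [], 0
        for v in values:
            q, r = divmod(v - prev, 1 << self.k)      # gap = q * 2^k + r
            bits.append("1" * q + "0")                # unary quotient
            bits.append(format(r, "0%db" % self.k))   # fixed-width remainder
            prev = v
        self.bits = "".join(bits)                     # a str of bits for readability

    def _slot(self, item):
        digest = hashlib.sha1(item.encode("utf-8")).digest()
        return int.from_bytes(digest[:8], "big") % self.n_slots

    def __contains__(self, item):
        target, pos, value, bits = self._slot(item), 0, 0, self.bits
        while pos < len(bits):                        # decode gaps in order
            q = 0
            while bits[pos] == "1":
                q += 1
                pos += 1
            pos += 1                                  # skip the unary terminator
            r = int(bits[pos:pos + self.k], 2)
            pos += self.k
            value += (q << self.k) + r
            if value == target:
                return True
            if value > target:                        # sorted: target cannot appear later
                return False
        return False

    def size_bits(self):
        return len(self.bits)
```

Stored size is about k+2 bits per entry, versus 160 bits per raw SHA-1, which is where the post's ~1.475gb figure for the full list comes from.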

4 comments

clusmore about 6 years ago
Not to detract from your efforts, but you can actually check your passwords with HIBP without sending the plaintext password. You can send the first 5 characters of the SHA-1 hash, and it will send back the rest of hashes that match for you to compare against. See https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange
Comment #19749517 not loaded
stephenr about 6 years ago
The entire premise of this ignores that you can use the api for HIBP to do *local* comparison of a password.
antoineMoPa about 6 years ago
Nice, now we can download it to a computer, unplug it from the internet, test passwords, then burn the computer to be sure ;)
Comment #19744718 not loaded
verdverm about 6 years ago
Thanks!

https://github.com/terencechow/PwnedPasswords