This new file sounds good to me.

> Whilst you're at it, what is the new file size?

I downloaded the gist, took only column 3 (the actual passwords) and gzipped it, it came to 81K over the existing 3.8K. Uncompressed that's 163K over 7.1K.

It would probably warrant a smarter checking algorithm over the current one, where the validator loads the whole file into memory on initialization (and doesn't share it between instances).

OOI have you seen https://github.com/ubernostrum/pwned-passwords-django/, which uses Troy Hunt's massive API for all leaked passwords?

On 30 March 2018 at 06:31, Curtis Maloney <cur...@tinbrain.net> wrote:

> By which I mean... hi Brenton! Great to see you being active again :)
>
> It's great you've taken the time to do this, and the benefits are very
> clear [improved security], but what are the costs?
>
> Whilst you're at it, what is the new file size?
>
> --
> Curtis
>
> On 03/30/2018 04:26 PM, Curtis Maloney wrote:
>
>> What sort of performance impact is this having over the existing list?
>>
>> What's the additional memory load, if any?
>>
>> --
>> Curtis
>>
>> On 03/30/2018 04:24 PM, Brenton Cleeland wrote:
>>
>>> Three years ago Django introduced the CommonPasswordValidator and
>>> included a list of 1,000 passwords considered to be "common". That list was
>>> based on leaked passwords and came from xato.net[1].
>>>
>>> I'd like to update the list to
>>>
>>> a) be from a more reliable / recent source
>>> b) be larger and more in line with the NIST recommendations
>>>
>>> Security researcher Troy Hunt has published a massive list of leaked
>>> passwords, including frequencies on Have I Been Pwned[2]. The top 20,000 of
>>> which are available in a gist from Royce Williams[3], including the
>>> frequency, md5 hash and plain text password.
>>>
>>> Interestingly there's 27 passwords in the Django list that aren't in the
>>> HIBP list. I'd post them here but they're mostly short and not safe for
>>> work.
>>>
>>> I've created a ticket for the increase in size[4] but wanted to check in
>>> and make sure this is something django-developers thinks is valuable.
>>>
>>> Cheers,
>>> Brenton
>>>
>>> [1]: https://web.archive.org/web/20150315154609/https://xato.net/passwords/more-top-worst-passwords/#.Wr3H1chxV25
>>> [2]: https://haveibeenpwned.com/Passwords
>>> [3]: https://gist.github.com/roycewilliams/281ce539915a947a23db17137d91aeb7
>>> [4]: https://code.djangoproject.com/ticket/29274

--
Adam

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAMyDDM2m38bOn_4gOdGkHpXK5wEuJf0i%2Bj74JvJLJyJmrQwoFA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
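The memory concern raised in this message (each validator instance loading the whole list on initialization, with nothing shared) can be addressed by parsing the gzipped list lazily and once per process. The following is an added example, not Django's code and not code from the thread; the class names, the `loads` counter and the four-entry sample list are constructed for illustration, and lowercasing plus stripping the candidate before lookup is an assumption of this sketch.

```python
import atexit
import gzip
import os
import tempfile
import threading


class SharedCommonPasswordList:
    """Process-wide cache: each list file is parsed once, however many validators use it."""
    _cache = {}
    _lock = threading.Lock()
    loads = 0  # number of times a file was actually read (for demonstration)

    @classmethod
    def get(cls, path):
        key = os.path.realpath(path)
        with cls._lock:  # avoid two threads parsing the same file
            if key not in cls._cache:
                with gzip.open(key, "rt", encoding="utf-8") as fh:
                    cls._cache[key] = frozenset(
                        line.strip().lower() for line in fh if line.strip()
                    )
                cls.loads += 1
            return cls._cache[key]


class CachedCommonPasswordValidator:
    """Hypothetical validator: __init__ stores the path only, lookup is a set test."""

    def __init__(self, path):
        self.path = path  # nothing is read here

    def is_common(self, password):
        # Assumption: compare case-insensitively, ignoring surrounding spaces.
        return password.lower().strip() in SharedCommonPasswordList.get(self.path)

    def validate(self, password):
        if self.is_common(password):
            raise ValueError("This password is too common.")


def write_sample_list(passwords):
    """Write a constructed gzipped list, one password per line, and return its path."""
    fd, path = tempfile.mkstemp(suffix=".txt.gz")
    os.close(fd)
    with gzip.open(path, "wt", encoding="utf-8") as fh:
        fh.write("\n".join(passwords) + "\n")
    atexit.register(os.remove, path)
    return path


# Constructed sample data standing in for the 20,000-entry list.
SAMPLE_PATH = write_sample_list(["123456", "password", "qwerty", "letmein"])
```

With two validators pointing at the same path, the file is read on the first check and every later check in the process reuses the same `frozenset`.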