I hope that the SHA1 hashes remain freely available for download. I use them to build a bloom filter for password vetting.
We should all do away with password complexity rules (except minimum length) and simply test a large, comprehensive exposed password bloom filter for membership. It's very fast (constant time) and efficient and if the test returns no, then it's safe for a user to select that password.
Very nice. I've never used a Golomb Set (looks interesting). I bet we'll see more organizations doing this and maybe in five to ten years, it'll be the norm.
I think it should be two step - checking against the list and if that passes, complexity check. Covers complex passwords that are known to have been in use/leaked and non-complex ones too.
Here's the code: https://github.com/w8rbt/bp
Also note that this approach satisfies the updated (June 2017) NIST 800-63-3B password vetting guidelines.
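The vetting approach discussed above (minimum length plus a membership test against a Bloom filter built from exposed-password SHA-1 hashes), as an added example; this is not code from the bp project, and the leaked-password list here is a small constructed sample in the uppercase-hex SHA-1 line format the public dumps use:

```python
import hashlib
import math

# Constructed sample of exposed passwords, stored the way the public dumps are
# distributed: one uppercase hex SHA-1 digest per line.
LEAKED_SHA1 = [hashlib.sha1(p.encode()).hexdigest().upper()
               for p in ("password", "123456", "qwerty", "letmein", "P@ssw0rd!")]


class BloomFilter:
    """Bit-array Bloom filter: no false negatives, tunable false-positive rate."""

    def __init__(self, expected_items, fp_rate):
        # Standard sizing: m bits and k hash functions for the target fp rate.
        self.m = max(8, math.ceil(-expected_items * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Double hashing: two 64-bit halves of one SHA-256 yield all k indices.
        d = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def build_filter(sha1_lines, fp_rate=1e-6):
    """Load digest lines (as read from the dump) into a filter; constant-time lookups."""
    bf = BloomFilter(len(sha1_lines), fp_rate)
    for line in sha1_lines:
        bf.add(line.strip().upper())
    return bf


def vet_password(password, bf, min_length=12):
    """Return (accepted, reason): exposure check first, then the only complexity rule kept."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    if digest in bf:
        # A "yes" can be a rare false positive; a "no" is always definitive.
        return False, "appears in exposed-password set"
    if len(password) < min_length:
        return False, "too short"
    return True, "ok"
```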