jephthai / OpenPasswordFilter

An open source custom password filter DLL and userspace service to better protect / control Active Directory domain passwords.
GNU General Public License v2.0
387 stars 105 forks

[Feature Request] Add Bloom Filter Support #31

Open ossie-git opened 5 years ago

ossie-git commented 5 years ago

Considering that Troy Hunt released Pwned Passwords in NTLM format a few months ago (https://www.troyhunt.com/pwned-passwords-now-as-ntlm-hashes/), I was wondering if OpenPasswordFilter could add an option to use a bloom filter so that we can query the 30 GB database very quickly and end up taking a lot less space (less than 1 GB). I know that the fork by brockrob (https://github.com/brockrob/OpenPasswordFilter) supports online lookups of Pwned Passwords, but most enterprise environments won't have their DCs making outbound connections. Even at a 99.9% accuracy rate, I think we can get the DB size down to 700 MB or so.
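
An added illustration of the idea requested above (not code from OpenPasswordFilter, passwdqc or either commenter): a minimal Bloom filter keyed directly on NTLM hashes read from `HASH:count` lines, sized from a target false-positive rate and then checked empirically. The class and function names are hypothetical, and the sample hashes are constructed from a counter rather than taken from Pwned Passwords.

```python
import hashlib
import math

def bloom_params(n_items, fp_rate):
    """Optimal bit count m and hash count k for n_items at fp_rate."""
    m = math.ceil(-n_items * math.log(fp_rate) / math.log(2) ** 2)
    k = max(1, round(m / n_items * math.log(2)))
    return m, k

class NtlmBloom:
    def __init__(self, n_items, fp_rate):
        self.m, self.k = bloom_params(n_items, fp_rate)
        self.bits = bytearray((self.m + 7) // 8)

    def _indexes(self, ntlm_hex):
        raw = bytes.fromhex(ntlm_hex)
        if len(raw) != 16:
            raise ValueError("NTLM hash must be 32 hex characters")
        # The NTLM hash is already a 128-bit digest: use its two 64-bit
        # halves as base hashes for double hashing, (h1 + i*h2) mod m.
        h1 = int.from_bytes(raw[:8], "big")
        h2 = int.from_bytes(raw[8:], "big") | 1  # odd stride, never zero
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, ntlm_hex):
        for i in self._indexes(ntlm_hex):
            self.bits[i >> 3] |= 1 << (i & 7)

    def __contains__(self, ntlm_hex):
        return all(self.bits[i >> 3] & (1 << (i & 7)) for i in self._indexes(ntlm_hex))

def load_pwned(lines, n_items, fp_rate):
    """Build a filter from 'HASH:count' lines; the count is ignored."""
    bloom = NtlmBloom(n_items, fp_rate)
    for line in lines:
        if line.strip():
            bloom.add(line.strip().split(":", 1)[0])
    return bloom

def fake_hash(i):
    """Constructed 128-bit stand-in for an NTLM hash (truncated SHA-256 of a counter)."""
    return hashlib.sha256(str(i).encode()).hexdigest()[:32].upper()

def measure(n_items=2000, fp_rate=0.001, probes=50000):
    """Return (false negatives, observed false-positive rate) on constructed data."""
    bloom = load_pwned((f"{fake_hash(i)}:1" for i in range(n_items)), n_items, fp_rate)
    missed = sum(fake_hash(i) not in bloom for i in range(n_items))
    hits = sum(fake_hash(i) in bloom for i in range(n_items, n_items + probes))
    return missed, hits / probes
```

A hit in the filter means "probably listed", so a false positive rejects an acceptable password; a miss is definitive, so a listed password is never accepted.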

solardiz commented 2 weeks ago

FWIW, I implemented a cuckoo filter in passwdqc, for Pwned Passwords v8's 847+ million passwords in 3.5 GB at a less than 1 in a billion false positive rate. Sure it could be much smaller for a "mere" 99.9% accuracy rate, but 3.5 GB should be affordable enough to have effectively no false positives.