So everyday there is a new site which fesses up that they have been pwned. Someone came in, stole the lot, but don't worry, they only got something minor. And then a few days later, well, it seems there was a bit more. And by the time you stop caring about the story, it comes out that they got the universe.
And you, despite being a loyal reader of this blog, have used the same password on two sites. And you are pwned. [[ Side note: if you stop reading now, go to this link and check yourself out https://haveibeenpwned.com/ ]]
If you administrate a 'real $ network' one of your concerns is your team. You are only as strong as the weakest link. And you just know someone on your team uses the same password on some irrelevant blog as on your key customer data server.
So you concoct a plan. You will download all the leaks, and build a big database of them. A little google, a little dark-web-fu, you are there. You will make some pre-check script on your password db that checks people's proposed passwords.
And then you run into a bit of an issue. You really need to have this on everyone's desktop. And its kind of big. And its not obvious you want to do that.
So the path I have been researching is to use a type of AI called a 'Generic Adversarial Network'. The idea is to train a model on this dataset. You then ship the model to each desktop (and the model cannot be reversed since its lossy). The model would say "this password you propose it is *similar* to the dataset, and thus you should not use it. But, i found this pretty difficult to get correct-enough to use.
So today I found a different solution. Check this 'Vailidating Leaked Passwords with k-Anonymity' by cloudflare. And, cuz its 2018, a sample github repo that implements it. And its in bash! About time bash got some API love. Minus points for cheating and using curl rather than using bash built-in socket support.
So, now you that hypothetical admin, can take that github repo, and put a filter in on the client-side of 'i want to use this new password', and be safe.