Ask HN: Is a 10Gb Docker image with the haveibeenpwned db on it a bad idea?

2 points by fuhrysteve 7 years ago · 3 comments · 1 min read


We have a site with sensitive data on it, and need to verify, when users create a new password, that the password has not been previously exposed in a known breach. The way everyone seems to be doing this is by downloading and searching the 10gb haveibeenpwned database for sha1 matches of the candidate password.

We know that it's best practice to keep docker images small, however this seems like a tempting solution for an annoying problem: simply make a 10Gb Docker image that downloads the haveibeenpwned database (which is ~10Gb) as part of the image, and expose a searchable API. Sure it would be slow to deploy an image that large on Kubernetes, but it seems like it'd otherwise be easy to maintain.

How are you checking passwords against haveibeenpwned / similar for your users?

LinuxBender 7 years ago

This makes sense to me. We did something similar, just not in docker, but docker is just packaging/deployment.

reimertz 7 years ago

Hi there,

Is there a reason why you don't integrate with their API instead? Seems like they offer what you need: https://haveibeenpwned.com/API/v2
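Added example (not from the post or either reply, and not HIBP's own code) showing both approaches side by side: the local SHA-1 lookup over the pwned-passwords dump that the post describes, and the client side of the k-anonymity range query the Pwned Passwords API exposes, where only the first five hex characters of the hash leave the client. The dump lines are a constructed sample in the real `SHA1HEX:COUNT` format with made-up counts; `load_index`, `breach_count`, `range_suffixes` and `client_range_check` are names chosen here.

```python
import bisect
import hashlib

# Constructed sample in the pwned-passwords dump format ("SHA1HEX:COUNT",
# uppercase, sorted by hash). The counts are made up for this example.
SAMPLE_DUMP = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
7C4A8D09CA3762AF61E59520943DC26494F8941B:23174662
8CB2237D0679CA88DB6464EAC60DA96345513964:3533661
"""


def load_index(dump_text):
    """Parse the dump into parallel sorted lists so lookups are O(log n).
    For the full multi-GB file you would binary-search the file on disk
    instead of loading it; the shape of the search is identical."""
    hashes, counts = [], []
    for line in dump_text.splitlines():
        h, _, c = line.partition(":")
        hashes.append(h.strip().upper())
        counts.append(int(c))
    assert hashes == sorted(hashes), "dump must be sorted by hash"
    return hashes, counts


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def breach_count(index, password):
    """Server-side check (the Docker-image approach): the full SHA-1 is looked
    up locally. Returns the breach count, or 0 if the password is absent."""
    hashes, counts = index
    h = sha1_hex(password)
    i = bisect.bisect_left(hashes, h)
    return counts[i] if i < len(hashes) and hashes[i] == h else 0


def range_suffixes(index, prefix5):
    """What a range endpoint answers for a 5-hex-char prefix: the remaining
    35 chars and count of every hash sharing that prefix. Because the list is
    sorted, the matching block is contiguous; 'G' sorts after every hex digit."""
    hashes, counts = index
    lo = bisect.bisect_left(hashes, prefix5)
    hi = bisect.bisect_left(hashes, prefix5 + "G")
    return {hashes[j][5:]: counts[j] for j in range(lo, hi)}


def client_range_check(index, password):
    """Client side of the range exchange: send only the prefix, then match the
    suffix locally, so the full hash (and password) never leaves the client."""
    h = sha1_hex(password)
    return range_suffixes(index, h[:5]).get(h[5:], 0)
```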
