Troy Hunt has released Pwned Passwords v2 as part of his Have I Been Pwned service, which tracks data breaches: Have I Been Pwned: Pwned Passwords
The password checker uses a great privacy-preserving and cache-friendly design that’s dead simple to integrate. Blog post here: Troy Hunt: I Wanna Go Fast: Why Searching Through 500M Pwned Passwords Is So Quick but I’ll post a quick summary:
$ echo -n 'commonpassword' | shasum
bee858a53297f2feec01e084c3e110c296a7fd72 -
$ curl -sL https://api.pwnedpasswords.com/range/BEE85 | grep '8A53297F'
8A53297F2FEEC01E084C3E110C296A7FD72:91
therefore, ‘commonpassword’ has appeared 91 times in processed password dumps.
This offers great support to query a very large dataset without having to have a copy on every single Discourse site. As prior art, WordFence (a WordPress firewall plugin) has integrated it to block admin logins with weak passwords starting today (password resets are enforced on login):
Integrating this as an alternative to the 10k password list (many of which are moot due to length limits) seems like a good idea.
Discourse-hosted sites could use a local copy of the hash lists to avoid excess network requests, while self-installs would need to use the web service with custom caching.
Previous discussions: Min Password Length vs Block Common Passwords
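The range lookup summarised above, written out as an added example (not code from the original post, from Troy Hunt, or from Discourse): hash the password with SHA-1, send only the first five hex characters to the range endpoint, and match the remaining 35 characters against the `SUFFIX:COUNT` lines that come back, so the full hash never leaves the client. The `fetch_range` argument is an assumption introduced here so the lookup can be run against a constructed in-memory "server" offline; `fetch_range_http` uses the real `https://api.pwnedpasswords.com/range/` URL from the post but is never called by the sample. The breached passwords and counts in `CONSTRUCTED_LEAKS` are made up for the example.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # from the post


def sha1_hex_upper(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hex_digest: str) -> Tuple[str, str]:
    """First 5 hex chars are the k-anonymity prefix sent to the server;
    the remaining 35 chars stay on the client and are matched locally."""
    return hex_digest[:5], hex_digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF) into {suffix: count}.
    Blank or malformed lines are skipped rather than failing the check."""
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        try:
            counts[suffix.upper()] = int(count)
        except ValueError:
            continue
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the dataset (0 if absent).
    Only the 5-char prefix is handed to fetch_range; the suffix is compared here."""
    prefix, suffix = split_hash(sha1_hex_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_http(prefix: str) -> str:
    """Real network fetch of one prefix bucket (not used by the offline sample)."""
    with urllib.request.urlopen(RANGE_URL + prefix) as resp:
        return resp.read().decode("utf-8")


# --- constructed stand-in for the service, so the example runs offline ---
CONSTRUCTED_LEAKS = {"commonpassword": 91, "password123": 12345}  # made-up counts


def build_fake_server(leaks: Dict[str, int]) -> Callable[[str], str]:
    """Bucket constructed leaks by prefix and pad each bucket with filler
    suffixes, mimicking the ~500-line responses the real service returns."""
    buckets: Dict[str, list] = {}
    for pw, n in leaks.items():
        prefix, suffix = split_hash(sha1_hex_upper(pw))
        buckets.setdefault(prefix, []).append(f"{suffix}:{n}")

    def fetch_range(prefix: str) -> str:
        lines = buckets.get(prefix, [])
        filler = [f"{i:035X}:{i + 1}" for i in range(3)]  # never matches a real SHA-1 suffix
        return "\r\n".join(lines + filler) + "\r\n"

    return fetch_range


fake_fetch_range = build_fake_server(CONSTRUCTED_LEAKS)


def is_weak(password: str, fetch_range: Callable[[str], str] = fake_fetch_range) -> bool:
    """Policy hook a login or password-change flow would call: reject if ever seen."""
    return breach_count(password, fetch_range) > 0


if __name__ == "__main__":
    for pw in ("commonpassword", "a long unique passphrase for this example"):
        print(pw, "->", breach_count(pw, fake_fetch_range))
```

Because the response for a given prefix is the same for every password that shares it, `fetch_range` is the natural place to put a cache (an in-memory dict or an HTTP cache in front of the endpoint); a self-hosted install would wrap `fetch_range_http` that way, while a site with a local copy of the hash lists would replace it with a file lookup.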