A brilliant - and also terrible - idea - for discussion only

[softwarecreations]

Why it's brilliant
Search the first n characters of the password on a search engine.
See how many results there are.
That can be like as one of the password scores. (the more results, lower the score)

Why it's terrible
The password will no longer be a secret if you send it to a search engine.
This is probably a showstopper for the idea.
You can limit the damage by only sending half of the password, or the first n words/tokens or whatever.

Inspired by the discussion in #63
The reason I came up with the idea. Is if someone uses a password like
maryhadalittlelambwhosfleecewaswhiteassnow
or whatever, it would likely return a billion search results, even though zxcvbn as is would probably think it's an amazing password.

[MrWook]

Like you wrote it yourself you can't just send a password to search engine xy. This is just a no go. The HaveIBeenPwned matcher is already kind of shady but in that implementation you hash the password and only send the first 5 chars of the hash to them.
But in general this is kind of covered by the common word and wikipedia dictionary.
An option would be to search for google search engine lists and include them as a dictionary.

But if someone really wanna get insulted by privacy advocates the person could build a custom matcher for the search engines :D.

[Tostino]

Along a similar vein of terrible ideas, I am going to document this here.

You could also have a matcher that tries to login to a bunch of services with the credentials of the user and fails them for password reuse.
No one ever implement that.

[softwarecreations]

EDIT (I thought about it more, now I think your idea is a bad idea, but I'm leaving my message as is, as I wrote it)

That's a good idea, but I believe it should be a separate project. It would be a lot of work to maintain, as websites would change their login flow and HTML etc all the time. You'd definitely need funding for that to make it of any value. (trying to login to at least 10 online services)

Another possible option is that HaveIBeenPwned thing. There might be stable API's for that.
So you hash the password in the prescribed manner, send it to the HaveIBeenPwned service, and they tell you if your password is unique or whatever. (so you find out if your new password is unique without needing to trust HaveIBeenPwned is honest or hasn't been hacked). What I'm saying now, could be part of this project, for sure, because it would be 1~3 services and a stable API, and provide a lot of value.

Also another problem with your idea is it would increase load on 3rd party sites, and consume energy and resources for little value. 3rd party services would definitely be very unhappy about it. It takes a lot of CPU power to hash passwords when someone tries to login.

There's also a negative security impact of doing what you're proposing, because the 3rd party site is not expecting or supporting you to do this. So you would have to send the password to 10 or more sites in plain text. Which violates the whole principle of using a unique password for each online site/service. So overall I think your idea seems nice initially but is bad once you explore the concept further.

There is the added problem that a lot of developers are idiots and they store passwords in plain text or they just md5 sum the passwords without even salting or whatever. And now (with your idea) you're multiplying your risk of being hacked by 1 + the number of online services that you send your unwanted login attempts to.

You could also get the user's IP address banned and put onto blacklists. Some software might decide the automated password attempts on their sites are malicious and then the user can't send email or login to various places until they find out that their hostname/IP address is banned.

Thanks for sharing your idea, it's good to come up with ideas. Some will be good some will be bad. It's part of the game. We need to dig through dirt to find gold and diamonds. I would not support your idea. But I think using some sort of HaveIBeenPwned API would be good!

[MrWook]

The HaveIBeenPwned api is already implemented as a custom matcher @zxcvbn-ts/matcher-pwned ;)
If the password is found in the api it will score the password immediately with a 0

[Tostino]

Don't worry, I don't support my idea either! But I've seen the sentiment used before by people not thinking through all the security implications you laid out in your post.

I figured it'd be better to list it out as an idea with a warning against it rather than let it be suggested or implemented later down the line.

The HIBP api is a much better solution to the same problem.

[softwarecreations]

The HaveIBeenPwned api is already implemented as a custom matcher @zxcvbn-ts/matcher-pwned ;) If the password is found in the api it will score the password immediately with a 0

Geez, f$#%ing amazing