HIBP Scoring help

[Tostino]

Hey there, so with all this activity, i've finally gotten around to implementing the HIBP api in Nbvcxz. Right now I have it just scoring all found matches with a score of 0... I saw that you were doing something similar in your codebase.

Figured i'd get a discussion going on the right way to score it. Should we have the score calculated based off the "count" that comes back from the API call in some way?

Are there any arguments to be made for scoring something that matches, regardless of the count, as non-zero? I do think there is something to be said for a password showing up a single time in a single breach not being inherently "worthless" entropy wise. We know the entries in our "password" database are in breaches, though we still give them a score and calculate some entropy value.

[MrWook]

When I implemented it for the first time I started experimenting with

// This is the current highest count of a password in the hash list

const PWNED_HIGHEST_HASH_COUNT = 2877689
const PWNED_PASSWORD_AMOUNT = 572611621

With that i got something like 198 for the most used password and 39594 for the least used passwords. But I don't know what happened. Somehow I broke it and then I couldn't get it to work anymore and so I just took 1 as the guess count.

So i would say those both values are our arguments. But I think they have also changed in the meantime