Have I Been Pwned

I'm still pretty amazed at how much traction Pwned Passwords [https://haveibeenpwned.com/Passwords] has gotten this year. A few months ago, I wrote about Pwned Passwords in Practice [https://www.troyhunt.com/pwned-passwords-in-practice-real-world-examples-of-blocking-the-worst-passwords/] which demonstrates a whole heap of great use cases where they've been used in registration, password reset and login flows. Since that time, another big name has come on board too [https://blog.github.com/2018...

Two of my favourite developer things these days are Azure Functions [https://www.troyhunt.com/azure-functions-in-practice/] and Cloudflare Workers [https://scotthelme.co.uk/cloudflare-workers-report-uri/]. They're both "serverless" in that rather than running on your own slice of infrastructure, that concept is abstracted away and you get to focus on just code executions rather than the logical bounds of the server it runs on. So for example, when you have an Azure function and you deploy it und...

Over recent weeks, I've begun planning the release of the 3rd version of Pwned Passwords. If you cast your mind back, version 1 came along in August last year [https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/] and contained 320M passwords. I made all the data downloadable as SHA-1 hashes (for reasons explained in that post) and stood up a basic API to enable anyone to query it by plain text password or hash. Then in Feb, version 2 landed [https://www.troyhunt...

One of the most alarming trends I've seen in the world of data breaches since starting Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) back in 2013 is the rapid rise of credential stuffing [https://www.owasp.org/index.php/Credential_stuffing] attacks. Per the definition in that link, it simply means this: > Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. This form of attack relies on a combination...

Pretty much every day, I get a reminder from someone about how little people know about their exposure in data breaches. Often, it's after someone has searched Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) and found themselves pwned somewhere or other. Frequently, it's some long-forgotten site they haven't even thought about in years and also frequently, the first people know of these incidents is via HIBP: > large @ticketfly [https://twitter.com/ticketfly?ref_src=twsrc%5Etfw] data bre...

Running Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) has presented some fascinating insights into all sorts of aspects of how data breaches affect us; the impact on the individual victims such as you and I, of course, but also how they affect the companies involved and increasingly, the role of government and law enforcement in dealing with these incidents. Last week I had an all new situation arise related to that last point and I want to explain it properly here so it makes sense if...

Back in August, I pushed out a service as part of Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) to help organisations block bad passwords from their online things. I called it "Pwned Passwords" and released 320M of them from real-world data breaches [https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/] via both a downloadable file and an online service. This was in response to NIST's Digital Identity Guidelines [https://www.nist.gov/itl/tig/special-publ...

A couple of months ago, I shared news of on-boarding the UK and Australian governments to Have I Been Pwned [https://www.troyhunt.com/the-uk-and-australian-governments-are-now-monitoring-their-gov-domains-on-have-i-been-pwned/] (HIBP). As I explained at the time, I wanted to provide the folks there with easy access to their respective government domains which meant providing them with the facility to query at the TLD level - namely, .gov.uk and .gov.au - as well as across a handful of their oth...

When I launched Pwned Passwords in August [https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/], I honestly didn't know how much it would be used. I made 320M SHA-1 password hashes downloadable and also stood up an API to query the data "as a service" by either a plain text password or a SHA-1 hash. (Incidentally, for anyone about to lose their mind over SHA-1, read that launch post as to why that hashing algorithm is used.) But the service did become quite popu...

The penny first dropped for me just over 7 years ago to the day: The only secure password is the one you can't remember [https://www.troyhunt.com/only-secure-password-is-one-you-cant/]. In an era well before the birth of Have I Been Pwned [https://haveibeenpwned.com/] (HIBP), I was doing a bunch of password analysis on data breaches and wouldn't you know it - people are terrible at creating passwords! Of course, we all know that but it's interesting to look back on that post all these years late...