Troy Hunt

Hi, I'm Troy Hunt, I write this blog, run "Have I Been Pwned" and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals

Padlocks, Phishing and Privacy; The Value Proposition of a VPN

I want a "secure by default" internet with all the things encrypted all the time such that people can move freely between networks without ever needing to care about who manages them or what they're doing with them. I'm a massive proponent of Let's Encrypt's and Cloudflare's missions to secure the web and of browser paradigms such as HSTS and upgrade-insecure-requests via content security policies to help make it a reality. Yet I also find myself constantly using VPNs for a variety of security and privacy related reasons and it got me thinking - why? I mean what's the remaining gap? Last month I announced I've partnered with NordVPN as a strategic adviser and as part of that effort, I...

Weekly Update 208

The highlight of my week was absolutely getting the Shelly 1 units behind a couple of my light switches working as I'd always dreamed. It just opens up so many automation possibilities that I'm really excited about what I might do in the future with them now. When I get the place to a standard I'm happy with, I'll definitely do a good walkthrough and show how it all works. Until then, this week's update has some general infosec stuff but chief amongst that is the Giggle app situation. So many layers on this one, so many layers...

References
- Got the Shelly 1 working absolutely perfectly! (this is precisely what I always envisaged)
- Don't say your app is "highly secure" while...

Weekly Update 207

I kicked off a little bit earlier on this one in order to wrap up before the Burning Minds keynote, and it's interesting to see just how much difference that little sliver of sunlight makes to the video quality. Check the very start of the video versus the very end; this is the sunset slipping through the crack in the fully drawn blinds, and it makes a massive difference. In other news, I'm talking about how I prepare my talks and deliver them timed down to the minute (I had 20 seconds spare on this one), the dramas I'm having with the Shelly units and putting another dozen neon lights in the house, how encryption and hashing are fundamentally different and we...

We Didn't Encrypt Your Password, We Hashed It. Here's What That Means:

You've possibly just found out you're in a data breach. The organisation involved may have contacted you and advised your password was exposed but fortunately, they encrypted it. But you should change it anyway. Huh? Isn't the whole point of encryption that it protects data when exposed to unintended parties? Ah, yes, but it wasn't encrypted, it was hashed, and therein lies a key difference:

Saying that passwords are “encrypted” over and over again doesn’t make it so. They’re bcrypt hashes so good job there, but the fact they’re suggesting everyone changes their password illustrates that even good hashing has its risks. https://t.co/21V6Vte6Wa
— Troy Hunt (@troyhunt) September 2, 2020

I see this over...

Weekly Update 206

Since I recorded this morning, I've had an absolute breakthrough - I CAN OPEN MY GARAGE DOOR WITH MY WATCH! I know, I know, it shouldn't be this hard and that's a lot of the point I'm making in this week's video. Having said that, some parts have been hard because I've made simple mistakes, but the nature of the IoT ecosystem as it stands today predisposes you to mistakes because there's so freakin' many moving parts that all need to be aligned. More on that in the video, plus some actual infosec content too! More on all of that next week 😊

References
- The BBC is now using Pwned Passwords (hitting the k-anonymity API too, plus wrote a great description of...

Weekly Update 205

Between still feeling a little groggy after hitting the water hard on an early wake boarding session and then my camera overheating and shutting down towards the end of the live stream, this wasn't the smoothest of weekly updates, but I still got across everything I needed to. I'm especially excited about those Shelly 1 units for cheaply IoT'ing existing lights and I'm hoping to have some of that up and running next week. Until then, here's episode 205:

References
- I got an award! (2020 (ISC)² Global Achievement Awards: Celebrating achievements in cybersecurity)
- I'm going to put a bunch of Shelly 1 units behind light switches (this is a really neat way of IoT'ing your house)
- New lighting systems in Aus tend to...

Weekly Update 204

It's an extra early one this week and on review, I do look a bit... dishevelled! I run through a whole bunch of things from this week's Twitter timeline and there's some great audience questions this week too so thanks very much everyone for the engagement. Next week we'll do it at the other end of the day again and I'm sure there'll be a heap of new stuff to cover before then.

References
- The feedback on open-sourcing HIBP has been 99.99% positive (that's about as good as you can ever hope for on the internet!)
- I reckon 10TB Western Digital Red drives are the sweet spot for storing data at volume these days (not everyone agrees, of course)
- Amazing how...

Weekly Update 203

What. A. Week. I've been absolutely non-stop publishing data breaches to HIBP whilst simultaneously putting in place the framework to start advising NordVPN on their cybers and open sourcing the HIBP code base at the same time (and a bunch of other more boring stuff that didn't make the cut). That's all explained in this week's update so I won't drill further into it here; there's obviously a couple of big announcements so if you have any questions, drop them in the comments below and I'll either answer them there or take them up in next week's update.

References
- Our state border to the south is now in a "hard" lockdown (that link is for the stats state by state)
- Breaches,...

I'm Open Sourcing the Have I Been Pwned Code Base

Let me just cut straight to it: I'm going to open source the Have I Been Pwned code base. The decision has been a while coming and it took a failed M&A process to get here, but the code will be turned over to the public for the betterment of the project and frankly, for the betterment of everyone who uses it. Let me explain why and how.

HIBP is a Community Project

I've been giving a great deal of thought to how I want this project to evolve lately, especially in the wake of the M&A process that ended earlier this year right back where I'd started: with me being solely responsible for everything. The single...

I'm Partnering with NordVPN as a Strategic Advisor

I love security. I love privacy. Consequently, it will come as no surprise that I love tools that help people achieve those objectives. Equally, I have no patience for false promises, and I've been very vocal about my feelings there:

But one of them is literally called “Secure VPN”, how is this possible?! “Are You Using These VPN Apps? Personal Info Of 20 Million Users Leaked: That’s 1.2TB Data” https://t.co/BPDww70Pgo
— Troy Hunt (@troyhunt) July 20, 2020

VPNs are a great example of where a tool can be used to enhance security and privacy but often, they fall short of delivering on the promise. When you use a VPN, you're trusting a third party with...