Troy Hunt

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals

Banks, Arbitrary Password Restrictions and Why They Don't Matter

Allow me to be controversial for a moment: arbitrary password restrictions on banks such as short max lengths and disallowed characters don't matter. Also, allow me to argue with myself for a moment: banks shouldn't have these restrictions in place anyway. I want to put forward cases for both arguments here because seeing both sides is important. I want to help shed some light on why this practice happens and argue pragmatically both for and against. But firstly, let's just establish what's happening: People are Upset About Arbitrary RestrictionsThis is actually one of those long-in-draft blog posts I finally decided to finish after seeing this tweet earlier on in the week: My bank tells me that their exactly-5-digit password policy...

Weekly Update 156

Turns out it's actually a sunny day in Oslo today, although it's the last one I'll see here for quite some time before heading off to Denmark then other European things for the remainder of this trip. I'm talking a little about those events (all listed on my events page), this week's changes to EV, more data breaches and a somewhat semantic argument about the definition of "theft". ReferencesEntrust are convinced you should still pay them for EV certs (even though the primary value proposition they're still promoting is now gone...)Scott killed a million bucks worth of EV certs (it turns out that extended validation isn't always so... extended)The Void.to hacking forum got breached and is now...

Weekly Update 155

From the emerging spring to the impending autumn, I'm back in Oslo at the beginning of another series of European events that'll take me across Norway, Denmark, Hungary and Switzerland. This week's update comes from under the glow of a warm outdoor heater at ridiculous o'clock as my sleep cycle keeps me making early starts. But it's all transient and by this time next month I'll be back to a very warm, very familiar Aussie landscape. For now, here's what's new on my side: ReferencesThere's 419M Facebook users' phone numbers floating around (looks like abuse of a now deprecated feature and no, it's not going into HIBP)Chrome 77 is about to hit and finally kill off EV for good...

Weekly Update 154

How's that for a setting in this week's video? 🌴 First day of spring here which aligned with a father's day on the water: May all your father’s days be full of fun and laughter 😎 pic.twitter.com/pN1dQ38cDr — Troy Hunt (@troyhunt) September 1, 2019 Back on business as usual, there's the SIM hijacking issue with Jack Dorsey's Twitter account, more data breaches and joyously, the HIBP API being back in full swing with the 500 subscription limit issue on Azure's APIM now being overcome. Next week's update will be from Oslo so a rather different scene, followed by some other cool places across Europe in the ensuing weeks. ReferencesI'm at NDC TechTown in Konsberg next week (closing keynote...

Weekly Update 153

Australia! Sunshine, good coffee and back in the water on the tail end of "winter". I'm pretty late doing this week's video as the time has disappeared rather quickly and I'm making the most of it before the next round of events. Be that as it may, there's a bunch of new stuff this week not least of which is the unexpected limit I hit with the Azure API Management consumption tier. I explain the problem in this video along with a bunch of other infosec related bits. I'll do another one from Aus later this week (if I can stick to schedule) and will try and find another nice little spot. Until then, enjoy: ReferencesI hit an unexpected limit...

Weekly Update 152

I made it out of Vegas! That was a rather intense 8 days and if I'm honest, returning to the relative tranquillity of Oslo has been lovely (not to mention the massive uptick in coffee quality). But just as the US to Europe jet lag passes, it's time to head back to Aus for a bit and go through the whole cycle again. And just on that, I've found that diet makes a hell of a difference in coping with this sort of thing: The number one most effective way I’ve found for coping with jet lag, stress, crazy work loads and general health is to focus on diet. It’s hard to control a lot of other environmental...

Extended Validation Certificates are (Really, Really) Dead

Almost one year ago now, I declared extended validation certificates dead. The entity name had just been removed from Safari on iOS, it was about to be removed from Safari on Mojave and there were indications that Chrome would remove it from the desktop in the future (they already weren't displaying it on mobile clients). The only proponents of EV seemed to be those selling it or those who didn't understand how reliance on the absence of a positive visual indicator was simply never a good idea in the first place. The writing might have been on the wall a year ago, but the death warrant is now well and truly inked with both Chrome and Firefox killing it stone...

Weekly Update 151

Well that's Vegas done. 8 days of absolutely non-stop events that's now pretty much robbed me of my voice but hey, I got a flying cow! Scott and I both spent BSides, Black Hat and DEF CON doing "hallway con" or in other words, wandering around just meeting people. The personal engagement you get from these ad hoc meetups really can't be beat and I appreciate everyone who took the time to come over and say hi. Just a sample of our week is below: Approaching a week of @BSidesLV, @BlackHatEvents and @defcon. Three conferences, tens of thousands of people and 44C temps. This’ll be interesting... pic.twitter.com/049DzhpePF — Troy Hunt (@troyhunt) August 5, 2019 The best...

Weekly Update 150

Vegas! I'm a bit late with this week's update but I thought I'd catch up with Scott Helme and do the video together. We're talking about the events in Vegas, the ongoing Project Svalbard process, some very screwy messaging about certificates from Sectigo and the Irish government coming on board HIBP. Next week we'll do another one from Vegas and talk about what the events of the week here were like. ReferencesSectigo made some pretty wild claims about EV certs (read the tweet thread by Scott)The subsequent rebuttals by David from Sectigo are worth reading (although they still don't justify the earlier claims IMHO)The Irish government is now using HIBP to monitor all their domains (they now join...

Welcoming the Irish Government to Have I Been Pwned

Over the last year and a bit I've been working to make more data in HIBP freely available to governments around the world that want to monitor their own exposure in data breaches. Like the rest of us, governments regularly rely on services that fall victim to attacks resulting in data being disclosed and just like the commercial organisations monitoring domains on HIBP, understanding that exposure is important. To date, the UK, Australian, Spanish and Austrian governments have come onboard HIBP for nation-wide government domain monitoring and today, I'm happy to welcome the Irish government as well. They now have access to all .gov.ie domains and a handful of other government ones on different TLDs. A big welcome to...