Troy Hunt

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals

Add-ons, Extensions and CSP Violations: Playing Nice with Content Security Policies

You know what I really like? A nice, slick, clean set of violation reports from the content security policy (CSP) I run on Have I Been Pwned (HIBP). You know what I really don't like? Logging on to Report URI and being greeted with something like this:This blog post is about how add-ons and extensions in browsers cause CSP violations like the ones above and how they should be dealt with. Some brief background first as I'll be sharing this post with a bunch of folks for which this may be new: A CSP is a response header or meta tag that allows you to declare a policy for your website declaring what sorts of content can be loaded...

Weekly Update 112

Wow, didn't the passwords discussions go nuts this week! Passwords suck and they must die, they're never going to die, people are using bad ones, people should be able to use bad ones, developers are at fault and my personal favourite in the "how on earth did you reach that conclusion" category, I should actually do something to educate people about passwords rather than blaming them for using bad ones. I've gotta stop laying around doing nothing with my days...But seriously, both posts on passwords this week garnered a heap of input from people agreeing with me, disagreeing with me and arguing with each other. For the most part, this was just fine but what I didn't mention in...

When Accounts are "Hacked" Due to Poor Passwords, Victims Must Share the Blame

It's just another day on the internet when the news is full of headlines about accounts being hacked. Yesterday was a perfect example of that with 2 separate noteworthy stories adorning my early morning Twitter feed. The first one was about HSBC disclosing a "security incident" which, upon closer inspection, boiled down to this:The security incident that HSBC described in its letter seems to fit the characteristics of brute-force password-guessing attempts, also known as a credentials stuffing attack. This is when hackers try usernames and password combos leaked in data breaches at other companies, hoping that some users might have reused usernames and passwords across services.The second story was about a number of verified Twitter accounts having been...

It's End of Life for ASafaWeb

A lot has changed in the Microsoft technology world in the last 7 years since I launched ASafaWeb in September 2011. Windows XP is no longer the dominant operating system (Win 7 actually caught up the month I launched ASafaWeb). Internet Explorer is no longer the dominant browser (Chrome was in 3rd place back then). Windows Server has gone from 2008 R2 to 2012 to 2012 R2 to 2016 to 2019. And lastly, .NET has gone through a heap of different versions (as has Visual Studio) from 4.x to Core 1 and now Core 2 (and minor versions within them).My own personal focus has also changed moving from corporate life to independence. From development and architecture to security....

Here's Why [Insert Thing Here] Is Not a Password Killer

These days, I get a lot of messages from people on security related things. Often it's related to data breaches or sloppy behaviour on behalf of some online service playing fast and loose with HTTPS or passwords or some other easily observable security posture. But on a fairly regular basis, I get an email from someone which effectively boils down to this:Hey, have you seen [insert thing here]? It's totally going to kill passwords!No, it's not and to save myself from repeating the same message over and over again, I want to articulate precisely why passwords have a lot of life left in them yet. But firstly, let me provide a high-level overview of the sort of product...

Weekly Update 111

On my first attempt at recording this, I decided the framing was crooked after a couple of minutes so I started again. On my second attempt, the PC BSOD'd after 42 mins and I thought I'd lost all the audio. I hadn't, so on the third attempt I completed the last of it. Then I waited nearly an hour for it to render before realising there was unedited material at the beginning so I had to re-render the whole thing again. This is on top of one of my screens refusing to go beyond 480p today and a week filled with various other frustrating tech support issues.But despite that, I persevered and got through much more content than I...

Weekly Update 110

I'm home! And home for another 6 weeks at that which is rather exciting if I'm honest. Travel really takes its toll in so many ways and I'm really looking forward to just having a bunch of time to code, blog and jet ski (not necessarily ordered by priority).But even without having had time to blog, there's a heap of material this week including the SIBOS conference, HIBP (apparently) being a top site that's "shaped the web", people losing their minds over sex toy privacy and EV certificates, Wife Lovers being breaches and some really interesting outcomes in people's effort to hold Apollo accountable under GDPR after their breach. On that last point, do listen to how this is...

Weekly Update 109

Last one before home time! But it has been an epic trip and as I say in the video, this is by far my most enjoyable trip to the US yet after probably a dozen over the last few years (that includes Hawaii, too). Given the interest after my pointing out a couple of little differences in the US compared to the rest of the world last week, after the usual tech and infosec intro this week I decided to focus a big whack of this week's video on what some of differences look like.Other than that, there's the usual things including new tech (the Apple Watch), data breaches (Facepunch and another especially nasty one), sextortion scams and fabricated...

Weekly Update 108

I'm in Texas! And I've had enough BBQ to last me a very long time. I'm here doing a couple of speaking events and other related things as well as taking some time out with my wife to see the sites. As such, it's a bit quieter this week but there's still a couple of things I reckon are worthy of discussion.Just before jumping on the plane over here I pushed out a blog post on how my approach to callbacks in HIBP broke Mozilla's service which in turn broke my Azure Function. This was one of those cases where sure, I didn't want anything to break, but it was a good learning experience that helped me make a...

Breaking Azure Functions with Too Many Connections

For the most part, Have I Been Pwned (HIBP) runs very smoothly, especially given how cheaply I run many parts of the service for. Occasionally though, I screw up and get something wrong that interrupts the otherwise slick operation and results in some outage. Last weekend was one such occasion and I want to explain what I got wrong, how you might get it wrong too and then, of course, how to fix it.But first, some background: A few months ago I announced that Mozilla and AgileBits were baking HIBP into Firefox and 1Password (I'll call them "subscribers" in this post). They're leveraging the anonymity model described there to ensure their users can search for their identities without me...