Troy Hunt

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals.

Weekly update 48 (windy Sydney edition)

I've been in Sydney all week for the NDC conference here so it's been a pretty non-stop time. A 2 day workshop, 2 new Pluralsight courses, 2 talks and all the usual social things that go along with these. But regardless, I got that Ubiquiti UniFi course out and a blog post to go along with it. I'm keeping things brief here now as I prepare for (the always epically fun) Pubcon, more next week from snowy Australia. Yes - snow!

iTunes podcast | Google Play Music podcast | RSS podcast

References

Everything you need to know about Ubiquiti UniFi to get started (this is such awesome gear and I love hearing about how happy people are with it)

Terbium is sponsoring...

Free Course: Here's What This Ubiquiti UniFi Stuff Is All About

Last year, I got fed up with my wifi. The coverage was patchy, the devices were unstable (my speed would regularly drop to less than 2Mbps until I restarted the router) and even though it was new gear, it felt just like the gear I'd had a decade ago. Same basic principle of an all-in-one device, same basic web interface and almost certainly, the same update cycle - I wasn't going to be seeing firmware updates or new management features any time soon, if at all. All of this wasn't just frustrating, it was costing me money as productivity went out the window. So I fixed it. In the post linked to above, I talk through how I built out...

Weekly update 47

Last update before travelling again, but fortunately it's just a cruisy 9-hour drive down to Sydney for NDC then a week of snowboarding (yeah Australia has snow). I'll be doing a workshop at NDC and I'll also be doing one in Melbourne next month so check that out if you're around that way. This week, an SEO bloke wearing pyjamas talked about how HTTPS was unnecessary, attempted to silence any naysayers and then eventually recanted and deleted his original views. It's odd, because they were the same views as the psychic SEO lady who'd been reincarnated 17 times... That weirdness and more in this week's update!

iTunes podcast | Google Play Music podcast | RSS podcast

References

AD pwned passwords I've got...

Don't Take Security Advice from SEO Experts or Psychics

As best I understand it, one of the most effective SEO things you can do is to repeat all the important words on your site down the bottom of the page. To save it from looking weird, you make the text the same colour as the background so people can't actually see it, but the search engines pick it up. Job done, profit! I think this is the way we did it in 1999. I don't know, I can't recall exactly, but I know I don't know and I'll happily admit to being consciously incompetent in the ways of SEO. But that's cool, I know the things I understand well and those I don't and when I get the latter...

Weekly update 46

This has been an insane week, not least because of spending the day yesterday installing a Ubiquiti network as part of my upcoming course. A heap of fun, but one little glitch threw my day out. Another glitch with my Pwned Passwords service threw my day today out so I'm going to sign off here, leave you with the vid and go grab a well-deserved 🍺

iTunes podcast | Google Play Music podcast | RSS podcast

References

I've been kinda in love with Ubiquiti gear since November (the course should be out this month, I'm rather happy with it so far 😀)

Responsible disclosure remains a hard thing to do... responsibly (Kids Pass decided to block me on Twitter rather than allow me to...

Introducing 306 Million Freely Downloadable Pwned Passwords

Edit: The following day, I loaded another set of passwords which has brought this up to 320M. More on why later on. Last week I wrote about Passwords Evolved: Authentication Guidance for the Modern Era with the aim of helping those building services which require authentication to move into the modern era of how we think about protecting accounts. In that post, I talked about NIST's Digital Identity Guidelines which were recently released. Of particular interest to me was the section advising organisations to block subscribers from using passwords that have previously appeared in a data breach. Here's the full excerpt from the authentication & lifecycle management doc (CSP is "Credential Service Provider"): NIST isn't mincing words here,...

Pastes on Have I Been Pwned Are No Longer Publicly Listed

Over the weekend, a Have I Been Pwned (HIBP) subscriber contacted me after they found their Spotify credentials online. It turns out that this particular woman went searching for her specific password after finding "some guy listening to Mexican music from a foreign device on my acct". In the search results, she found a site hosted on Google's Blogger service with troves and troves of Spotify credentials, among others. Now I've seen a lot of lists of "hacked Spotify accounts" in the past and to date, they've always been collated as a result of credential stuffing as opposed to Spotify themselves having been breached. She pointed me to the site with the (obfuscated) content you see...

Kids Pass Just Reminded Us How Hard Responsible Disclosure Is

Only a couple of months ago, I did a talk titled "The Responsibility of Disclosure: Playing Nice and Staying Out of Prison". The basic premise was to illustrate where folks finding security vulnerabilities often go wrong in their handling of the reporting, but I also wanted to show how organisations frequently make it very difficult to responsibly disclose the issue in the first place. Just for context, I suggest watching a few minutes of the talk from the point at which I've set the video below to start: Time and time again, I run into incidents where good people hit brick walls when trying to do the right thing. For example, just this weekend I had a Twitter...

Weekly update 45

This week I've had my head down working on a new course for Ubiquiti, the guys who make the very fine wifi things I now have in my house and since writing about them, many others do too. I'll be sharing more about that in the coming weeks but whilst I had the parts handy, I thought I'd show folks what would be going into the build I'll do next week. The other major thing this week was the blog post about modernising our approach to passwords. I honestly didn't expect this to be so well received and it looks like it's been read over 100k times in the last 48 hours! I suspect people are just sick of inane...

Passwords Evolved: Authentication Guidance for the Modern Era

In the beginning, things were simple: you had two strings (a username and a password) and if someone knew both of them, they could log in. Easy. But the ecosystem in which they were used was simple too, for example in MIT's Time-Sharing Computer, considered to be the first computer system to use passwords: We're talking back in the 60's here so a fair bit has happened since then. Up until the last couple of decades, we had a small number of accounts and very limited connectivity which made for a pretty simple threat landscape. Your "adversaries" were those in the immediate vicinity, that is people who could gain direct physical access to the system. Over time that...