2018 Retrospective

I started doing these retrospectives 3 years ago in my first year of independence. I reckon they're a good thing for everyone to do if not in written form then at least mentally to look back on your achievements of the year. They're a great way of reflecting on success (and indeed, on failures) and they also help explain why we all feel so damn tired by the end of the year!

Here's my 2018 highlights, starting with travel:


"Oh yeah, I'm totally gonna travel less this year" - me every single year

In reality, my travel ended up looking like this:

That's the same number as last year, 4 more days and another 8,000km. On the other hand, it's 12 less cities and 1 less country and the main reason for that is I've been trying to cram less into trips. I've also been travelling with family far more so whilst those 140 days equate to 38% of my year, there were 14 days in Hawaii, 10 days at the Aussie snow, 11 days in Texas and 17 days in Canada where I wasn't flying solo. That's 52 days where it wasn't just a lonely slog so I'm pretty happy about that.

Flight wise, App in the Air captured things in a nice visual fashion:

That's up 15,000km, 17 hours and 3 flights from last year. So yes, travel went up but I also did a bunch of remote workshops which helped keep that down, as well sending Scott Helme to run in-person ones that contributed to keeping me on Aussie soil.


I actually got a bit of a surprise when I pulled the list of my most popular blog posts for 2018:

The surprise was that after the home page, the most popular page hit on my site was the one about Online Spambot, a post I published in August 2017. I guess it's maintained its traction due it being referenced in the HIBP description and there being a huge number of people finding themselves pwned. In fact, I'm sure that's why the next 3 blog posts are up there too because they're all from similar incidents (number 6 in that list was also from 2017).

If I'm honest though, my favourite post of the year was the one I published earlier this week on New Year's Eve - 10 Personal Finance Lessons for Technology Professionals. I love this post. I love the reaction it's had. I love that based on so much of the positive feedback I've had it might actually improve people's lives in away I don't think any previous post has before. Who knows, maybe this is something I'll even write more about in 2019 if there's an appetite.

The sponsorship model continued strongly too. It's been resoundingly well-received by both browsers to the site and the sponsors themselves and I've already booked 2019 out until August.


Geez, where to start... Probably with my 2018 events page which lists everything I did of a public nature. What it doesn't do is list all the private events which pretty dramatically increases that list. Of the ones I can talk about, they included:

Microsoft in Copenhagen:

MVP Summit in Seattle:

Ascend in Vegas:

CRN Pipeline in Melbourne:

CRN Pipeline in Sydney:

Loco Moco Sec in Hawaii:

Infosecurity EU in London:

SSW in Sydney:

Cyber Edge in Sydney:

SailPoint in Sydney:

API Days in Melbourne:

Fortinet in Sydney:

TECHpalooza on the Gold Coast:

Texas Cyber Summit in San Antonio:

Dev Fest Weekend in Dallas:

Sibos in Sydney:

There were a bunch of NDCs to do, starting with London in Jan:

Then Oslo for NDC security:

My home on the Gold Coast in May:

And then Oslo again in June (incidentally, seen here doing my new favourite talk "Everything is Cyber-Broken" with Scott):

And Sydney in September:

Spending time at the Australian Cyber Security Centre here in Aus was also a wonderful experience:

And just to top it off, a keynote appearance in Microsoft Connect (albeit recorded from Aus):

And, yeah, I think that's all it was! Actually, it could have been much busier, I declined 76 events:

I do actually keep track of all these and as it turns out, that's just 1 more event than I declined in 2017. I'm surprised about how closely these 2 years have tracked to each other in so many ways.


2018 was a great year for HTTPS. Looking at Scott's 2018 Alexa Top 1M analysis from August (his most recent 6-monthly publication), 52% of the world's top 1M sites are now served over HTTPS by default. On the one hand, we're only just past the half way point but on the other hand, it was only 31% a year earlier.

Because public shaming of poor security drives positive changes (a popular 2018 blog post that will get a lot of mileage for years to come), we made Why No HTTPS to call out the largest offenders both globally and per country:

The positive stories are the ones you don't see here; the ones that are no longer on the list. Site like the ABC in Australia, the Daily Mail in the UK and Roblox in the US. They're the largest sites in their respective countries to drop off the list and there have been many, many more in the same boat. I've actually had developers from many organisations reach out requesting that the list be refreshed just so their site drops off. Shaming works in powerful ways ?

HTTPS is Easy

I didn't want to just shame organisations doing the wrong thing, I also wanted to help everyone get better at HTTPS. After all, HTTPS is easy, so I built HTTPS Is Easy:

This became a great 4-part reference series with 5-minute videos which live up to the title. I'm enormously happy with how it was received, and frankly a bit overwhelmed that the community stepped up and translated it into 19 different languages including: Czech, Danish, Dutch, English, Estonian, Finnish, French, German, Greek, Indonesian, Italian, Norwegian, Persian, Polish, Portuguese, Russian, Slovenian, Spanish and Swedish. That's pretty awesome!

Have I Been Pwned

Geez, were to start on this one... In point form:

  1. Added 76 new data breaches
  2. Which encompassed 829,391,906 additional records
  3. Signed up 445,720 new subscribers
  4. Sent 1,224,377 breach notification emails to them
  5. And sent another 239,277 notifications to those monitoring domains
  6. Got the UK government on-boarded to monitor all gov domains
  7. Got the Aus government on too
  8. And the Spanish government
  9. Had the Estonian Police Force use it to notify their citizens
  10. Partnered with 1Password
  11. Integrated into both Firefox and 1Password
  12. Made stickers!

And probably 100 other things that should be in a retrospective but just flew by in a blur! But there was another aspect of HIBP which really took off in 2018 and it deserves its own heading:

Pwned Passwords

When I launched version 2 in Feb, this service really started to get traction. The k-anonymity model courtesy of Cloudflare was the real killer feature and a special mention goes to Junade Ali on that:

If you don't know the back-story on those lava lamps, this is a fun vid that's only a few minutes long:

Back to Pwned Passwords, the premise of checking to see if a password has been previously breached before allowing someone to use it has gained a lot of traction. I've seen dozens of use cases first hand (and there's probably hundreds I'll never know about), with EVE Online being the first big one:

Okta built an absolutely awesome browser extension:

And GitHub downloaded the hashes (freely available to everyone) and rolled it into a platform most of you reading this will be very familiar with:

Of those who do consume the k-anonymity API, I'm usually serving up somewhere between 4 and 6 million requests a day:

There were a couple of cache flushes in there but just to give you a sense of how well optimised the service is to serve content directly from Cloudflare's edge nodes and not hit the origin server, here's the last week:

That's a 99% cache hit ratio ?

Report URI

Scott wrote a year in review piece this week so I'll defer to his overview for that but in short: heaps of new reporting types, a wizard that makes creating CSPs way easier, the launch of Report URI JS, heaps of both free subscriber and commercial customer growth and we're also pushing a few reports through these days too:

But the highlight - without a doubt in my mind - is covered in this next section:


What. A. Year! In fact, what a couple of weeks and it all began with AusCERT's Award for Information Security Excellence, presented in my home town:

Then a week later I was in London and scoring the Grand Prix Prize for the Best Overall Security Blog alongside Scott Helme who also picked up a gong:

And then, a mere few more hours on at a different event:

It was, by any reasonable measure, a surreal experience. I can't imagine topping that again.

But as well as those ones there was my 8th Microsoft MVP award and my Regional Director status was also renewed. These have both been marvellous programs to be a part of over the years and I'm proud to have that ongoing association with Microsoft.

What's Next

I'm 2 weeks to the day out from heading back to Europe so the whole show starts again very soon. In many ways, 2019 will be more of the same but in other ways, there's a bunch of new things on the horizon. I've already committed to events in 3 new places I've never been before in the first half of the year so that'll be cool.

Beyond that, I honestly don't know. I have a view about 6 months out around travel commitments but the nature of this industry and indeed the role I play today is that I have absolutely no idea what will pop up overnight, let alone further along into 2019. But that's ok, it keeps things entertaining ?

Annual Retrospective
Tweet Post Update Email RSS

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals