Do Something Awesome with Have I Been Pwned and Win a Lenovo ThinkPad!

Current status: The competition has run and been won! Scroll down to the bottom for the result.

Friends who follow what I'm up to these days will see that I'm often away from home in far-flung parts of the world. What that means is a lot of time on planes, a lot of time in airports (which is where I'm writing this now) and a lot of time in hotel rooms. Want to know how I churn out so much content? It's using that otherwise wasted down time to do useful things. But to do that, I need to be productive whilst mobile and I owe a lot of that to the machine I use when travelling.

Now, to make sure this doesn't sounds like an incentivised Lenovo pitch, firstly, refer back to my stance on what I'll endorse and my history with buying Lenovos and secondly, there's nothing in this one for me, it's someone else who's going to get something cool! But seriously, a huge part of how I get so much stuff done is that I can be super productive using the ThinkPad I travel everywhere with and that's due to a combination of the keyboard (one of its most highly-regarded features), reliability (I'm yet to have one die on me) and frankly, brutally functional design. These are not aesthetically pleasing machines - let's be honest about that - but man they've got substance over beauty in spades. (Fun fact - I'm just returning home from a conference where the AV guy had to warn the speaker after me that Macs sometimes slip off the lectern due to the curved bezel on the base not holding it in place.)

But best of all, Lenovo is giving me one to give you! Well, one of you anyway and it's a pretty slick unit being the ThinkPad 25 Year Anniversary Edition. This machine is packing a Core i7, 16GB of RAM, a half TB of SSD, an Nvidia GeForce 940MX GPU, USB Type C (Thunderbolt 3), 3 classic USB 3.0 ports (three!), SD card reader, HDMI port, ethernet jack, infrared face recognition camera and fingerprint reader. This is no half-hearted attempt at a laptop, it's the full beans:

Lenovo ThinkPad 25 Anniversary Edition

So yeah, Lenovo said I can give one away, I just needed to work out how I wanted to do it. I wanted to give it to someone who actually did something (no randomisation) and I wanted them to do something for the betterment of online security. It also had to be something that other people could use to achieve that objective which brings me to the Have I Been Pwned (HIBP) API.

I launched the HIBP API right after launching the service itself, almost 4 years ago now. Since then, many people have done many wonderful things with it (some of which are linked to on the API consumers page) which further the objective of helping victims of data breaches learn of their exposure. I want to use this opportunity to motivate people to do more with that API.

Here's the rules of the competition:

  1. Whatever you build must be made publicly available and without cost. Code on GitHub, free app in an app store, openly available website etc.
  2. The scope covers both the API to search for breached accounts and the Pwned Passwords either by API or querying the downloadable password hashes.
  3. You should leave a comment below explaining what you've built and linking to where it can be found.
  4. It must be working software that people can actually use!
  5. The deadline is 2 weeks from today which puts it at 7 November. Cut-off time is midday for me Gold Coast time.
  6. I will take the 4 best uses of the API and put out a Twitter poll that will run for 24 hours. The winner of that gets the ThinkPad.
  7. If the poll draws, I'll run it again with the front-runners from the poll.

Lenovo will ship this machine to you anywhere in the world so you're eligible regardless of your geography. If you've already created something using the API, awesome, you've got a head start, but I still need a comment here submitting it to the competition. If you're looking for inspiration, let me share a few ideas:

  1. Find a way to reach more people who may not already know they've been pwned.
  2. Find a way to visualise the data in a way that helps people understand their exposure.
  3. Find a way for organisations to make better use of either the breached account API or Pwned Passwords.
  4. Find a way to integrate into other tooling such that the data is more accessible.

Do also read the API docs page carefully; there's info on the rate limit, what I consider abuse and what the acceptable use is. Anything that doesn't adhere to this isn't in the running!

So that's it - go and build awesome things - then whoever can build the most awesomest gets an awesome machine to build even more awesome things!

The Top 4

Alrighty, it's time! Here's the 4 top entries based on my own very scientific approach of "what do I think is awesome". I wanted a mix of technologies, platforms and use cases which I reckon these top 4 achieve. In no particular order, here they are:

  1. Félix Giffard's This augments Pwned Passwords with a strength indicator. Normally, strength indicators worry me but by reconciling it against previously breached passwords he's also managed to address concerns around mathematically strong yet socially weak passwords. It's all open source and easily reproduced within another app or with a standalone version of Pwned Passwords so you're not sending off queries to another service with real customer passwords.
  2. Ben Cooper's Slack bot: Ben (and Evan) have tied together a number of features here making it possible to check all emails in a Slack organisation and DM them when they're found in a breach. It's very nicely packaged up and easily deployed to Heroku too so kudos for making it so easily consumable.
  3. Alberto De Marco Gmail Checker: Alberto's implementation scans your Gmail account (and he's since added support for and Office 365 too), pulls out the addresses you've communicated with and checks their exposure on HIBP. I love this from the perspective of the awareness it creates (do read his comments on this at the bottom of the Github repo), this is a great opportunity to help educate other people on the prevalence and impact of data breaches.
  4. Stephen Harrison's Pawn Shy: This is the one I least saw coming - a 3D printed electronic implementation of the game Coconut Shy. There's been a huge amount of effort put into this and it'd make a really neat feature at a conference that lets people have some fun whilst also learning about their exposure in data breaches. Make sure you watch the videos!

There were many, many good submissions to this competition and on several occasions I had to go back and remove one from the list above and add another as the bar kept raising the deeper I dug into the comments. But ultimately, I had to boil it down to 4 projects and I've now put the creators' names into a Twitter poll which will run for 24 hours and whoever gets the most votes will take home the prize! Here's the poll:

Just as a side note, I'll add a few comments that are relevant across several of these projects: Think carefully about the privacy aspects of searching for other people's addresses. I've written before about the ethics of running a publicly searchable service and there are overwhelming positive upsides to this approach, but do think through how other people might perceive you searching for their address. All the projects above allow people to use the service ethically and responsibly to the net benefit of the online community so kudos to them all for obviously keeping this front of mind.

The Winner

Big congrats to Félix Giffard and his service. Félix grabbed 39% of the votes making him the clear winner ans scoring himself the ThinkPad. He was a worthy winner based on the merit of his project alone, but this kinda makes it all the more awesome:

I hope this machine helps Félix go and do even more awesome things!

Lenovo Have I Been Pwned
Tweet Post Update Email RSS

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals