I love so many of the underlying principles of GDPR as it relates to protecting our personal data. I love the idea of us providing it for a specific purpose and it not being used beyond that. I love that it seeks to give us more control over access to (and erasure of) our data. I also love that the regulation has the potential to seriously bite organisations that don't protect it. You'd be hard pressed to find anyone who disagrees with any of that. However, there are many things I dislike about the narrative around GDPR. I dislike the confusion around so many aspects of the regs. I dislike the barrage of emails I got as we approached (and...

Not only has this been a super busy blogging week, it's also the week my coffee machine decided to die 😢 It's not terminal, it's just continually leaking so it's off for a service and I have to fuel my productivity through other means. But fuel it I did and I spent a big whack of the week doing things I hope to talk about next week (namely some major architectural changes to HIBP services), as well as preparing both the Pemiblanc credential stuffing list for HIBP and then pushing out Pwned Passwords V3. But if I'm honest, it's the post and associated video on HTTPS and static websites I enjoyed the most and based on the number of likes in...

It was Jan last year that I suggested HTTPS adoption had passed the "tipping point", that is, it had passed the moment of critical mass and as I said at the time, "will very shortly become the norm". Since that time, the percentage of web pages loaded over a secure connection has rocketed from 52% to 71% whilst the proportion of the world's top 1 million websites redirecting people to HTTPS has gone from 20% to about half (projected). The rapid adoption has been driven by a combination of ever more visible browser warnings (it was Chrome and Firefox's changes which prompted the aforementioned tipping point post), more easily accessible certificates via both Let's Encrypt and...

Over recent weeks, I've begun planning the release of the 3rd version of Pwned Passwords. If you cast your mind back, version 1 came along in August last year and contained 320M passwords. I made all the data downloadable as SHA-1 hashes (for reasons explained in that post) and stood up a basic API to enable anyone to query it by plain text password or hash. Then in Feb, version 2 landed and brought the password count up to just over half a billion whilst also adding a count to each password indicating how many times it had been seen. Far more significantly though, it introduced the k-anonymity search model that Cloudflare worked on and that's when things really took...

One of the most alarming trends I've seen in the world of data breaches since starting Have I Been Pwned (HIBP) back in 2013 is the rapid rise of credential stuffing attacks. Per the definition in that link, it simply means this: Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. This form of attack relies on a combination of people reusing the same password across services and then the services themselves allowing automated attacks like this to happen. The first part of that is a simple fix we all have control of as individuals but is extremely hard to address as service operators: people need to stop reusing...

It's a week of tweets! I only wrote the one short blog post this week, but I spent a heap of time on the Twitters arguing with people instead so... that's something? But seriously, there was a huge amount of discussion around HTTPS in particular and some very vocal opinions around its usefulness (or lack thereof), which frankly, had myself and many others tearing their hair out. I'll prepare some great demos over the next few days to illustrate the problems which just seem to be going over the heads of many people. It'll be a fun blog post 😃 For now though, here's this week's update which talks through many of the issues covered in those tweets not just as...

Back in 2011, Microsoft gave me the rather awesome (IMHO) Most Valuable Professional Award for the first time. This is Microsoft's award for community leadership within a technology discipline which for me at the time, was developer security. I'm confident that award came largely due to the work I did on the OWASP Top 10 for .NET Developers series, a 10-part epic blog series that set me on the path to where I am today. Speaking of today, I awoke (exceptionally early!) to another very welcome email from Microsoft: I woke up at 1am unable to sleep with all these coding ideas for @haveibeenpwned in my head. Eventually just decided to get up at 3:30 and start work on...

Geez it's nice to be home! I took a ride on the jet ski today which was just one of those typically perfect Gold Coast winters days at a balmy 24C. I cruised around the ocean with a pod of dolphins (probably a dozen of them), grabbed some prawns for lunch (not those "shrimp" you get other places, proper big prawns), then sat down here and enjoyed the serenity: I’ve really gotta stay home more ☀️ 😎 pic.twitter.com/soi3J7ygox— Troy Hunt (@troyhunt) June 29, 2018 But I did get a heap of stuff done earlier this week I was really happy with, the biggy being the announcements around Firefox and 1Password integrating with HIBP. I talk...

HTTPS is easy! In fact, it's so easy I decided to create 4 short videos around 5 minutes each to show people how to enable HTTPS on their site and get all traffic redirecting securely, optimise their HTTPS configuration to get it rating higher than most banks, fix any insecure references in a few clicks and finally, secure all the traffic all the way back to their website. I built a little demo site and embedded all the videos in it over at HTTPSIsEasy.com. Let me begin by being clear about the demographic this is pitched at: I wanted to create a resource that had the broadest possible appeal regardless of technical competency. If someone has entry-level web dev...

Pretty much every day, I get a reminder from someone about how little people know about their exposure in data breaches. Often, it's after someone has searched Have I Been Pwned (HIBP) and found themselves pwned somewhere or other. Frequently, it's some long-forgotten site they haven't even thought about in years and also frequently, the first people know of these incidents is via HIBP: large @ticketfly data breach. thanks @troyhunt for the excellent @haveibeenpwned service that notifies users of #privacy disasters like this :) https://t.co/xgklY59sOU pic.twitter.com/jlqnKXteDG— Yale Privacy Lab (@YalePrivacyLab) June 4, 2018 Well, that's annoying: @TicketFly data breach attacker publicly posted my info (along w 26MM others). I at least know...