Understanding Have I Been Pwned's Use of SHA-1 and k-Anonymity

Four and a half years ago now, I rolled out version 2 of HIBP's Pwned Passwords that implemented a really cool k-anonymity model courtesy of the brains at Cloudflare. Later in 2018, I did the same thing with the email address search feature used by Mozilla, 1Password and a handful of other paying subscribers. It works beautifully; it's ridiculously fast, efficient and above all, anonymous. Yet from time to time, I get messages along the lines of this: Why are you using SHA-1? It's insecure and deprecated.Or alternatively: Our [insert title of person who fills out paperwork but has no technical understanding here] says that k-anonymity involves sending you PII.Both these positions make no sense whatsoever when you...

Weekly Update 301

First up, I'm really sorry about the audio quality on this one. It's the exact same setup I used last week (and carefully tested first) but it's obviously just super sensitive to the wind. If you look at the trees in the background you can see they're barely moving, but inevitably that was enough to really mess with the audio quality. I do actually have a windsock for the mic, but it's in a drawer at home so for the remainder of this trip it'll be indoor recording only. Speaking of which, because there was a lot of enthusiasm for Charlotte and I to do one together on the cultural differences we've both experienced living in different parts of the...

Weekly Update 300

Well, we're about 2,000km down on this trip and are finally in Melbourne, which was kinda the point of the drive in the first place (things just escalated after that). The whole journey is going into a long tweet thread you can find below (or mute - that's partly why it's in a single thread): It’s time for the next great road trip 🏎 pic.twitter.com/9B9k9cXQvH — Troy Hunt (@troyhunt) June 14, 2022 Next week is NDC Melbourne so please get along to the event if you're in town, it's kinda amazing to think I'll finally be back at an NDC after all this time 😊 ReferencesWe're on another epic road trip (that's the tweet thread, I'll keep...

Weekly Update 299

How on earth does an enterprise rack-mounted NAS not come with rails to actually install it in the rack?! So yeah, that's what's in the box, something that should have been in the original box and not in a separate purchase. Just to add to the Synology packaging insanity, I went to install a couple of spare NVMe drives in it today and... there were no screws in the NVMe slots 🤦‍ I'll be doing the next four weekly updates from various locations around the country as we hit the road again, stay tuned for epic tweet threads of amazing locations 😎 ReferencesThe MyElectronics.nl Raspberry Pi racks are really sweet (the rack is looking pretty slick now!)Apple Watch fall detection...

Welcoming the Indonesian Government to Have I Been Pwned

Four years ago now, I started making domains belonging to various governments around the world freely searchable via a set of APIs in Have I Been Pwned. Today, I'm very happy to welcome the 33rd government, Indonesia! As of now, the Indonesian National CERT managed under the National Cyber and Crypto Agency has full access to this service to help protect government departments within the country. Indonesia's inclusion marks the first Asian nation to take up this service and look forward to many more from across the globe following in future....

Weekly Update 298

I somehow ended up blasting through an hour and a quarter in this week's video with loads of discussion on the CTARS / NDIS data breach then a real time "let's see what the fuss is about" with news that one of our state's digital driver's licenses (DDL) may be easily forgeable. I think the whole discussion is actually really interesting when looked at through the lens of how on balance, a digitised license compares to a physical one. As you'll see, I think the reporting on this is overblown however... the weak encryption keys do seem like an oversight and the response of Service NSW to criticism has been lacklustre at best. Let's see how it goes in other states,...

Weekly Update 297

So I basically spent my whole day yesterday playing with Ubiquiti gear and live-tweeting the experience 😊 This was an unapologetically geeky pleasure and it pretty much dominates this week's video but hey, it's a fun topic. Still, there's a bunch of data breach stuff up front and as I write this, 25M more records courtesy of the MGM breach are making their way up into HIBP. Get ready for a bunch of notification emails going out on that one. Here's this week's video: ReferencesFinally worked out how to handle the MGM breach (it's loading now as a new breach to ensure HIBP subscribers are appropriately notified)The Ubiquiti G4 PTZ is a mighty looking camera! (it'll take a professional to...

Weekly Update 296

Data breaches, 3D printing and passwords - just the usual variety of things this week. More specifically, that really cool Pwned Passwords downloader that I know a bunch of people have been waiting on, and now we've finally released. It hits the existing k-anonymity API over 1 million times and that API is already going on 2 billion requests a month so I'm kinda curious to see what happens if everyone starts running the downloader at the same time... 🤔 ReferencesThis is a much better guide to what causes a 3D printer hot end to leak out the top of the heat block (the image there makes easy to understand)Since I broke the heater cartridge anyway, a Revo 6 should...

Downloading Pwned Passwords Hashes with the HIBP Downloader

Just before Christmas, the promise to launch a fully open source Pwned Passwords fed with a firehose of fresh data from the FBI and NCA finally came true. We pushed out the code, published the blog post, dusted ourselves off and that was that. Kind of - there was just one thing remaining... The k-anonymity API is lovely and that's not just me saying that, that's people voting with their feet: That's already 58% by volume from my December blog post, only 5 months ago to the day. It's also just a rounding error off a 100% cache hit ratio too 😎 But the bit that remained was the promise I made in that last blog post: Lastly, as of right...

Weekly Update 295

A short one this week as the previous 7 days disappeared with AusCERT and other commitments. Geez it was nice to not only be back at an event, but out there socialising and attending all the related things that tend to go along with it. I'll leave you with this tweet which was a bit of a highlight for me, having Ari alongside me at the event and watching his enthusiasm being part of the industry I love 😊 At #AusCERT with Ari for “take your son to work” day 🙂 I’m up next on stream 2 at 14:45 talking about Pwned Passwords, the FBI, the NCA and giving the whole thing over to the community, come say hi! https:...