In the beginning, things were simple: you had two strings (a username and a password) and if someone knew both of them, they could log in. Easy. But the ecosystem in which they were used was simple too, for example in MIT's Time-Sharing Computer, considered to be the first computer system to use passwords: We're talking back in the 60's here so a fair bit has happened since then. Up until the last couple of decades, we had a small number of accounts and very limited connectivity which made for a pretty simple threat landscape. Your "adversaries" were those in the immediate vicinity, that is people who could gain direct physical access to the system. Over time that...

This was one of those weeks where time disappeared on totally unplanned things, namely due to the debate that raged on over days about certs (get popcorn then read upwards and downwards from there). I stayed well and truly clear of that once it got heated, but I then spent the better part of two days researching, thinking and writing the a near-6000 word piece on this (don't worry, there are lots of pictures too). I find this a genuinely interesting issue and egos aside, there are certainly some bigger picture, longer term issues we need to address. I talk about that and much more in this week's update. iTunes podcast | Google Play Music podcast | RSS podcast References Here's the...

Last week I wrote about how Life Is About to Get a Whole Lot Harder for Websites Without HTTPS. Somewhere in the comments there, the discussion went off on a tangent about commercial CAs, the threat Let's Encrypt poses to them and subsequently, the value (or lack thereof) posed by extended validation (EV) certificates. That discussion boiled over onto Twitter with many vocal opinions from different camps. This post attempts to lay the arguments out in a more cohesive fashion than Twitter permits. But firstly, let's get back to the original blog post which I made due to the fact that come October, Chrome 62 will begin doing this: There are two important things happening here: Any page including a...

I'm home! After that crazy travel schedule (6 weeks and 1 day in all, thank you very much) I'm back in my own bed with some peace and quiet and... jet lag. It's always worse coming home from Europe, a combination of flying east (I travel over two short nights) and frankly, just being worn out at the end of a long journey. Regardless I had a pretty massive week on the blog and consequently, this is my longest every weekly update at almost 40 minutes. This week, I somehow came across a lot of "crazies". Windows Update crazies, Indian cricket crazies, HTTPS crazies and Cloudflare crazies. Now I'm not trying to be disingenuous here, but when some...

In case you haven't noticed, we're on a rapid march towards a "secure by default" web when it comes to protecting traffic. For example, back in Feb this year, 20% of the Alexa Top 1 Million sites were forcing the secure scheme: These figures are from Scott Helme's biannual report and we're looking at a 5-month-old number here. I had a quiet chat with him while writing this piece and apparently that number is now at 28% of the Top 1 Million. Even more impressive is the rate at which it's changing - the chart above shows that it's up 45% in only 6 months! Perhaps even more impressive again is the near 60% of web requests Mozilla...

Last week, The AA in the UK came spectacularly undone when attempting to cover up a data breach. I wrote about them while describing The 5 Stages of Data Breach Grief but in short, they consciously elected not to notify subscribers after being alerted to the disclosure of 13GB worth of publicly accessible database backups back in April: A follower just advised they recently notified @TheAA_UK about 13GB of exposed DB backups. It's not clear if they ever notified customers. pic.twitter.com/gOGYJSfVep— Troy Hunt (@troyhunt) June 26, 2017 They then sought to play down the severity of the exposure by claiming that no credit card data was compromised: Which was completely and utterly false:...

Well this trip is certainly ending with a bang: 3 blog posts this week (not including this one) plus two massive user group talks in the Netherlands and two workshops of two days each. But that's it - I'm done! It's Friday morning here in Nieuwegein at the time of writing and I'll be on the plane home by the end of the day. As for the blogging, I'm back again as a Microsoft MVP for the 7th year in a row, I'm debating the usefulness of password strength indicators and I'm lambasting The AA in the UK. And oh boy, if anyone needs a lambasting it's these guys. Have a listen to Graham Cluley taking them to task in...

When you see something play out enough times, you start to notice patterns. I was reflecting on this today as I watched The AA rapidly digging themselves in deeper and deeper after publishing 13GB worth of customer data to the internet, including partial credit card data. Which they denied: The AA Shop data issue is now fixed, No Credit Card info was compromised & an independent investigation is under way. We're sorry.— The AA (@TheAA_UK) July 3, 2017 Problems is, this statement is entirely false as Graham Cluley subsequently pointed out: Yes - despite what it says - AA customer credit card data was exposed https://t.co/JJGwjj1DDN pic.twitter.com/R8mMOTzUbS— Graham Cluley...

I watched a discussion unfold on Twitter recently which started like so many of the security related ones I see: When website errors make no sense! @Argos_Online my password is more complex than your system can handle. What gives? @troyhunt #insecurity pic.twitter.com/64VA7qINGP— Jon Carlos (@billywizz) June 10, 2017 This was a very misleading error message on Argos' part and as it turns out, what it really mean was that they only allowed up to 20 characters in passwords. It's the classic arbitrary limit story; for various reasons which may include legacy dependencies, ignorance or very often, a database column of limited length (which then implies no password hashing and quite likely plain text storage), Argos...

Just over 6 years ago, I received my first Microsoft MVP award. It was unexpected, in part because I'd only started doing anything community facing 18 months earlier. But it rated - people were finding what I was doing genuinely useful and that award was an absolutely pivotal moment which helped define what I do today. This weekend, I got the (still) eagerly awaited email for the seventh time: Giddy up! 7 years running 😎 pic.twitter.com/okTP6GTk5n— Troy Hunt (@troyhunt) July 1, 2017 All these years later, I can tie a huge amount of what I'm doing today back to that original award. It gave me the confidence to expand my writing and speaking, the credibility to access...