Sponsored by:

Weekly Update 80

It's a MASSIVE weekly update! The big news for me this week is the 1Password partnership and I've really tried to share more about how I came to the decision to work with them in this video. I've been so cautious with the way I've managed the image of HIBP to ensure it's always positioned in the right light and I wanted to delve more into that thinking here. As I say in the video, I'm really happy with the feedback so far and I've "liked" a bunch of the responses so check out my Twitter profile to see what people are saying about the partnership. But that was just one of the big things this week, there's...

Have I Been Pwned is Now Partnering With 1Password

The penny first dropped for me just over 7 years ago to the day: The only secure password is the one you can't remember. In an era well before the birth of Have I Been Pwned (HIBP), I was doing a bunch of password analysis on data breaches and wouldn't you know it - people are terrible at creating passwords! Of course, we all know that but it's interesting to look back on that post all these years later and realise that unfortunately, nothing has really changed. The strength of most passwords is terrible. Then they get reused. Everywhere. That post was my own personal wakeup call; it was the very point where I observed that what we all needed...

Aussie Telcos are Failing at Some Fundamental Security Basics

Recently, I've witnessed a couple of incidents which have caused me to question some pretty fundamental security basics with our local Aussie telcos, specifically Telstra and Optus. It began with a visit to the local Telstra store earlier this month to upgrade a couple of phone plans which resulted in me sitting alone by this screen whilst the Telstra staffer disappeared into the back room for a few minutes: Is it normal for @Telstra to display customer passwords on publicly facing terminals in their stores? (You know, the same password people give their bank.) This is the user-selected password used for identity verification with store customers wandering past it. pic.twitter.com/KiaGNKhaig— Troy Hunt (@troyhunt) March 1, 2018...

A Scammer Tried to Scare Me into Buying Their Security Services - Here's How It Went Down

Here's the tl;dr - someone named "Md. Shofiur R" found troyhunt.com on a "free online malware scanner" and tried to scare me into believing my site had security vulnerabilities then shake me down for a penetration test. It didn't work out so well for him, here's the blow-by-blow account of things then I'll add some more thoughts afterwards: Should I respond? 😂 pic.twitter.com/lifCZRcICF— Troy Hunt (@troyhunt) March 20, 2018 I couldn’t help myself pic.twitter.com/zvx3myyItn— Troy Hunt (@troyhunt) March 20, 2018 Ooh, he’s good! Suggestions? This feels like it’ll be more fun crowd-sourced 😎 pic.twitter.com/i2EFDFgLem— Troy Hunt (@troyhunt) March 20, 2018 Your...

Weekly Update 79

Home again which means more time to blog and per the intro to this week's update, time to catch up on how HIBP is tracking. Here's the 2 tweets with some stats I mention at the start of this week's update: It's been almost a month since I launched Pwned Passwords V2. In that time, @cloudflare has served 156TB from their cache thus keeping the traffic off my origin. Thanks guys, this would have been a hard discussion to have with the wife otherwise! pic.twitter.com/KUX0kXwjCo— Troy Hunt (@troyhunt) March 21, 2018 Also, just got the bill for the @AzureFunctions which drive the Pwned Passwords API. Because 80%+ of requests are served from @Cloudflare'...

The Legitimisation of Have I Been Pwned

There's no way to sugar-coat this: Have I Been Pwned (HIBP) only exists due to a whole bunch of highly illegal activity that has harmed many individuals and organisations alike. That harm extends all the way from those in data breaches feeling a sense of personal violation (that's certainly how I feel when I see my personal information exposed), all the way through to people literally killing themselves (there are many documented examples of this in the wake of the Ashley Madison breach). Plus, of course, there's the ginormous financial impact; TalkTalk claims their 2015 hack cost them £42M and I've heard first-hand from those inside other companies that have suffered data breaches about just how costly they've been ("...

Weekly Update 78 (San Fran Edition)

Last day of travel! The weekly update is out late due to a packed week which I endured whilst battling a cold as well which has made it pretty rough. But other than that, it was a fantastic week recording Pluralsight courses and meeting with some really cool tech companies which I talk about in the update. I also talk a lot about credential stuffing which is just becoming an absolutely massive issue at present and I'll write more on that from home next week. I'll leave you with some pics of just some of the things I got up to in San Fran this week, I met some really great people doing amazing things: Productive day in the studio...

Weekly Update 77 (Seattle Edition)

I'm in Seattle! This has been a mega week at the Microsoft MVP and Regional Director summits and as I say in the video, I'm actually a little run down now that it's all done. But I've had a wonderful week of meeting a heap of people and seeing some very cool stuff from Microsoft, especially around Azure which remains one of my favourite tech things. In this week's update, I'm talking about how I've made some further strong gains with Pwned Passwords which is being adopted at a pretty fierce rate. I also give an insight into what happens at this big Microsoft event each year and I hope that's something people find interesting. I'm off the Vegas tomorrow...

Weekly Update 76

Massive, massive week! I'm not trying to make these videos longer (and the next two while I'm overseas will definitely be shorter), but yeah, this week was a biggie. Pwned Passwords dominated throughout, interrupted only by a few thousand new data breaches going into HIBP. But the big one - at least to me in terms of the significance - is the UK and Aussie governments now using HIBP to monitor their gov domains. That's an absolute milestone in the service's history for many reasons, some of which I talk about here and more I'll talk about later on in a subsequent post. As with last week, because this is such an epic I've listed out all the key times...

The UK and Australian Governments Are Now Monitoring Their Gov Domains on Have I Been Pwned

If I'm honest, I'm constantly surprised by the extent of how far Have I Been Pwned (HIBP) is reaching these days. This is a little project I started whilst killing time in a hotel room in late 2013 after thinking "I wonder if people actually know where their data has been exposed?" I built it in part to help people answer that question and in part because my inner geek wanted to build an interesting project on Microsoft's Azure. I ran it on a coffee budget (the goal was to keep the operating costs under what a couple of cups from a cafe each day would cost) and I made it freely accessible. And then it took off....