Troy Hunt: Have I Been Pwned - Troy Hunt

Sponsored by:

Have I Been Pwned

A 98-post collection

Seamless A/B Testing, Deployment Slots and DNS Rollover with Azure Functions and Cloudflare Workers

Two of my favourite developer things these days are Azure Functions and Cloudflare Workers. They're both "serverless" in that rather than running on your own slice of infrastructure, that concept is abstracted away and you get to focus on just code executions rather than the logical bounds of the server it runs on. So for example, when you have an Azure function and you deploy it under a consumption plan, you pay for per-second resource consumption (how much memory you use for how long) and the number of times it executes. If you have an efficient function that executes quickly it can be extremely cost effective as I recently demonstrated with the Pwned Passwords figures: So here'...

Pwned Passwords V3 is Now Live!

Over recent weeks, I've begun planning the release of the 3rd version of Pwned Passwords. If you cast your mind back, version 1 came along in August last year and contained 320M passwords. I made all the data downloadable as SHA-1 hashes (for reasons explained in that post) and stood up a basic API to enable anyone to query it by plain text password or hash. Then in Feb, version 2 landed and brought the password count up to just over half a billion whilst also adding a count to each password indicating how many times it had been seen. Far more significantly though, it introduced the k-anonymity search model that Cloudflare worked on and that's when things really took...

The 111 Million Record Pemiblanc Credential Stuffing List

One of the most alarming trends I've seen in the world of data breaches since starting Have I Been Pwned (HIBP) back in 2013 is the rapid rise of credential stuffing attacks. Per the definition in that link, it simply means this: Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. This form of attack relies on a combination of people reusing the same password across services and then the services themselves allowing automated attacks like this to happen. The first part of that is a simple fix we all have control of as individuals but is extremely hard to address as service operators: people need to stop reusing...

We're Baking Have I Been Pwned into Firefox and 1Password

Pretty much every day, I get a reminder from someone about how little people know about their exposure in data breaches. Often, it's after someone has searched Have I Been Pwned (HIBP) and found themselves pwned somewhere or other. Frequently, it's some long-forgotten site they haven't even thought about in years and also frequently, the first people know of these incidents is via HIBP: large @ticketfly data breach. thanks @troyhunt for the excellent @haveibeenpwned service that notifies users of #privacy disasters like this :) https://t.co/xgklY59sOU pic.twitter.com/jlqnKXteDG— Yale Privacy Lab (@YalePrivacyLab) June 4, 2018 Well, that's annoying: @TicketFly data breach attacker publicly posted my info (along w 26MM others). I at least know...

Data Provided by the Estonian Central Criminal Police is Now Searchable on Have I Been Pwned

Running Have I Been Pwned (HIBP) has presented some fascinating insights into all sorts of aspects of how data breaches affect us; the impact on the individual victims such as you and I, of course, but also how they affect the companies involved and increasingly, the role of government and law enforcement in dealing with these incidents. Last week I had an all new situation arise related to that last point and I want to explain it properly here so it makes sense if someone finds themselves in this data breach. I was contacted by the Cybercrime Bureau of the Estonian Central Criminal Police who were after some assistance notifying individuals impacted by a number of different breaches. They suspected...

Pwned Passwords in Practice: Real World Examples of Blocking the Worst Passwords

Back in August, I pushed out a service as part of Have I Been Pwned (HIBP) to help organisations block bad passwords from their online things. I called it "Pwned Passwords" and released 320M of them from real-world data breaches via both a downloadable file and an online service. This was in response to NIST's Digital Identity Guidelines and in particular, the following recommendation: When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to: Passwords obtained from previous breach corpuses. Seen a password in a data breach before? Then...

Welcoming the Spanish Government to Have I Been Pwned

A couple of months ago, I shared news of on-boarding the UK and Australian governments to Have I Been Pwned (HIBP). As I explained at the time, I wanted to provide the folks there with easy access to their respective government domains which meant providing them with the facility to query at the TLD level - namely, .gov.uk and .gov.au - as well as across a handful of their other whitelisted gov domains on other TLDs. In that post, I also committed to transparency as it relates to government access and as part of that, today I'm happy to welcome the Spanish government to HIBP. As with many countries, Spain has a governmental CERT (Computer Emergency Response Team)...

Enhancing Pwned Passwords Privacy by Exclusively Supporting Anonymity

When I launched Pwned Passwords in August, I honestly didn't know how much it would be used. I made 320M SHA-1 password hashes downloadable and also stood up an API to query the data "as a service" by either a plain text password or a SHA-1 hash. (Incidentally, for anyone about to lose their mind over SHA-1, read that launch post as to why that hashing algorithm is used.) But the service did become quite popular, although that was just the beginning... I launched V2 in February and pumped the number of passwords up to just over half a billion. The big difference, however, was the introduction of the k-Anonymity model developed by Cloudflare (special hat-tip to Junade...

Have I Been Pwned is Now Partnering With 1Password

The penny first dropped for me just over 7 years ago to the day: The only secure password is the one you can't remember. In an era well before the birth of Have I Been Pwned (HIBP), I was doing a bunch of password analysis on data breaches and wouldn't you know it - people are terrible at creating passwords! Of course, we all know that but it's interesting to look back on that post all these years later and realise that unfortunately, nothing has really changed. The strength of most passwords is terrible. Then they get reused. Everywhere. That post was my own personal wakeup call; it was the very point where I observed that what we all needed...

The Legitimisation of Have I Been Pwned

There's no way to sugar-coat this: Have I Been Pwned (HIBP) only exists due to a whole bunch of highly illegal activity that has harmed many individuals and organisations alike. That harm extends all the way from those in data breaches feeling a sense of personal violation (that's certainly how I feel when I see my personal information exposed), all the way through to people literally killing themselves (there are many documented examples of this in the wake of the Ashley Madison breach). Plus, of course, there's the ginormous financial impact; TalkTalk claims their 2015 hack cost them £42M and I've heard first-hand from those inside other companies that have suffered data breaches about just how costly they've been ("...