Have I Been Pwned

A 191-post collection

Enhancing Pwned Passwords Privacy by Exclusively Supporting Anonymity

When I launched Pwned Passwords in August [https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/], I honestly didn't know how much it would be used. I made 320M SHA-1 password hashes downloadable and also stood up an API to query the data "as a service" by either a plain text password or a SHA-1 hash. (Incidentally, for anyone about to lose their mind over SHA-1, read that launch post as to why that hashing algorithm is used.) But the service did become quite popu...

Have I Been Pwned is Now Partnering With 1Password

The penny first dropped for me just over 7 years ago to the day: The only secure password is the one you can't remember [https://www.troyhunt.com/only-secure-password-is-one-you-cant/]. In an era well before the birth of Have I Been Pwned [https://haveibeenpwned.com/] (HIBP), I was doing a bunch of password analysis on data breaches and wouldn't you know it - people are terrible at creating passwords! Of course, we all know that but it's interesting to look back on that post all these years late...

The Legitimisation of Have I Been Pwned

There's no way to sugar-coat this: Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) only exists due to a whole bunch of highly illegal activity that has harmed many individuals and organisations alike. That harm extends all the way from those in data breaches feeling a sense of personal violation (that's certainly how I feel when I see my personal information exposed), all the way through to people literally killing themselves [http://money.cnn.com/2015/09/08/technology/ashley-madison-suic...

The UK and Australian Governments Are Now Monitoring Their Gov Domains on Have I Been Pwned

If I'm honest, I'm constantly surprised by the extent of how far Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) is reaching these days. This is a little project I started whilst killing time in a hotel room in late 2013 after thinking "I wonder if people actually know where their data has been exposed?" I built it in part to help people answer that question and in part because my inner geek wanted to build an interesting project on Microsoft's Azure. I ran it on a coffee budget (the goal...

I Wanna Go Fast: Why Searching Through 500M Pwned Passwords Is So Quick

In the immortal words of Ricky Bobby, I wanna go fast [https://www.youtube.com/watch?v=_qJGsSuFRIg]. When I launched Pwned Passwords V2 last week [https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/], I made it fast - real fast - and I want to talk briefly here about why that was important, how I did it and then how I've since shaved another 56% off the load time for requests that hit the origin. And a bunch of other cool perf stuff while I'm here. Why Speed Matters for Pwned...

I've Just Added 2,844 New Data Breaches With 80M Records To Have I Been Pwned

tl;dr - a collection of nearly 3k alleged data breaches has appeared with a bunch of data already proven legitimate from previous incidents, but also tens of millions of addresses that haven't been seen in HIBP before. Those 80M records are now searchable, read on for the full story: There's an unknown number of data breaches floating around the web. There are data breaches we knew of but they just took years to appear publicly (Dropbox, LinkedIn), data breaches we didn't know of that also too...

I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download

Last August, I launched a little feature within Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) I called Pwned Passwords [https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/]. This was a list of 320 million passwords from a range of different data breaches which organisations could use to better protect their own systems. How? NIST explains [https://pages.nist.gov/800-63-3/sp800-63b.html]: > When processing requests to establish and change memorized secr...

Streamlining Data Breach Disclosures: A Step-by-Step Process

I don't know how many data breaches I'm sitting on that I'm yet to process. 100? 200? It's hard to tell because often I'm sent collections of multiple incidents in a single archive, often there's junk in there and often there's redundancy across those collections. All I really know is that there's hundreds of gigabytes spread across thousands of files. Sometimes - like in the case of the recent South Africa situation - I could be sitting on data for months that's actually very serious in nature...

Do Something Awesome with Have I Been Pwned and Win a Lenovo ThinkPad!

Current status: The competition has run and been won! Scroll down to the bottom for the result. Friends who follow what I'm up to these days will see that I'm often away from home in far-flung parts of the world. What that means is a lot of time on planes, a lot of time in airports (which is where I'm writing this now) and a lot of time in hotel rooms. Want to know how I churn out so much content? It's using that otherwise wasted down time to do useful things. But to do that, I need to be produ...

The Ethics of Running a Data Breach Search Service

No matter how much anyone tries to sugar coat it, a service like Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) which deals with billions of records hacked out of other people's systems is always going to sit in a grey area. There are degrees, of course; at one end of the spectrum you have the likes of Microsoft and Amazon using data breaches to better protect their customers' accounts [https://www.troyhunt.com/random-thoughts-on-the-use-of-breach-data/]. At the other end, there's servi...