Passwords

Last week I wrote a couple of different pieces on passwords, firstly about why we're going to be stuck with them for a long time yet [https://www.troyhunt.com/heres-why-insert-thing-here-is-not-a-password-killer/] and then secondly, about how we all bear some responsibility for making good password choices [https://www.troyhunt.com/when-accounts-are-hacked-victims-must-share-the-blame/]. A few people took some of the points I made in those posts as being contentious, although on reflection I sus...

It's just another day on the internet when the news is full of headlines about accounts being hacked. Yesterday was a perfect example of that with 2 separate noteworthy stories adorning my early morning Twitter feed. The first one was about HSBC disclosing a "security incident" [https://www.zdnet.com/article/hsbc-discloses-security-incident/] which, upon closer inspection, boiled down to this: > The security incident that HSBC described in its letter seems to fit the characteristics of brute-fo...

These days, I get a lot of messages from people on security related things. Often it's related to data breaches or sloppy behaviour on behalf of some online service playing fast and loose with HTTPS or passwords or some other easily observable security posture. But on a fairly regular basis, I get an email from someone which effectively boils down to this: > Hey, have you seen [insert thing here]? It's totally going to kill passwords! No, it's not and to save myself from repeating the same mess...

A couple of months ago, I launched version 2 of Pwned Passwords [https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/]. This is a collection of over half a billion passwords which have previously appeared in data breaches and the intention is that they're used as a black list; these are the "secrets" that NIST referred to in their recent guidance [https://pages.nist.gov/800-63-3/sp800-63b.html]: > When processing requests to establish and change memorized secrets, verifiers SHA...

Last August, I launched a little feature within Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) I called Pwned Passwords [https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/]. This was a list of 320 million passwords from a range of different data breaches which organisations could use to better protect their own systems. How? NIST explains [https://pages.nist.gov/800-63-3/sp800-63b.html]: > When processing requests to establish and change memorized secr...

I've been giving a bunch of thought to passwords lately. Here we have this absolute cornerstone of security - a paradigm that every single person with an online account understands - yet we see fundamentally different approaches to how services handle them. Some have strict complexity rules. Some have low max lengths. Some won't let you paste a password. Some force you to regularly rotate it. It's all over the place. Last year, I wrote about authentication guidance for the modern era [https://w...

Edit 1: The following day, I loaded another set of passwords which has brought this up to 320M. More on why later on. Edit 2: The API model described below has subsequently been discontinued [https://www.troyhunt.com/enhancing-pwned-passwords-privacy-by-exclusively-supporting-anonymity/] in favour of the k-anonymity model [https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/] launched with V2. Last week I wrote about Passwords Evolved: Authentication Guidance for the Modern E...

In the beginning, things were simple: you had two strings (a username and a password) and if someone knew both of them, they could log in. Easy. But the ecosystem in which they were used was simple too, for example in MIT's Time-Sharing Computer [https://www.wired.com/2012/01/computer-password/], considered to be the first computer system to use passwords: We're talking back in the 60's here so a fair bit has happened since then. Up until the last couple of decades, we had a small number of...

I watched a discussion unfold on Twitter recently which started like so many of the security related ones I see: > When website errors make no sense! @Argos_Online [https://twitter.com/Argos_Online] my password is more complex than your system can handle. What gives? @troyhunt [https://twitter.com/troyhunt] #insecurity [https://twitter.com/hashtag/insecurity?src=hash] pic.twitter.com/64VA7qINGP [https://t.co/64VA7qINGP] — Jon Carlos (@billywizz) June 10, 2017 [https://twitter.com/billywizz/sta...

LastPass had an issue the other day [https://blog.lastpass.com/2017/03/security-update-for-the-lastpass-extension.html/] , a rather nasty one by all accounts that under certain (undisclosed) circumstances, it looks like it could lead to someone's password (or possibly passwords) being disclosed by virtue of a remote code execution vulnerability. This is not a good thing - nobody wants an RCE vuln in their software - but as is prone to happen with these incidents, some people went about promptly...