Security

A 408-post collection

Introducing 306 Million Freely Downloadable Pwned Passwords

Edit 1: The following day, I loaded another set of passwords which has brought this up to 320M. More on why later on. Edit 2: The API model described below has subsequently been discontinued [https://www.troyhunt.com/enhancing-pwned-passwords-privacy-by-exclusively-supporting-anonymity/] in favour of the k-anonymity model [https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/] launched with V2. Last week I wrote about Passwords Evolved: Authentication Guidance for the Modern E...

Kids Pass Just Reminded Us How Hard Responsible Disclosure Is

Only a couple of months ago, I did a talk titled "The Responsibility of Disclosure: Playing Nice and Staying Out of Prison". The basic premise was to illustrate where folks finding security vulnerabilities often go wrong in their handling of the reporting, but I also wanted to show how organisations frequently make it very difficult to responsibly disclose the issue in the first place. Just for context, I suggest watching a few minutes of the talk from the point at which I've set the video below...

Passwords Evolved: Authentication Guidance for the Modern Era

In the beginning, things were simple: you had two strings (a username and a password) and if someone knew both of them, they could log in. Easy. But the ecosystem in which they were used was simple too, for example in MIT's Time-Sharing Computer [https://www.wired.com/2012/01/computer-password/], considered to be the first computer system to use passwords: We're talking back in the 60's here so a fair bit has happened since then. Up until the last couple of decades, we had a small number of...

On The (Perceived) Value of EV Certs, Commercial CAs, Phishing and Let's Encrypt

Last week I wrote about how Life Is About to Get a Whole Lot Harder for Websites Without HTTPS [https://www.troyhunt.com/life-is-about-to-get-harder-for-websites-without-https/]. Somewhere in the comments there, the discussion went off on a tangent about commercial CAs, the threat Let's Encrypt poses to them and subsequently, the value (or lack thereof) posed by extended validation (EV) certificates. That discussion boiled over onto Twitter with many vocal opinions from different camps. This pos...

Life Is About to Get a Whole Lot Harder for Websites Without HTTPS

In case you haven't noticed, we're on a rapid march towards a "secure by default" web when it comes to protecting traffic. For example, back in Feb this year, 20% of the Alexa Top 1 Million sites were forcing the secure scheme: These figures are from Scott Helme's biannual report [https://scotthelme.co.uk/alexa-top-1-million-analysis-feb-2017/] and we're looking at a 5-month-old number here. I had a quiet chat with him while writing this piece and apparently that number is now at 28% of the T...

The Alarming Prevalence of Data Breach Cover-Ups

Last week, The AA in the UK came spectacularly undone when attempting to cover up a data breach. I wrote about them while describing The 5 Stages of Data Breach Grief [https://www.troyhunt.com/the-5-stages-of-data-breach-grief/] but in short, they consciously elected not to notify subscribers after being alerted to the disclosure of 13GB worth of publicly accessible database backups back in April: > A follower just advised they recently notified @TheAA_UK [https://twitter.com/TheAA_UK] about 13...

The 5 Stages of Data Breach Grief

When you see something play out enough times, you start to notice patterns. I was reflecting on this today as I watched The AA rapidly digging themselves in deeper and deeper after publishing 13GB worth of customer data to the internet, including partial credit card data. Which they denied: > The AA Shop data issue is now fixed, No Credit Card info was compromised & an independent investigation is under way. We're sorry. — The AA (@TheAA_UK) July 3, 2017 [https://twitter.com/TheAA_UK/status/88...

Password Strength Indicators Help People Make Ill-Informed Choices

I watched a discussion unfold on Twitter recently which started like so many of the security-related ones I see: > When website errors make no sense! @Argos_Online [https://twitter.com/Argos_Online] my password is more complex than your system can handle. What gives? @troyhunt [https://twitter.com/troyhunt] #insecurity [https://twitter.com/hashtag/insecurity?src=hash] pic.twitter.com/64VA7qINGP [https://t.co/64VA7qINGP] — Jon Carlos (@billywizz) June 10, 2017 [https://twitter.com/billywizz/sta...

Strawberrynet's privacy insanity

A little while back, I wrote about Website enumeration insanity [https://www.troyhunt.com/website-enumeration-insanity-how-our-personal-data-is-leaked/] and how our personal data was being mishandled. In a nutshell, an enumeration risk boils down to a feature on a website allowing anyone to "ask" if a user exists on the website with the site then returning a positive or negative response. For example, to this day you can go to Adult Friend Finder's password reset page [https://adultfriendfinder...

Free course: The GDPR Attack Plan

You know what people really like? Government regulation! ...crickets... Ok, maybe not so much, but this one is actually really important. The General Data Protection Regulation [https://en.wikipedia.org/wiki/General_Data_Protection_Regulation] is an EU reg that kicks in on 25 May 2018 so we've got bang on a year to get organised. It's important within the EU because it relates to how data of their citizens and residents is handled and it's important outside the EU because the regulation can im...