Troy Hunt
Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals
Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals
Every now and then, I look at one of the videos I've just recorded and only realise then how tired I look. This was one of those weeks and it was absolutely jam-packed! There was some awesome stuff and there was some very frustrating stuff. Let me add briefly to the latter here: The joy of participating in online communities is that we have these melting pots of diverse backgrounds and ideas all coming together in the one place. A huge portion of what I've learned personally has come from very...
Last August, I launched a little feature within Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) I called Pwned Passwords [https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/]. This was a list of 320 million passwords from a range of different data breaches which organisations could use to better protect their own systems. How? NIST explains [https://pages.nist.gov/800-63-3/sp800-63b.html]: > When processing requests to establish and change memorized secr...
I had plans this week. Monday was going to be full of coding work around Pwned Passwords V2 (and a few other HIBP things) then Texthelp [https://www.texthelp.com/en-gb/] went and got themselves pwned and there went my day writing about the ramifications of that. This is a genuinely important issue and the whole concept of the JavaScript supply chain needs much better thought. We've got the technology, it's just that most people don't know it exists! I did then later get around to posting my "da...
I'll start this post where I start many of my talks - what does a hacker look like? Or perhaps more specifically, what do people think a hacker looks like? It's probably a scary image, one that's a bit mysterious, a shady character lurking in the hidden depths of the internet. People have this image in their mind because that's what they've been conditioned to believe: These are the images that adorn the news pieces we read and we've all seen them before. Hell, we've seen literally the same g...
A couple of years back as the US presidential campaign was ramping up, the Trump camp did something stupid. I know, we're all shocked but bear with me because it's an important part of the narrative of this post. One of their developers embedded this code in the campaign's donation website: <script src="https://github.com/igorescobar/jQuery-Mask-Plugin/blob/gh-pages/js/jquery.mask.min.js" type="text/javascript"></script> See the problem? This tag was in the source code over at secure.donaldjt...
I'm not entirely sure how I've gotten to the end of the week feeling completely wrung out whilst having only written the one thing, but here we are. In fairness though, I've put a heap of work into Pwned Passwords [https://haveibeenpwned.com/Passwords] version 2 and finally completed the data set. There's some coding work and other logistics to complete before it goes live, but the plan for now is week after next so I'm looking forward to that. This week, it's all about minimum password lengths...
I've been giving a bunch of thought to passwords lately. Here we have this absolute cornerstone of security - a paradigm that every single person with an online account understands - yet we see fundamentally different approaches to how services handle them. Some have strict complexity rules. Some have low max lengths. Some won't let you paste a password. Some force you to regularly rotate it. It's all over the place. Last year, I wrote about authentication guidance for the modern era [https://w...
I'm home! It's nice being home ? This week I start by getting a couple of things off my chest, namely some pretty wacky reactions to my suggesting that we're never going to see a coders' hippocratic oath and how I feel when media outlets say "the dark web". Plus, I've got news around running workshops in Europe with Scott Helme and me finally getting a content security policy on this blog. That last one in particular makes me very happy because it really shouldn't have been this hard, but it w...
I've long been a proponent of Content Security Policies (CSPs). I've used them to fix mixed content warnings on this blog after Disqus made a little mistake [https://www.troyhunt.com/disqus-mixed-content-problem-and-fixing-it-with-a-csp/], you'll see one adorning Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) and I even wrote a dedicated Pluralsight course on browser security headers [https://pluralsight.pxf.io/c/1196446/424552/7490?u=https%3A%2F%2Fwww.pluralsight.com%2Fcourses%2Fbrowser...
This is probably the most self-explanatory blog post title I've ever written! But be that as it may, it deserves some explanation as to how I've arrived at this point and like many great ideas, it began over some beers... I've just arrived home to the Gold Coast in Australia which I frequently describe to people as "the sunny part of the sunny country". I'm literally sitting on a beach writing this blog post and frankly, I'd like to spend more time here. I spent 37% of 2017 away from home [http...