Troy Hunt

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals

Weekly update 46

This has been an insane week, not least because of spending the day yesterday installing a Ubiquiti network as part of my upcoming course. A heap of fun, but one little glitch threw my day out. Another glitch with my Pwned Passwords service threw my day today out so I'm going to sign off here, leave you with the vid and go grab a well-deserved ? iTunes podcast [https://itunes.apple.com/au/podcast/troy-hunts-weekly-update-podcast/id1176454699] | Google Play Music podcast [https://goo.gl/app/pla...

Introducing 306 Million Freely Downloadable Pwned Passwords

Edit 1: The following day, I loaded another set of passwords which has brought this up to 320M. More on why later on. Edit 2: The API model described below has subsequently been discontinued [https://www.troyhunt.com/enhancing-pwned-passwords-privacy-by-exclusively-supporting-anonymity/] in favour of the k-anonymity model [https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/] launched with V2. Last week I wrote about Passwords Evolved: Authentication Guidance for the Modern E...

Pastes on Have I Been Pwned Are No Longer Publicly Listed

Over the weekend, a Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) subscriber contacted me after they found their Spotify credentials online. It turns out that this particular woman went searching for her specific password after finding "some guy listening to Mexican music from a foreign device on my acct". In the search results, she found a site hosted on Google's Blogger service with troves and troves of Spotify credentials, among others. Now I've seen a lot of lists of "hacked Spotify...

Kids Pass Just Reminded Us How Hard Responsible Disclosure Is

Only a couple of months ago, I did a talk titled "The Responsibility of Disclosure: Playing Nice and Staying Out of Prison". The basic premise was to illustrate where folks finding security vulnerabilities often go wrong in their handling of the reporting, but I also wanted to show how organisations frequently make it very difficult to responsibly disclose the issue in the first place. Just for context, I suggest watching a few minutes of the talk from the point at which I've set the video below...

Weekly update 45

This week I've had my head down working on a new course for Ubiquiti, the guys who make the very fine wifi things I now have in my house and since writing about them, many others do too. I'll be sharing more about that in the coming weeks but whilst I had the parts handy, I thought I'd show folks what would be going into the build I'll do next week. The other major thing this week was the blog post about modernising our approach to passwords. I honestly didn't expect this to be so well received...

Passwords Evolved: Authentication Guidance for the Modern Era

In the beginning, things were simple: you had two strings (a username and a password) and if someone knew both of them, they could log in. Easy. But the ecosystem in which they were used was simple too, for example in MIT's Time-Sharing Computer [https://www.wired.com/2012/01/computer-password/], considered to be the first computer system to use passwords: We're talking back in the 60's here so a fair bit has happened since then. Up until the last couple of decades, we had a small number of...

Weekly update 44

This was one of those weeks where time disappeared on totally unplanned things, namely due to the debate that raged on over days about certs [https://twitter.com/melih_comodo/status/886815275043213312?refsrc=email&s=11] (get popcorn then read upwards and downwards from there). I stayed well and truly clear of that once it got heated, but I then spent the better part of two days researching, thinking and writing a near-6000 word piece on this [https://www.troyhunt.com/on-the-perceived-value-...

On The (Perceived) Value of EV Certs, Commercial CAs, Phishing and Let's Encrypt

Last week I wrote about how Life Is About to Get a Whole Lot Harder for Websites Without HTTPS [https://www.troyhunt.com/life-is-about-to-get-harder-for-websites-without-https/]. Somewhere in the comments there, the discussion went off on a tangent about commercial CAs, the threat Let's Encrypt poses to them and subsequently, the value (or lack thereof) posed by extended validation (EV) certificates. That discussion boiled over onto Twitter with many vocal opinions from different camps. This pos...

Weekly update 43

I'm home! After that crazy travel schedule (6 weeks and 1 day in all, thank you very much) I'm back in my own bed with some peace and quiet and... jet lag. It's always worse coming home from Europe, a combination of flying east (I travel over two short nights) and frankly, just being worn out at the end of a long journey. Regardless, I had a pretty massive week on the blog and consequently, this is my longest ever weekly update at almost 40 minutes. This week, I somehow came across a lot of "cr...

Life Is About to Get a Whole Lot Harder for Websites Without HTTPS

In case you haven't noticed, we're on a rapid march towards a "secure by default" web when it comes to protecting traffic. For example, back in Feb this year, 20% of the Alexa Top 1 Million sites were forcing the secure scheme: These figures are from Scott Helme's biannual report [https://scotthelme.co.uk/alexa-top-1-million-analysis-feb-2017/] and we're looking at a 5-month-old number here. I had a quiet chat with him while writing this piece and apparently that number is now at 28% of the T...