I made it out of Vegas! That was a rather intense 8 days and if I'm honest, returning to the relative tranquillity of Oslo has been lovely (not to mention the massive uptick in coffee quality). But just as the US to Europe jet lag passes, it's time to head back to Aus for a bit and go through the whole cycle again. And just on that, I've found that diet makes a hell of a difference in coping with this sort of thing: > The number one most effective way I’ve found for coping with jet lag, stress,...

Almost one year ago now, I declared extended validation certificates dead [https://www.troyhunt.com/extended-validation-certificates-are-dead/]. The entity name had just been removed from Safari on iOS, it was about to be removed from Safari on Mojave and there were indications that Chrome would remove it from the desktop in the future (they already weren't displaying it on mobile clients). The only proponents of EV seemed to be those selling it or those who didn't understand how reliance on the...

Well that's Vegas done. 8 days of absolutely non-stop events that's now pretty much robbed me of my voice but hey, I got a flying cow! Scott and I both spent BSides, Black Hat and DEF CON doing "hallway con" or in other words, wandering around just meeting people. The personal engagement you get from these ad hoc meetups really can't be beat and I appreciate everyone who took the time to come over and say hi. Just a sample of our week is below: > Approaching a week of @BSidesLV [https://twitter...

Vegas! I'm a bit late with this week's update but I thought I'd catch up with Scott Helme and do the video together. We're talking about the events in Vegas, the ongoing Project Svalbard process, some very screwy messaging about certificates from Sectigo and the Irish government coming on board HIBP. Next week we'll do another one from Vegas and talk about what the events of the week here were like. [https://itunes.apple.com/au/podcast/troy-hunts-weekly-update-podcast/id1176454699] [https://pl...

Over the last year and a bit I've been working to make more data in HIBP freely available to governments around the world [https://www.troyhunt.com/the-uk-and-australian-governments-are-now-monitoring-their-gov-domains-on-have-i-been-pwned/] that want to monitor their own exposure in data breaches. Like the rest of us, governments regularly rely on services that fall victim to attacks resulting in data being disclosed and just like the commercial organisations monitoring domains on HIBP, unders...

What. A. Week. I've been in San Fran meeting with a whole bunch of potential purchasers for HIBP and it's been... intense. Daunting. Exciting. It's actually an amazing feeling to see my "little" project come to this where I'm sitting in a room with some of the most awesome tech companies whilst flanked by bankers in suits. I try and give a bit of insight into that in this week's video, keeping in mind of course that I'm a bit limited by how much detail I can go into right now. As the process un...

It's the last one from Norway before heading off to the US and diving into the deep end of the Project Svalbard [https://www.troyhunt.com/project-svalbard-the-future-of-have-i-been-pwned/] pool followed by Black Hat and DEF CON in Vegas. That's off the back of the last week being focused on pushing out Pwned Passwords V5, loading several hundred million new records worth of new data breaches and finally launching something I've been very excited about for a long time now: auth on the HIBP API. I...

The very first feature I added to Have I Been Pwned after I launched it back in December 2013 was the public API [https://www.troyhunt.com/have-i-been-pwned-you-can-now-ask-api/]. My thinking at the time was that it would make the data more easily accessible to more people to go and do awesome things; build mobile clients, integrate into security tools and surface more information to more people to enable them to do positive and constructive things with the data. I highlighted 3 really important...

So "Plan A" was to publish Pwned Passwords V5 on Tuesday but a last-minute check showed control characters had snuck in due to the quality (or lack thereof) of the source data. Scratch that and go to "Plan B" which was to push them out today but a last-minute check showed that my "improved" export script had screwed up the encoding and every single hash was wrong. "Plan C" is now to push them out on the weekend with everything working correctly. Hopefully. If I don't screw anything up again......

Almost 2 years ago to the day, I wrote about Passwords Evolved: Authentication Guidance for the Modern Era [https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/]. This wasn't so much an original work on my behalf as it was a consolidation of advice from the likes of NIST, the NCSC and Microsoft about how we should be doing authentication today. I love that piece because so much of it flies in the face of traditional thinking about passwords, for example: 1. Do...