Have I Been Pwned

Over recent weeks, I've begun planning the release of the 3rd version of Pwned Passwords. If you cast your mind back, version 1 came along in August last year [https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/] and contained 320M passwords. I made all the data downloadable as SHA-1 hashes (for reasons explained in that post) and stood up a basic API to enable anyone to query it by plain text password or hash. Then in Feb, version 2 landed [https://www.troyhunt...

One of the most alarming trends I've seen in the world of data breaches since starting Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) back in 2013 is the rapid rise of credential stuffing [https://www.owasp.org/index.php/Credential_stuffing] attacks. Per the definition in that link, it simply means this: > Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. This form of attack relies on a combination...

Pretty much every day, I get a reminder from someone about how little people know about their exposure in data breaches. Often, it's after someone has searched Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) and found themselves pwned somewhere or other. Frequently, it's some long-forgotten site they haven't even thought about in years and also frequently, the first people know of these incidents is via HIBP: > large @ticketfly [https://twitter.com/ticketfly?ref_src=twsrc%5Etfw] data bre...

Running Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) has presented some fascinating insights into all sorts of aspects of how data breaches affect us; the impact on the individual victims such as you and I, of course, but also how they affect the companies involved and increasingly, the role of government and law enforcement in dealing with these incidents. Last week I had an all new situation arise related to that last point and I want to explain it properly here so it makes sense if...

Back in August, I pushed out a service as part of Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) to help organisations block bad passwords from their online things. I called it "Pwned Passwords" and released 320M of them from real-world data breaches [https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/] via both a downloadable file and an online service. This was in response to NIST's Digital Identity Guidelines [https://www.nist.gov/itl/tig/special-publ...

A couple of months ago, I shared news of on-boarding the UK and Australian governments to Have I Been Pwned [https://www.troyhunt.com/the-uk-and-australian-governments-are-now-monitoring-their-gov-domains-on-have-i-been-pwned/] (HIBP). As I explained at the time, I wanted to provide the folks there with easy access to their respective government domains which meant providing them with the facility to query at the TLD level - namely, .gov.uk and .gov.au - as well as across a handful of their oth...

When I launched Pwned Passwords in August [https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/], I honestly didn't know how much it would be used. I made 320M SHA-1 password hashes downloadable and also stood up an API to query the data "as a service" by either a plain text password or a SHA-1 hash. (Incidentally, for anyone about to lose their mind over SHA-1, read that launch post as to why that hashing algorithm is used.) But the service did become quite popu...

The penny first dropped for me just over 7 years ago to the day: The only secure password is the one you can't remember [https://www.troyhunt.com/only-secure-password-is-one-you-cant/]. In an era well before the birth of Have I Been Pwned [https://haveibeenpwned.com/] (HIBP), I was doing a bunch of password analysis on data breaches and wouldn't you know it - people are terrible at creating passwords! Of course, we all know that but it's interesting to look back on that post all these years late...

There's no way to sugar-coat this: Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) only exists due to a whole bunch of highly illegal activity that has harmed many individuals and organisations alike. That harm extends all the way from those in data breaches feeling a sense of personal violation (that's certainly how I feel when I see my personal information exposed), all the way through to people literally killing themselves [http://money.cnn.com/2015/09/08/technology/ashley-madison-suic...

If I'm honest, I'm constantly surprised by the extent of how far Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) is reaching these days. This is a little project I started whilst killing time in a hotel room in late 2013 after thinking "I wonder if people actually know where their data has been exposed?" I built it in part to help people answer that question and in part because my inner geek wanted to build an interesting project on Microsoft's Azure. I ran it on a coffee budget (the goal...