Security

Almost a decade ago now, I wrote what would become one of my most career-defining blog posts: The Only Secure Password is the One You Can't Remember [https://www.troyhunt.com/only-secure-password-is-one-you-cant/]. I had come to the realisation that I simply had too many accounts across too many systems to ever have any chance of creating decent unique passwords I could remember. So, I set out to find a password manager and 10 Christmas holidays ago now, I spent the best 50 bucks ever: I chose...

Been a lot of "victim blaming" going on these last few days. The victim, through no fault of their own, has been the target of numerous angry tweets designed to ridicule their role in internet security and suggest they are incapable of performing their duty. Here's where it all started: > This is a great example of how bad people are at reading and understanding even the domain part of the URL then making decisions based on that which affect their security and privacy (see the answer under the...

Sexuality, relationships and online dating are all rather personal things. They're aspects of our lives that many people choose to keep private or at the very least, share only with people of our choosing. Grindr [https://www.grindr.com/] is "The World's Largest Social Networking App for Gay, Bi, Trans, and Queer People" which for many people, makes it particularly sensitive. It's sensitive not just because by using the site it implies one's sexual orientation, but because of the sometimes sev...

I want a "secure by default" internet with all the things encrypted all the time such that people can move freely between networks without ever needing to care about who manages them or what they're doing with them. I'm a massive proponent of Let's Encrypt's and Cloudflare's missions to secure the web and of browser paradigms such as HSTS [https://www.troyhunt.com/understanding-http-strict-transport/] and upgrade-insecure-requests via content security policies [https://www.troyhunt.com/the-6-st...

You've possibly just found out you're in a data breach. The organisation involved may have contacted you and advised your password was exposed but fortunately, they encrypted it. But you should change it anyway. Huh? Isn't the whole point of encryption that it protects data when exposed to unintended parties? Ah, yes, but it wasn't encrypted it was hashed and therein lies a key difference: > Saying that passwords are “encrypted” over and over again doesn’t make it so. They’re bcrypt hashes so g...

I love security. I love privacy. Consequently, it will come as no surprise that I love tools that help people achieve those objectives. Equally, I have no patience for false promises, and I've been very vocal about my feelings there: > But one of them is literally called “Secure VPN”, how is this possible?! “Are You Using These VPN Apps? Personal Info Of 20 Million Users Leaked: That’s 1.2TB Data” https://t.co/BPDww70Pgo — Troy Hunt (@troyhunt) July 20, 2020 [https://twitter.com/troyhunt/stat...

I love beer. This comes as no surprise to regular followers, nor should it come as a surprise that I maintain an Untappd [https://untappd.com/] account, logging my beer experiences as I (used to 😢) travel around the world partaking in local beverages. When I received an email from someone over that way who happened to be a happy Have I Been Pwned (HIBP) user and wanted some cyber-assistance, I was intrigued. You'll never believe what happened next... The tl;dr is that someone with a BeerAdvoca...

The situation in Minneapolis at the moment (and many other places in the US) following George Floyd's death [https://en.wikipedia.org/wiki/Death_of_George_Floyd] is, I think it's fair to say, extremely volatile. I wouldn't even know where to begin commentary on that, but what I do have a voice on is data breaches which prompted me to tweet this out earlier today: > I'm seeing a bunch of tweets along the lines of "Anonymous leaked the email addresses and passwords of the Minneapolis police" with...

I've written a bunch about COVID-19 contact tracing apps recently as they relate to security and privacy, albeit in the form of long tweets. I'm going to avoid delving into the details here because they're covered more comprehensively in the resources I want to consolidate below, firstly the original thread from a fortnight ago as news of an impending app in Australia was breaking: > Ok folks, let's talk about the Coronavirus tracking app as news of Australia adopting Singapore's "TraceTogether...

How much can you trust the assertions made by an organisation regarding their security posture? I don't mean to question whether the statements are truthful or not, but rather whether they provide any actual assurance whatsoever. For example, nearly 5 years ago now I wrote about how "we take security seriously" was a ridiculous statement to make immediately after a data breach [https://www.troyhunt.com/we-take-security-seriously-otherwise/]. It seems that not much has changed since then: > “At...