Welcoming the Italian Government to Have I Been Pwned

For the last 4 years, I’ve been providing API-level access to national government agencies so that they can search and monitor their government domains on Have I Been Pwned. Today, I’m very happy to welcome the 29th government to join the service, Italy! Via CSIRT-Italia within

Setting the Bar for Government Access to Have I Been Pwned

Over the last 4 years, I’ve onboarded 28 national government CERTs onto Have I Been Pwned (HIBP) and given them free and open access to APIs that enable them to query and monitor their gov domains. This doesn’t give them access to any information they can&

I Wanna Go Fast: How Many Pwned Password Queries Can You Make Per Second?

I feel the need, the need for speed.

Faster, Faster, until the thrill of speed overcomes the fear of death.

If you’re in control, you’re not going fast enough.

And so on and so forth. There’s a time and a place for going fast,

Welcoming the New Zealand Government to Have I Been Pwned

Continuing the march forward to provide governments with better access to their departments’ data exposed in breaches, I’m very pleased to welcome the 28th national government onto Have I Been Pwned – New Zealand! They’ll join the other govs around the world that have complete

How I Got Pwned by My Cloud Costs

I have been, and still remain, a massive proponent of “the cloud”. I built Have I Been Pwned (HIBP) as a cloud-first service that took advantage of modern cloud paradigms such as Azure Table Storage to massively drive down costs at crazy levels of performance I never could

Is it a good idea to check if the password provided at registration is leaked on any lists? And then, prevent the user from using it?

A while ago, I was tipped off that it’s a good idea to check if the password provided at registration is contained in any list of leaked passwords. I’m not in the information security field, but I really like to take aspects like this seri…

Open Source Pwned Passwords with FBI Feed and 225M New NCA Passwords is Now Live!

In the last month, there were 1,260,000,000 occasions where a service somewhere checked a password against Have I Been Pwned’s (HIBP’s) Pwned Password API. 99.7% of the time, that check went no further than one of hundreds of Cloudflare edge nodes spread

When is a Scrape a Breach?

A decade and a bit ago during my tenure at Pfizer, a colleague’s laptop containing information about customers, healthcare providers and other vendors was stolen from their car. The machine had full disk encryption and it’s not known whether the thief was ever actually able to

Merry #pwnedmas!

Like most of my good ideas, this one came completely by accident. The other day I was packaging up some swag to send to the winner of my impromptu best “Anonymous” meme competition and I decided to share the following tweet:
