The 773 Million Record “Collection #1” Data Breach

Many people will land on this page after learning that their email address has appeared in a data breach I’ve called “Collection #1”. Most of them won’t have a tech background or be familiar with the concept of credential stuffing so I’m going to write this post for the masses

Serverless to the Max: Doing Big Things for Small Dollars with Cloudflare Workers and Azure Functions

As time has gone by, one of the things I’ve enjoyed the most in running Have I Been Pwned (HIBP) is seeing how far I could make the dollars stretch. How big can it go whilst, at the same time, running it on a shoestring? I keep finding new ways…

Pwned Passwords, Now As NTLM Hashes!

I’m still pretty amazed at how much traction Pwned Passwords has gotten this year. A few months ago, I wrote about Pwned Passwords in Practice which demonstrates a whole heap of great use cases where they’ve been used in registration, password reset and login flows. Since that time, another big

Pwned Passwords V3 is Now Live!

Over recent weeks, I’ve begun planning the release of the 3rd version of Pwned Passwords. If you cast your mind back, version 1 came along in August last year and contained 320M passwords. I made all the data downloadable as SHA-1 hashes (for reasons explained in that post) and stood…

86% of Passwords are Terrible (and Other Statistics)

A couple of months ago, I launched version 2 of Pwned Passwords. This is a collection of over half a billion passwords which have previously appeared in data breaches and the intention is that they’re used as a black list; these are the “secrets” that NIST referred to

Enhancing Pwned Passwords Privacy by Exclusively Supporting Anonymity

When I launched Pwned Passwords in August, I honestly didn’t know how much it would be used. I made 320M SHA-1 password hashes downloadable and also stood up an API to query the data “as a service” by either a plain text password or a SHA-1 hash. (Incidentally,…