Troy Hunt

FEBRUARY 9, 2023

I think I've pretty much captured it all in the title of this post but as of about a day ago, Pwned Passwords now has full parity between the SHA-1 hashes that have been there since day 1 and NTLM hashes. So, Chief Pwned Passwords Wrangler Stefán Jökull Sigurðarson got to work and just went ahead and built it all for you.

Passwords 329

Passwords 329

NetSpi Technical

NOVEMBER 14, 2024

For those interested in the previous PowerHuntShares release, here is the blog and presentation. Username domainuser -Password password Note: I’ve tried to provide time stamps and output during run-time, so you know what it’s doing. Let the pseudo-TLDR/release notes begin! It was easy to set up and get rolling in no time.

Passwords 145

Passwords Risk Data collection Backups 145

Troy Hunt

FEBRUARY 25, 2025

I like to start long blog posts with a tl;dr, so here it is: We've ingested a corpus of 1.5TB worth of stealer logs known as "ALIEN TXTBASE" into Have I Been Pwned. We've also added 244M passwords we've never seen before to Pwned Passwords and updated the counts against another 199M that were already in there.

Passwords 358

Passwords Accountability VPN Malware 358

Troy Hunt

MARCH 4, 2020

Since launching version 2 of Pwned Passwords with the k-anonymity model just over 2 years ago now, the thing has really gone nuts (read that blog post for background otherwise nothing from here on will make much sense). They could be searching for any password whose SHA-1 hash begins with those characters. Very slick!

Passwords 305

Passwords Data breaches Risk Encryption 305

Krebs on Security

SEPTEMBER 22, 2023

The password manager service LastPass is now forcing some of its users to pick longer master passwords. But critics say the move is little more than a public relations stunt that will do nothing to help countless early adopters whose password vaults were exposed in a 2022 breach at LastPass.

Passwords 317

Passwords Encryption Password Management Cryptocurrency 317

Troy Hunt

AUGUST 3, 2022

So, earlier this year I created Password Purgatory with the singular goal of putting spammers through the hellscape that is attempting to satisfy really nasty password complexity criteria. I opened-sourced it, took a bunch of PRs, built out the API to present increasingly inane password complexity criteria then left it at that.

Passwords 364

Passwords Accountability 364

Troy Hunt

MAY 27, 2021

Both these announcements are being made at a time where Pwned Passwords is seeing unprecedented growth: Getting closer and closer to the 1B requests a month mark for @haveibeenpwned 's Pwned Passwords. Speaking of natural fits, Pwned Passwords is perfect for this model and that's why we're starting here.

Passwords 363

Passwords Accountability Cybercrime Authentication 363

Krebs on Security

SEPTEMBER 29, 2021

In February, KrebsOnSecurity wrote about a novel cybercrime service that helped attackers intercept the one-time passwords (OTPs) that many websites require as a second authentication factor in addition to passwords. An ad for the OTP interception service/bot “SMSRanger.”

Passwords 342

Passwords Mobile Authentication Banking 342

Krebs on Security

MAY 10, 2021

One financial startup that’s targeting the gig worker market is offering up to $500 to anyone willing to hand over the payroll account username and password given to them by their employer, plus a regular payment for each month afterwards in which those credentials still work. This ad, from workplaceunited[.]com,

Passwords 314

Passwords Mobile Accountability Marketing 314

The Last Watchdog

NOVEMBER 22, 2021

Until biometrics or a quantum solution change our everyday approach to encryption, passwords remain our first line of defense against data breaches, hackers, and thieves. Proper password hygiene doesn’t require a degree in rocket science. 1) Create sufficiently-complex passwords. But simpler passwords are much easier to hack.

Passwords 244

Passwords Password Management Accountability Data breaches 244

Krebs on Security

JANUARY 7, 2025

In the first step of the attack, they peppered the target’s Apple device with notifications from Apple by attempting to reset his password. The target told Michael that someone was trying to change his password, which Michael calmly explained they would investigate. “Password is changed,” the man said.

Phishing 334

Phishing Cryptocurrency Accountability Social Engineering 334

Krebs on Security

MARCH 14, 2025

In this scam, dubbed “ ClickFix ,” the visitor to a hacked or malicious website is asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware. Executing this series of keypresses prompts Windows to download password-stealing malware.

Phishing 266

Phishing Malware Scams Passwords 266

Schneier on Security

OCTOBER 5, 2020

Interesting usability study: “ More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication “: Abstract : Risk-based Authentication (RBA) is an adaptive security measure to strengthen password-based authentication. I’ve blogged about risk-based authentication before.

Authentication 363

Authentication Risk Passwords 363

Daniel Miessler

DECEMBER 24, 2022

It started back in August of 2022 as a fairly common breach notification on a blog, but it, unfortunately, turned into more of a blog series. After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults. Actually, some data was lost.

Password Management 364

Password Management Passwords Encryption Backups 364

The Last Watchdog

APRIL 28, 2022

Passwords have become ubiquitous with digital. The humble password is nothing more than a digital key that opens a door. And they use passwords to open a device, a system, an account, a file and so on. Which begs the question: why do people create their own passwords? Yet most people don’t know how to use them properly.

Passwords 237

Passwords Encryption Phishing Social Engineering 237

The Last Watchdog

JANUARY 31, 2022

We all rely on passwords. For better or worse, we will continue to use passwords to access our computing devices and digital services for years to come. Related : The coming of password-less access. Passwords were static to begin with. They have since been modified in two directions: biometrics and dynamic passwords.

Passwords 232

Passwords Computers and Electronics Password Management Artificial Intelligence 232

Security Boulevard

NOVEMBER 10, 2024

Your internet account passwords are probably among the most guarded pieces of information you retain in your brain. With everything that has recently migrated to the digital realm, a secure password functions as the deadbolt to your private data.

Passwords 64

Passwords Accountability Internet Internet 64

Troy Hunt

OCTOBER 29, 2020

Almost a decade ago now, I wrote what would become one of my most career-defining blog posts: The Only Secure Password is the One You Can't Remember. I had come to the realisation that I simply had too many accounts across too many systems to ever have any chance of creating decent unique passwords I could remember.

Password Management 362

Password Management Passwords Software Accountability 362

Security Affairs

APRIL 15, 2025

A critical flaw (CVE-2025-24859, CVSS 10) in Apache Roller lets attackers keep access even after password changes. A critical vulnerability, tracked as CVE-2025-24859 (CVSS score of 10.0), affects the Apache Roller open-source, Java-based blogging server software. All versions 6.1.4 are affected. version 6.1.5 version 6.1.5

Passwords 55

Passwords Big data Software Hacking 55

Troy Hunt

JUNE 8, 2021

Ever notice how there was a massive gap of almost 9 months between announcing the intention to start open sourcing Have I Been Pwned (HIBP) in August last year and then finally a couple of weeks ago, actually taking the first step with Pwned Passwords ? I was pretty excited when I saw PRs coming in right after launching that last blog post.

Passwords 360

Passwords Accountability 360

Troy Hunt

MAY 29, 2024

unique passwords provided by law enforcement agencies into Have I Been Pwned (HIBP) following botnet takedowns in a campaign they've coined Operation Endgame. That link provides an excellent over so start there then come back to this blog post which adds some insight into the data and explains how HIBP fits into the picture.

Passwords 358

Passwords Password Management Data breaches Cybercrime 358

Troy Hunt

MARCH 3, 2025

But the confusing nature of stealer logs coupled with an overtly long blog post explaining them and the conflation of which services needed a subscription versus which were easily accessible by anyone made for a very intense last 6 days. That was a bit intense, as is usually the way after any large incident goes into HIBP. It should be many.

Passwords 243

Passwords Accountability Malware 243

Troy Hunt

NOVEMBER 13, 2024

As I said, our IT department recently notified me that some of my data was leaked and a pre-emptive password reset was enforced as they didn't know what was leaked.  Some people take the view of "I have nothing to hide", whilst others become irate if even just their email address is exposed.

Data breaches 323

Data breaches Passwords B2B Technology 323

Troy Hunt

JANUARY 17, 2024

It's usually something to the effect of "hey, have you seen the Spotify breach", to which I politely reply with a link to my old No, Spotify Wasn't Hacked blog post (it's just the output of a small set of credentials successfully tested against their service), and we all move on. Until the Naz.API list appeared.

Passwords 363

Passwords Password Management Hacking Accountability 363

Malwarebytes

MARCH 26, 2025

Through an automated attack disguised as a notice from Hunts chosen newsletter provider Mailchimp, scammers stole roughly 16,000 records belonging to current and past subscribers of Hunts blog. The email claimed that Mailchimp was temporarily cutting service to Hunt because his blog had allegedly received a spam complaint.

Phishing 119

Phishing Data breaches Password Management Scams 119

Troy Hunt

JULY 6, 2022

There'd be no open source Pwned Passwords if nobody wanted to contribute, no live streams or blog posts if people didn't want to watch them and no conference talks if nobody attended. Cool 😎 But it has to be said that all these things only happen through the support of the community.

Passwords 321

Passwords 321

Troy Hunt

NOVEMBER 28, 2020

Blog post every day, massive uptick in comments, DMs, newsletter subscribers, followers and especially, blog traffic. More than 200,000 unique visitors dropped by this week, mostly to read about IoT things. This has been a fascinating experience for me and I've enjoyed sharing the journey, complete with all my mistakes ??

IoT 335

IoT Password Management Firmware Passwords 335

Malwarebytes

NOVEMBER 4, 2024

In this blog post, we take a look at how criminals are abusing Bing and stay under the radar at the same time while also bypassing advanced security features such as two-factor authentication. The idea is about creating content that looks real, like a blog, but with malicious intent (monetization or other).

Engineering 127

Engineering Phishing Banking Authentication 127

Troy Hunt

MARCH 9, 2023

that was out of a total of more than 166M requests in the same period: Yep, we just hit "five nines" of cache hit ratio on Pwned Passwords being 99.999%. It also means that the 48c per day cost is going to come way down 🙂 Every time the FBI feeds new passwords into the service , the impacted file is purged from cache.

Passwords 361

Passwords Accountability 361

Troy Hunt

JUNE 30, 2022

Four and a half years ago now, I rolled out version 2 of HIBP's Pwned Passwords that implemented a really cool k-anonymity model courtesy of the brains at Cloudflare. Actually, the multiple problems, the first of which is that it's just way too fast for storing user passwords in an online system.

Passwords 348

Passwords Identity Theft Consumer Services Password Management 348

Adam Shostack

JANUARY 2, 2025

Here's my model of what we're working on: Let me walk you through this: There's a password manager, which talks to a website. The two boundaries displayed are where the data and the "password manager.exe" live. Similarly, the passwords are stored somewhere, and there's a boundary around that. What can go wrong?

Password Management 130

Password Management Passwords Encryption Architecture 130

Troy Hunt

OCTOBER 7, 2022

Who out there still works somewhere that forces rotation (because "reasons")? people) Sponsored by: Kolide can help you nail third-party audits and internal compliance goals with endpoint security for your entire fleet.

Passwords 302

Passwords 302

Krebs on Security

SEPTEMBER 5, 2023

In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. 15, 2022, LastPass said an investigation into the August breach determined the attacker did not access any customer data or password vaults.

Cryptocurrency 360

Cryptocurrency Passwords Encryption Accountability 360

Troy Hunt

JULY 21, 2020

The tl;dr is that someone with a BeerAdvocate account was convinced the service had been pwned as they'd seen evidence of an email address and password they'd used on the service being abused. Someone had registered a new Netflix account with my email / password associated with my BeerAdvocate account. Not even a password manager.

Passwords 353

Passwords Accountability Password Management Backups 353

Troy Hunt

DECEMBER 4, 2020

that's the launch blog post, how things have changed. and yet stayed the same) Apparently, "red" Texans don't like being told their password is crap (and other ridiculous insights) Also on stupid emails, apparently I'm gonna be in trouble with the law - today (nothing further yet, but of course I'll share any updates ??)

Password Management 282

Password Management IoT Passwords 282

Troy Hunt

MARCH 12, 2021

Home Assistant started telling people not to use Pwned Password, and people got pissed (this is nuts, and it deserved a dedicated blog post) Sponsored by safepass.me: Get a FREE password audit on your Active Directory users with pwncheck from safepass.me. But hey, at least the audio is spot on, hope you enjoy this week's video.

Passwords 297

Passwords IoT Hacking 297

Troy Hunt

APRIL 14, 2022

I really don't like password strength indicators like this (there's really nothing of practical use people can take away from them) Hey, here's a blog post on how much I dislike password strength meters! (5 Try it free!

Passwords 308

Passwords Government 308