How To Secure The Internet: Troy Hunt Talks Breaches, Passwords And IoT


Troy Hunt is busy. He’s been travelling across the world giving talks about security, and his much loved and lauded website HaveIBeenPwned went up for sale in June. But that’s not before the site–which gives users the chance to see if their emails and passwords have been compromised–had been baked into services such as Firefox and 1Password.

The acquisition is in its final stages, says Hunt. But he concedes that “it’s just a huge amount of effort for one person: Even the acquisition itself.”

To be fair to him, Hunt has done pretty well as one person. HIBP, as it has affectionately become known, has been a phenomenal success. As well as educating users on the importance of strong passwords, it’s raised awareness of credential stuffing–where attackers will throw people’s credentials at a number of big services in the hope that the victim has reused their passwords. 

It’s due to this that Hunt could even be credited with improving the security of the web. “The success of HaveIBeenPwned largely speaks for itself: It’s a globally recognized tool adopted by millions of individuals, and it’s helped companies and individuals take an interest in their own online security posture,” says security researcher Mike Thompson.

But despite the impending sale of HIBP, Hunt’s work is certainly not over. 

Tackling cybersecurity issues, one at a time

On December 7 at 3 p.m. ET (8 p.m. GMT), Hunt will take part in a virtual conference organized by security researcher group The Beer Farmers, called Beer Con One. The 24-hour event will see Hunt and other guests reflecting back on 2019 as well as the industry as a whole to raise money for the Electronic Frontier Foundation (EFF) and Mental Health Hackers.

As part of this, he’ll talk about one major attack vector that remains an issue: the so-called internet of things (IoT). Among the issues in IoT is the fact that product vendors so regularly fail to build in security from the start. Worse, when notified of a problem, vendors often fail to fix it.

Hunt cites the example of one of the biggest IoT issues this year: location tracking on children’s smartwatches. “I bought my daughter one of these and found how she could be tracked,” he says, explaining how he worked with security researcher Ken Munro at Pen Test Partners to solve the issue. “He handled it so eloquently, but the vendor responded so badly. The PR made it out to be two hackers out to make money.”

Another talking point that has dominated 2019 is data security and privacy practices of big tech companies such as Google and Facebook. So, as a security researcher who sees a lot of the issues firsthand, has Hunt deleted Facebook yet? 

“I think the privacy thing around this is fascinating,” Hunt says. “I haven’t deleted Facebook as my friends are on there. I use Google because it’s the best search engine, but it’s really interesting to see the challenges they have. They are told by authorities that they need to retain data for terrorism–and then people want privacy.”

Troy Hunt on the worst breaches of 2019

There have been multiple breaches this year, so which were the worst? Hunt says one breach that affected him “due to the scars it left” was a “zoophilia and bestiality” site called Zooville. “A vulnerability meant you could personally identify individuals. There were user names, email addresses, and IP addresses.”

Before he even started, Hunt had some rather unexpected investigations to make. “I had to work out: Is this legal? Different aspects of it are legal in different places. There was a little bit of me that was fascinated by how weird it was.”

One of the biggest breaches of the year took place at the start of 2019. Revealed in January, Collection #1 saw more than a billion unique email address and password combinations posted to a hacking forum for anyone to see.

This mega-breach containing several data sets from different sources was first revealed by Hunt, and he says it was actually the catalyst for his site’s sale. Predictably for a story so big, it gave HaveIBeenPwned a huge spike in customers.

However, many misinterpreted the story, and gave Hunt a hard time. “It got interpreted by a number of people as the world’s largest data breach–but it was an amalgamation of different breaches.”

Even so, it was important Collection #1 got the coverage: The exposed details could be used for credential stuffing attacks, with bots automatically testing millions of email and password combinations on a range of website login pages.

“Credential stuffing has become massive this year,” Hunt concedes. 

This attack thrives on the chance that people reuse their passwords, which means hackers can throw these credentials at several services and bypass authentication on all of them.

Password security 

Asked how people can be stopped from reusing passwords, Hunt says: “The only way you are going to not do that is using a password manager. Then two factor authentication (2FA).”

Services can actually use the Pwned Passwords service on HIBP to prevent their users from using already breached passwords. “People are using bad passwords–we need to save users from themselves,” Hunt says.
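As an added example (not code from the article, from HIBP, or from Troy Hunt), here is how a service can enforce that check using the Pwned Passwords range API's k-anonymity model: the client hashes the candidate password with SHA-1, sends only the first five hex characters of the hash, and matches the remaining 35 characters locally against the returned `SUFFIX:COUNT` lines, so the password itself never leaves the service. The fake fetcher, its breach counts, and all helper names are constructed here so the block runs offline.

```python
import hashlib
import urllib.request
from typing import Callable

# Real endpoint of the Pwned Passwords range API; the offline demo below never calls it.
API_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def split_sha1(password: str) -> tuple[str, str]:
    """Return the 5-hex-char prefix and the 35-char suffix of the password's SHA-1 hash."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_body(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; padding entries carry count 0."""
    counts: dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Send only the hash prefix, match the suffix locally; 0 means never seen in a breach."""
    prefix, suffix = split_sha1(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)

def fetch_range_live(prefix: str) -> str:
    """Query the real API (network required); Add-Padding hides the true result-set size."""
    req = urllib.request.Request(API_RANGE_URL + prefix,
                                 headers={"User-Agent": "hibp-range-demo", "Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def make_fake_fetcher(breached: dict[str, int]) -> Callable[[str], str]:
    """Constructed stand-in for the API: `breached` maps password -> invented breach count."""
    def fetch(prefix: str) -> str:
        lines = ["0" * 35 + ":0"]  # constructed padding line, as the API emits with Add-Padding
        for pw, count in breached.items():
            p, s = split_sha1(pw)
            if p == prefix:
                lines.append(f"{s}:{count}")
        return "\r\n".join(lines)
    return fetch

def acceptable_new_password(password: str, fetch_range: Callable[[str], str]) -> bool:
    """Registration or reset policy hook: reject any password that appears in a known breach."""
    return pwned_count(password, fetch_range) == 0
```

Swap `make_fake_fetcher(...)` for `fetch_range_live` to run the same policy against the real service; treating a network failure as "reject" or "allow" is a deliberate choice the service must make.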

But he points out that so far, stats show just 2% of people are using a password manager. In some cases, it’s because it is too complex. For this reason, Hunt doesn’t discount using a physical password book. 

“You need to look at who your threat actor is–it’s someone who can get the book. It’s now someone who can break into your house, but then they don’t want the book, they want the computer. The book is better than what 98% of people are doing: that’s the discussion we want to be having.”

Meanwhile, says Hunt, 2FA is “a pain in the ass.” 

“I am a proponent but the usability sucks. Or we end up with SMS–you can then do SIM swap attacks.”

But at the same time, he says: “People say using SMS for 2FA is like not having 2FA at all. It’s always going to be better–credential stuffing goes away.”
