Troy Hunt and havibeenpwned.com

Steve Cassidy has found a tech hero of late, in the form of Troy Hunt, the guy behind havibeenpwned.com...

security key on keyboard

The real cost of being a good guy in the password database theft saga: haveibeenpwned.com

I could get to be quite a fan of Troy Hunt. He's not a character in a BBC time-travel detective action throwback drama. He's a computer scientist, and the man behind http://havibeenpwned.com which is a handy site, into which you can type your various online usernames and email addresses, to see if they are implicated in any of the 20-odd security database loss incidents which are such a regular part of the mainstream news in late 2014.

I would hope that IT Pro readers don't need the usefulness of such a site spelling out to them: if you know someone who does, just send them over to this article where the reasons to be careful and the ramifications of using a reputable source to do your checking are discussed in detail. The only minor hint on this topic for IT Admin types is that the problem of humans re-using the same user/password pairs on multiple sites goes for work computer logins too. If someone uses P00dle97 for their Amazon account then they re quite likely to use it for their work login too.

But that's a minor side-issue. The main event, to my mind, is the hugely detailed and very carefully thought-out blog that Troy has posted about his life as the webmaster of the havibeenpwned site, which is hosted almost entirely on Microsoft Azure. Because he gets big (and I mean: big!) traffic spikes every time the whole password-hack thing hits the headlines, he's got a really nice, uncomplicated case study in what it actually means for a businessperson to run a site that they have to pay more for, the more it's used. If you are minded to dive in to his detailed findings, then you can read through them here

Two conclusions strike me almost straight away. The first is, I hope he doesn't have to pay a bean out of his own pocket to provide this global public service: If Microsoft have any PR smarts at all they should announce that he's a lifetime free Azure user, at the very least.

The second is that it's almost impossible to imagine a scenario where the same transparency of reporting of the whole of the exercise from the sources of the lists, to the databases used to secure his "white hat hacker" copies, to the way he codes the queries and then doesn't keep the data from the names that have been tested could be presented in such an easy win-win fashion. There's no part of this in which the usual commercial secrecy and corporate Wise Monkey approach serves anybody's interests, and that makes for a much more persuasive and followable demo of Azure and the monitoring tools he's using, than any number of contoso.com empty examples.

Job well done, sir.

Featured Resources

Shining light on new 'cool' cloud technologies and their drawbacks

IONOS Cloud Up! Summit, Cloud Technology Session with Russell Barley

Watch now

Build mobile and web apps faster

Three proven tips to accelerate modern app development

Free download

Reduce the carbon footprint of IT operations up to 88%

A carbon reduction opportunity

Free Download

Comparing serverless and server-based technologies

Determining the total cost of ownership

Free download

Most Popular

How to move Microsoft's Windows 11 from a hard drive to an SSD
Microsoft Windows

How to move Microsoft's Windows 11 from a hard drive to an SSD

24 Nov 2021
What should you really be asking about your remote access software?
Sponsored

What should you really be asking about your remote access software?

17 Nov 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

12 Nov 2021