Troy Hunt and haveibeenpwned.com

Steve Cassidy has found a tech hero of late, in the form of Troy Hunt, the guy behind haveibeenpwned.com...


The real cost of being a good guy in the password database theft saga: haveibeenpwned.com

I could get to be quite a fan of Troy Hunt. He's not a character in a BBC time-travel detective action throwback drama. He's a computer scientist, and the man behind http://haveibeenpwned.com, which is a handy site into which you can type your various online usernames and email addresses to see if they are implicated in any of the 20-odd security database loss incidents which are such a regular part of the mainstream news in late 2014.

I would hope that IT Pro readers don't need the usefulness of such a site spelling out to them: if you know someone who does, just send them over to this article, where the reasons to be careful and the ramifications of using a reputable source to do your checking are discussed in detail. The only minor hint on this topic for IT Admin types is that the problem of humans re-using the same user/password pairs on multiple sites goes for work computer logins too. If someone uses P00dle97 for their Amazon account then they're quite likely to use it for their work login too.

But that's a minor side-issue. The main event, to my mind, is the hugely detailed and very carefully thought-out blog that Troy has posted about his life as the webmaster of the haveibeenpwned site, which is hosted almost entirely on Microsoft Azure. Because he gets big (and I mean: big!) traffic spikes every time the whole password-hack thing hits the headlines, he's got a really nice, uncomplicated case study in what it actually means for a businessperson to run a site that they have to pay more for, the more it's used. If you are minded to dive into his detailed findings, then you can read through them here.

Two conclusions strike me almost straight away. The first is that I hope he doesn't have to pay a bean out of his own pocket to provide this global public service: if Microsoft have any PR smarts at all, they should announce that he's a lifetime free Azure user, at the very least.

The second is that it's almost impossible to imagine a scenario where the same transparency of reporting of the whole of the exercise, from the sources of the lists, to the databases used to secure his "white hat hacker" copies, to the way he codes the queries and then doesn't keep the data from the names that have been tested, could be presented in such an easy win-win fashion. There's no part of this in which the usual commercial secrecy and corporate Wise Monkey approach serves anybody's interests, and that makes for a much more persuasive and followable demo of Azure and the monitoring tools he's using than any number of empty contoso.com examples.

Job well done, sir.
