Troy Hunt and haveibeenpwned.com

Steve Cassidy has found a tech hero of late, in the form of Troy Hunt, the guy behind haveibeenpwned.com...


The real cost of being a good guy in the password database theft saga: haveibeenpwned.com

I could get to be quite a fan of Troy Hunt. He's not a character in a BBC time-travel detective action throwback drama. He's a computer scientist, and the man behind http://haveibeenpwned.com, which is a handy site into which you can type your various online usernames and email addresses to see if they are implicated in any of the 20-odd security database loss incidents which are such a regular part of the mainstream news in late 2014.


I would hope that IT Pro readers don't need the usefulness of such a site spelling out to them: if you know someone who does, just send them over to this article, where the reasons to be careful and the ramifications of using a reputable source to do your checking are discussed in detail. The only minor hint on this topic for IT Admin types is that the problem of humans re-using the same user/password pairs on multiple sites applies to work computer logins too. If someone uses P00dle97 for their Amazon account, then they're quite likely to use it for their work login too.

But that's a minor side-issue. The main event, to my mind, is the hugely detailed and very carefully thought-out blog that Troy has posted about his life as the webmaster of the haveibeenpwned site, which is hosted almost entirely on Microsoft Azure. Because he gets big (and I mean: big!) traffic spikes every time the whole password-hack thing hits the headlines, he's got a really nice, uncomplicated case study in what it actually means for a businessperson to run a site that they have to pay more for, the more it's used. If you are minded to dive into his detailed findings, then you can read through them here: 


Two conclusions strike me almost straight away. The first is, I hope he doesn't have to pay a bean out of his own pocket to provide this global public service: If Microsoft have any PR smarts at all they should announce that he's a lifetime free Azure user, at the very least.

The second is that it's almost impossible to imagine a scenario where the same transparency of reporting of the whole exercise, from the sources of the lists, to the databases used to secure his "white hat hacker" copies, to the way he codes the queries and then doesn't keep the data from the names that have been tested, could be presented in such an easy win-win fashion. There's no part of this in which the usual commercial secrecy and corporate Wise Monkey approach serves anybody's interests, and that makes for a much more persuasive and followable demo of Azure and the monitoring tools he's using than any number of empty contoso.com examples.

Job well done, sir.
