Security, Passwords and Data Breach Services – Troy Hunt

by Dr Nick


In the lead up to the BlackHat and DefCon conferences, I am talking to one of the leaders in the security space, the innovator who created and runs the outstanding security resource HaveIBeenPwned (HIBP): Troy Hunt (@TroyHunt). He is the author of multiple top-rated courses on web security on Pluralsight and a highly sought-after speaker.

The Ethics of a Data Breach Service

We talk about the journey to this point in his security career and how it all started in a hotel in the Philippines, where he built the solution in response to frustration with the security challenges he was facing. He has thought long and hard about the ethics of building a data breach service that could be used for nefarious purposes. In fact, like most things, you can find Troy’s thinking in detail and publicly available in one of his many insightful posts – in this instance “The Ethics of Running a Data Breach Search Service”. On balance, the good done by an incremental approach to security that lives in a simple, easily accessible database and UI is hard to beat:

Returning an immediate answer to someone who literally asks the question “have I been pwned?” is enormously powerful. The immediacy of the response addresses a question that’s clearly important to them at that very moment and from a user experience perspective, you simply cannot beat it.

But there are complicating issues, and Troy has worked, and continues to work, to reduce the risks associated with this database; he spends a lot of time and energy validating the breach data he receives.

Passwords are Here to Stay

Listen in to find out his top piece of advice on how you should be protecting your data and services in the age of the ever-expanding number of passwords – he, like other security experts (NIST, Bruce Schneier, etc.), is clear that password changes should not be mandated unless there is a reason to believe the password has been compromised (and minimum password length recommendations appear unscientific and wildly inconsistent), and that if you must enforce complexity rules you must also provide a way for the human brain to manage this (hint – this is not something our brains and memory are good at).

Make sure to hear his suggestions for businesses on how they should help their employees approach security and keep everyone well prepared, and the additional security requirement that should be included in every system being secured.

Listen live at 4:00 AM, 12:00 Noon or 8:00 PM ET, Monday through Friday for the next two weeks at HealthcareNOW Radio. After that, you can listen on demand (See podcast information below.) Join the conversation on Twitter at #TheIncrementalist.

Listen along on HealthcareNowRadio or on SoundCloud

You can also follow me here on Medium, on Twitter, or on Facebook, or sign up to receive my posts each week.
