Troy Hunt is the founder of the service Have I Been Pwned, a website that millions of people visit whenever there is a data breach. An internationally recognized expert in the field of cybersecurity, Troy took some time to speak with us about good passwords, bad passwords, and the challenge of having too many passwords. Among other fascinating subjects, he also discusses the often thorny and hotly debated issue of “victim blaming” when it comes to data hacks and leaks.
To people in the tech world, and especially to those in cybersecurity, you’re something of a household name. But for those who are less familiar, tell us a bit about yourself. Let’s start with your role with Microsoft.
Well, “with Microsoft” generally implies things that it’s not. Microsoft has given me a couple of awards and recognitions, one of which is the Most Valuable Professional, which is for technical expertise. And another one is a title called Regional Director, which sounds like I work for Microsoft, but I don’t work for them, I don’t have a region, and I don’t direct anything. But it’s a very nice title. But I do a lot of events and things. So next week, for example, I’ll be in Sydney talking about their technologies and how they let you build things on the cloud. But I am entirely independent. I spend a lot of my time speaking at events around the world and training people building systems to hopefully have them not get hacked.
Of course, your real claim to fame is as the founder of the website Have I Been Pwned, which is a data breach notification service that maintains an enormous database of usernames and passwords that have been revealed in data breaches. So users can go to the site, enter a credential, and see if it’s been compromised.
Right. Many people, when they [invite me to do a] training, say that they got me there to try and not be on my website. Have I Been Pwned is a service I started just over five years ago when I was back in a corporate job, actually working for Pfizer Pharmaceuticals. And about four years ago, I went independent as well as running Have I Been Pwned.
Some of our readers might think we’re repeatedly making a typo. Can you explain the word “pwned?”
Well, it’s one of these things that’s kind of emerged out of popular culture. The origins of it allegedly go back to someone mistyping the p key instead of the o key when they were typing “owned.” It was often used in the context of playing a video game. Like if I just fragged you, “Ha, ha! You’re pwned!” So it’s become a little bit of leetspeak, for want of a better term. And honestly, when I chose that for the name of the service, that was when it was a little hobby project that I thought a few friends would use. I didn’t expect it to be something that hundreds of thousands of people a day were using and seeing this strange word. But on reflection, I’m okay with it. Because it makes it interesting.
Speaking of the number of users, in January, you revealed the largest-ever public data breach by volume, with more than 21 million unique passwords exposed. What kind of impact did that have on the site?
I had absolutely unprecedented levels of traffic. We had 5 million-plus people a day coming to the site for a couple of days there and then it was sort of 2 or 3 million after that. But there was obviously one particular point where it got a huge amount of coverage and got into a lot of the media. And that tends to drive traffic in sometimes unpredictable ways, and in massive spikes, as well.
How do you maintain such a large resource and accommodate that kind of traffic?
One of the challenges of trying to maintain anything on the internet is, “How do you make sure that you can support large volumes of traffic and have the resources there when the flood comes, but not pay for things you don’t need when the flood is not there?” And it’s only particularly due to some of the more recent technologies Microsoft has launched that it’s actually made that possible for me. During that recent spike, I never once had to think about, “Will the site fall over? Will there be enough scale?” And I also never once had to think about, “Am I going to have to have a really awkward discussion with my wife about how much the hosting is costing?” So in spite of its nature, it’s really, really cost-effective to run something really large-scale like this. And supporting that volume of traffic is literally only costing me in the hundreds of dollars a month. That just simply wouldn’t have been possible if it was even a few years earlier than when I built it. Because this was a time where we had enough cloud computing come along that it made really large-scale implementations of databases and websites and things accessible at really, really low prices. So a lot of the Microsoft relationship I have is due to me using their platform as a bit of a showcase of how big you can make things for very, very little money. So I’ve got a lot of pleasure out of sort of saying, “How big can I make Have I Been Pwned while still keeping it at a ridiculously low cost?” And this is something that’s evolved over the last five-and-a-bit years, where I’ve gradually migrated things into other technologies that Microsoft has.
Let’s talk about cybersecurity a bit more conceptually, especially as it relates to one central recurring debate when it comes to data breaches. Certainly this came up in January when you exposed that big breach. Each time one of these things hits, we hear some people objecting to an emphasis in the press and elsewhere on individual behavior being the key to preventing breaches. You have people saying, “Why is the onus on us, as individuals? We’re not the ones getting hacked. It’s these huge companies to which we’ve entrusted our data.” What do you think about that point of view?
You know, I think there’s actually a fascinating discussion here about that. And I often hear this question asked in a very binary fashion. People are like, “Okay, who’s responsible? Is it the company or is it the individual? Tell me now! Which one? And then we’ll direct all of our anger there.” And the reality of it is that it’s not a binary situation. I wrote a blog post called “When Accounts Are ‘Hacked’ Due to Poor Passwords, Victims Must Share the Blame.” You know, there’ll be an account takeover. For example, someone prominent starts tweeting spam. And people are like, “Oh, Twitter’s been hacked.” And I’ll say, “No, the guy probably had a crap password. This is probably what happened.” And the hordes amass. And they descend on me and say, “You’re victim-blaming!” I was sort of playing with the “victim-blaming” term, and I wanted to write this piece because the term gets used in a very emotive fashion. We generally tend to think of victim-blaming these days as it relates to things like sexual assault, which of course is a very, very different can of worms to having an account taken over. And it almost seems that the emotion of something like sexual assault, which is usually a really, really clear-cut case in terms of where the blame lies, then sort of transcends through into this term about people’s personal security choices.
So, clearly the individual user plays a huge role here. What about the other side of the equation?
I’ve always phrased it as a shared responsibility. It’s something that we all have a role to play in. And when I say “we all,” I definitely mean the people building the system. You know, we have to make sure, for example, that we set people up for success with things like the passwords they choose. I am still amazed at the number of websites that say, “Hey, we’d like you to choose a password. Here’s a password strength calculator.” And then they will reject a long, strong password like a passphrase. Like if you were to take four totally random words out of the dictionary, the site will reject it because they say, “You don’t have an uppercase character.” You know? Which is just crazy. But then you can turn around and use the word “password” as your password so long as you capitalize the P and you change the a to an @ symbol and the o to a zero. Because now you’ve got uppercase, lowercase, eight characters long, and a non-alphanumeric character. These websites still let you do that. And people tend to then fall down to the lowest common denominator in terms of their personal security. That’s just one of many, many examples where websites have absolutely, positively got a role to play.
It’s crazy that that still happens.
Yes. When we hear that, we say, “Well, yes, of course, this is ridiculous. Why would you do that?” But look at it on the other side. It’s an enormously difficult challenge for a website when we say to them, “Someone might come to your site and have the correct email address and the correct password, but they are not the owner of those credentials. You shouldn’t let them log in.” That’s a really, really hard challenge. And I do have a degree of sympathy for websites that get hit with these credential-stuffing attacks [in which hackers use databases of known usernames and passwords from other sites in hopes that people have reused them on a site the hacker is trying to get into]. Now, of course the way to solve this challenge is to make sure that credentials taken from one place don’t work anywhere else. And the only way we can really reliably do that is for people to not reuse their passwords. This is the shared-responsibility component. You know, they need to make a personal-security decision.
So it’s not so much “blaming” the victim as acknowledging their responsibility.
Right. Particularly to folks who use the “victim-blaming” term, I always say, “Well, what do you do? Do you reuse your passwords? Do you use the same one everywhere?” And they’ll say, “No, of course not. I want to look after myself.” Well, you know, there you go. Like, “This is the point. You are empowered and you have control over this.” So, perhaps rather than say, “Look, you’re at fault,” which is probably technically correct but maybe doesn’t sit well with people, we need to put it around to, “You are empowered to decide what your security posture will be.” I use a password manager. I have long, crazy passwords to everything. I’m not going to be impacted by one of these attacks like we’ve seen with loads of reused credentials, because [my credentials are] just simply not going to work anywhere.
In your work with different companies, what have been some of the glaring examples where you’ve just been aghast at how much the companies themselves have dropped the ball in terms of their responsibility?
The immediate thing that comes to mind is I did a day of talks in a bank recently here in Australia. It was one of our big, core banks with billions of dollars’ worth of revenue. It was during a Cybersecurity Awareness Day. And they had all the posters up around all the walls, you know, “Make sure you always use strong, unique passwords.” All the stuff you see in any big enterprise these days. And I was chatting to the chief information security officer. And I was like, “Do you guys give people password managers? Like, is there a corporately ratified, approved password manager on the standard operating environment, on every desktop?” And he’s like, “No.” And I said, “Well, how do you expect them to actually meet this guidance?” You know? “How do you expect tens of thousands of people in this organization to meet the guidance that you put on the wall? Even in the corporate environment, people have dozens of different passwords because they have to use all these different online services and legacy internal systems and things.” And he was kind of a bit lost for words.
Why does that still happen?
Well, in the enterprise, you see a lot of legacy thinking. Things like, for example, password rotation. For the last couple of years now, we’ve had guidance from NIST in the U.S. and from the National Cyber Security Centre in the UK, saying, “Do not mandate password rotation.” Because when you force people to rotate their passwords, they dumb them down for ease of memory. I do these talks where I talk about the history of passwords, and I say to people, “Look. Here’s a very bad password that meets the minimum criteria.” It’s basically like “P@ssw0rd.” And I say to them, “You could go and set this in your company tomorrow and it would meet the criteria. But what’s going to happen in 90 days?” And everyone’s like, “Oh, it’ll ask me to change the password.” And I’m like, “Okay. So what are you going to do?” And everyone’s like, “I just add 1 to the number at the end.”
It’s amazing how predictable that is.
It is. Over the last couple years, we’ve seen more of a recognition that passwords and security are very much human-behavior issues as opposed to just mathematical issues. And what I mean by that is that the mathematics sort of says, “Look, if you have more character types of less predictable kinds and you use more of them, then the password will be more secure.” But like we just established, an all-lowercase four random words is going to be way stronger than eight characters with lots of different types. So it’s never really that cut-and-dry. It’s really interesting to look at how long it’s taken, particularly at enterprises where they have compliance officers with checkboxes and insurance obligations and things like this. It’s taken them a long time to catch up, and that really doesn’t help move us forward at the pace we’d like to.
You know, not to make excuses, but it seems like a lot of people are just overwhelmed. They might know, even consciously, “I shouldn’t reuse passwords. I shouldn’t use things like my name or my kid’s name or whatever. But jeez. It’s really hard to have a different password for every single different thing. Two-part authentication, that sounds complicated. And a password manager sounds even more complicated.”
I agree that it does feel overwhelming. And if it makes people relate any better, I struggle, myself. I really do. I look at the number of different accounts I have and the things that I’m trying to do with them, and it is a frickin’ mess. Let’s be honest. This is a hard thing to do. Then if you combine that with the sort of general apathy that people have, where at least until something bad happens to them, they just don’t care about it too much, I think it makes it even more difficult. Where I’m sort of seeing light, though, and positive changes, is particularly in more progressive organizations that are starting to recognize that what we need to do is try and change human behavior, rather than just try and enforce things in the workplace.
Can you give some examples?
Sure. If we kind of look back through the history of how we’ve tried to make passwords stronger, obviously there’s been the approach of uniqueness of character types and length and that sort of thing, which as we’ve discussed is frankly less and less relevant these days. One really good example of fresher thinking is products like 1Password, the password manager. They have an enterprise product they’re selling to companies so that you can control passwords centrally. When you buy that as an enterprise, everyone gets free personal licenses as well, totally detached from the enterprise, totally standalone. Their rationale was, “Look, what we need to do is we need to focus on people’s behaviors. People come into the office and they go home and they take their practices with them regardless of where they are.” And this really starts to look at things quite differently to the way it’s traditionally been, where we’ve sort of said, “Yeah, you’re at home and you only do home things. Then you go do work and you only do work things.” And it’s now starting to say, “Well, look. These are humans, and humans behave in a certain way and they take their habits with them. So let’s try and work on the humans more and improve things for them everywhere.”
That is an interesting way to address the behavioral side of it. What else have you seen companies doing to try to improve things at a real fundamental level?
There’s a bunch of different things. One thing which I’m finding works quite well, which I have a noncommercial vested interest in, involves Have I Been Pwned. There’s a concept called Pwned Passwords. There are 550 million passwords in this list that have previously been found in different data breaches. And there’s a lot of large companies now that use this list effectively as a blacklist, where they say, “Hey, if you want to come and sign up for our service, you can’t use this password because it’s been seen before.” There’s different shades of gray here, as well. So when I publish this list, I publish their prevalence. And if you go and look at “P@ssw0rd,” it’s been seen like 51,000 times before. I would argue that any organization should not let someone use a password that’s been seen more than 50,000 times in data breaches regardless of how mathematically strong the password is. Now, if it had been seen five times, should they? Well, that’s up to them to decide, and that will depend on the sophistication of their userbase and the value of the assets they’re protecting and any other mitigating controls that they have. But what I like about this Pwned Passwords concept is that it’s a really, really simple thing. You know, “Here’s a list of passwords that have been seen before. They’re going to be the ones that people try to break into your accounts with.” It’s really cheap to implement. It’s non-commercial. They can download the whole list and integrate it into their site. And there’s an online API that they can call with an anonymity model, and then they can integrate it into there. There’s now a whole bunch of large assets online that are using this. So you have things like EVE Online, which is a massive multiplayer game. GitHub, which has got a significant portion of the world’s code based on it. These services are now integrated with Have I Been Pwned and they use this list and they’ve stopped people using bad passwords. You know, that’s only part of what they do, but it seems to be working very well.
It makes total intuitive sense to use your data in that way.
One more thing on that, as well. There’s a company called Okta, and they’ve built a whole bunch of authentication things. They actually built an extension for Chrome, and I think there’s an add-on for Firefox, as well. When you go to a website and you enter a password, like when you’re registering or even logging on, they will actually check whether that password has appeared in breaches before. And again, they use an anonymity model. They never send me the password. And they can actually tell you there in the browser if it’s been seen before. So for your average, everyday user, that’s a really cool thing, because it works on every single site you use. The only frustrating thing about it is that if you go and log into your bank, and your bank only requires a PIN, or you log onto your frequent flier account and that only requires a PIN, it pops up every single time. Because guess what? Every single PIN ever – certainly every 4-digit PIN ever – has been in a data breach.
This has been fascinating. Any thoughts you’d like to leave us with?
I think the last thing I’d say is that whether cybersecurity is something that we take an interest in or not, it impacts all of us, because these days all of us have probably dozens of online accounts, if not hundreds in many cases. So it does impact us all. And if you get it wrong, it can be life-changing in some cases. It can have a really severe impact on people, particularly once we get into the identity theft realm. So what I’d suggest is that everyone just put aside a little bit of time to go and get themselves a password manager, maybe just create strong passwords on the most important things in the beginning. Make that investment. Turn on 2FA [two-factor authentication]. It is a time investment, but it’s a couple of hours. Do it on the weekend or something like that. Just get the ball rolling. Because it’s an easy thing to get started, and you can’t do it after it goes wrong.
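The interview above describes the Pwned Passwords “anonymity model” and a prevalence threshold (reject anything seen 50,000 or more times) without showing the mechanics. The following is an added example written for this page, not code from the interview, from Troy Hunt, or from Have I Been Pwned itself. It implements the client side of the range lookup as that service works: the password is hashed with SHA-1, only the first five hex characters of the hash are sent, and the 35-character remainder is matched locally against the returned “SUFFIX:COUNT” lines, so the full hash never leaves the client. To keep the script runnable offline, the network endpoint is replaced by a constructed in-memory stand-in (`make_fake_range_service`); the 51,000 count for “P@ssw0rd” is the figure quoted in the interview, while the PIN count and the filler entries are invented for illustration.

```python
import hashlib

# Policy threshold taken from the interview: a password seen 50,000+ times in
# breaches is rejected regardless of how "strong" it looks. Anything seen at all
# gets a warning; where exactly to draw the warn/reject line is the site's call.
REJECT_AT = 50_000


def sha1_upper(password: str) -> str:
    """Pwned Passwords keys its corpus by the upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hex_digest: str) -> tuple[str, str]:
    """k-anonymity split: the 5-hex-char prefix is sent, the 35-char suffix stays local."""
    return hex_digest[:5], hex_digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse a range response ("SUFFIX:COUNT" per line) into {suffix: count}.

    Malformed lines are skipped rather than trusted: the suffix must be exactly
    35 hex characters and the count must be a non-negative integer.
    """
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35 or not count.isdigit():
            continue
        try:
            int(suffix, 16)
        except ValueError:
            continue
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """Return how often `password` appears in the corpus, or 0 if never seen.

    `fetch_range(prefix)` must return the response body for a 5-char prefix.
    Only the prefix ever leaves this function; the suffix match is done locally.
    """
    prefix, suffix = split_hash(sha1_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_decision(password: str, fetch_range, reject_at: int = REJECT_AT):
    """Map a breach count to a signup/login policy outcome: accept, warn or reject."""
    n = pwned_count(password, fetch_range)
    if n >= reject_at:
        return ("reject", n)
    if n > 0:
        return ("warn", n)
    return ("accept", n)


# --- Constructed offline stand-in for the range endpoint (not the real API) ---
# The only real figure here is the ~51,000 count for "P@ssw0rd" quoted in the
# interview; the PIN count and the filler entries are made up for this example.
SEEN_IN_BREACHES = {"P@ssw0rd": 51_000, "1234": 12_345}


def make_fake_range_service(seen: dict[str, int], filler_per_range: int = 3):
    """Build a fetch_range(prefix) callable that mimics a range response.

    Every requested range also gets a few unrelated suffixes, since the real
    service returns hundreds per prefix, so the server cannot tell which one
    the caller actually cared about.
    """
    index: dict[str, list[str]] = {}
    for pw, count in seen.items():
        prefix, suffix = split_hash(sha1_upper(pw))
        index.setdefault(prefix, []).append(f"{suffix}:{count}")

    def fetch_range(prefix: str) -> str:
        lines = list(index.get(prefix, []))
        for i in range(filler_per_range):
            # Derive a plausible-looking suffix from an unrelated string.
            _, filler_suffix = split_hash(sha1_upper(f"filler-{prefix}-{i}"))
            lines.append(f"{filler_suffix}:{i + 1}")
        return "\r\n".join(lines)

    return fetch_range


if __name__ == "__main__":
    fetch = make_fake_range_service(SEEN_IN_BREACHES)
    for candidate in ("P@ssw0rd", "1234", "rhythm-vellum-canopy-glacier"):
        print(candidate, "->", password_decision(candidate, fetch))
```

Against the live service, `fetch_range` would be an HTTP GET of the range endpoint for the prefix; everything else stays the same. The example deliberately treats any non-zero count as at least a warning: a four-word passphrase that has already leaked is no longer unique, however good its character-class arithmetic looks.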
Troy Hunt is an Australian cybersecurity expert, and the founder of the popular website/service, Have I Been Pwned. He creates courses for Pluralsight and is designated as a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals. Find him on the web at troyhunt.com.
Copyright 2018 74&WEST LLC All Rights Reserved.
Do not reproduce without written permission from 74&WEST LLC.