Password Management for Dummies



Nearly two-thirds (63%) of confirmed data breaches involve weak, default, or stolen passwords, according to a major study. So it wouldn’t be surprising if, upon discovering that a not-so-secure password like 123456 were compromised and led to a breach, the user of this password declared, “Boy, that was dumb!”

For people like this and for countless others who don’t want their data and systems compromised as the result of poor password management, relief is here. It is in the form of a concise, comprehensive, and free booklet written for all of us “Dummies.” And you can get your copy of Password Management for Dummies here.

Helping Dummies for 26 years

Everyone is familiar with the 26-year-old Dummies series, launched in 1991 with the now legendary DOS for Dummies. How good are the books in this series? Windows for Dummies has sold more than 15 million copies in multiple languages across the globe. More than 200 million Dummies titles are in print, with the switch well underway now to digital download for distribution.

All of the nearly 3,000 titles in the Dummies series have one thing in common: They make the complicated very easy to understand and put into practical use. Password Management for Dummies continues with this noble and time-tested tradition.

The beauty of Password Management for Dummies is its conciseness and simplicity. The meat of the booklet is contained in 18 pages, and it is organized into five simple chapters. Perhaps the essence of this booklet’s importance is captured in the introduction, where it states, “No matter how much you have to do to protect your (digital) assets, it’s still much easier to prevent problems up front than it is to clean up the resulting mess if you are attacked.” When it comes to cyber breaches, truer words were never written.

A source for businesses and individuals

Further, the booklet is written both for individuals seeking to prevent unauthorized access to personal files and records and for small and midsize businesses. The booklet guides each of these user constituencies through a simple risk assessment before diving into a broader discussion of the importance of passwords in protecting data. Bad passwords are an open door to cybercriminals and the root cause of a majority of confirmed cyber breaches. Much of this section is reflected in a blog published earlier this year.

Given all the risks associated with poor password management by individuals and employees, Password Management for Dummies offers a candid assessment of the reasons behind bad password practices. In essence, it is just too difficult if not impossible for anyone to remember dozens of different, complex passwords needed for all the systems and sites people access without resorting to bad practices, like writing them on sticky notes or in spreadsheets.

What to look for in a great password manager

That is where Password Management for Dummies delivers its most valuable message, articulating the benefits of a trustworthy, established password management solution as well as the attributes to look for in such a system. Among these attributes are:

  • The option of using two-factor authentication, such as a password and a mobile phone alert PIN or biometric impression
  • Ability to keep track of all passwords and to automatically generate highly complex passwords that are virtually impossible to crack
  • Automatic encryption of passwords that extends to any data and files in transit that might be breached, such as videos, photos, and digital certificates
  • An encryption key that is available to the user and only to the user
  • Support for a broad range of operating systems and platforms such that the purchase of a new smartphone or laptop doesn’t necessitate using a different password manager
  • For an SMB, a management dashboard that enables an administrator to quickly and easily determine the relative strength of passwords employees are using without ever having actual access to those passwords
  • The ability to safely and securely share passwords among different employees
  • Help justifying the cost of a business password management system (they are broadly available free for individuals), based largely on reduced helpdesk time resetting forgotten passwords
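The second attribute above, automatic generation of passwords that are virtually impossible to crack, comes down to two things: drawing characters from an operating-system CSPRNG rather than a general-purpose random number generator, and making the password long enough that its entropy puts exhaustive search out of reach. The following is an added example (it is not code from the booklet or from Keeper) showing both: a generator built on Python's `secrets` module, plus an entropy estimate and a keyspace-search time at an assumed guess rate. The character classes, the minimum-length policy and the guess rate are assumptions chosen for the example.

```python
import math
import secrets
import string

# Character classes a generated password must draw from. This policy is an
# assumption for the example; the booklet does not prescribe one.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_~",
}
ALPHABET = "".join(CLASSES.values())  # 76 symbols


def generate_password(length: int = 20) -> str:
    """Return a random password of `length` characters containing every class.

    Uses `secrets` (OS CSPRNG), never `random`. Candidates missing a class are
    rejected and redrawn rather than patched, so every accepted password is
    uniformly distributed over the set of qualifying passwords.
    """
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES.values()):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to search the entire keyspace at the given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate (guesses per second)
    for n in (6, 12, 20):
        bits = entropy_bits(n)
        print("%2d chars: %6.1f bits, %.3g years to exhaust at %.0e/s"
              % (n, bits, years_to_exhaust(bits, rate), rate))
    print("example:", generate_password(20))
```

At the assumed rate a six-character password from this 76-symbol alphabet is exhausted in about twenty seconds, while a twenty-character one takes on the order of 10^20 years; the length is doing the work, not the symbol set.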

Cyberthieves count on a continuation of bad password practices. Keeper Security analyzed 13.5 million passwords compromised in data breaches in 2016. The three most common were 123456, 123456789, and 12345. An easy path to far better and easier cybersecurity is just a click away.

How to Keep your Smart Phone Safe and Personal


Keep your Smart Phone Safe

George Orwell’s 1949 classic 1984 painted a dark picture of a dystopian society in which a malevolent government monitors everything its citizens say and do through a ubiquitous network of “telescreens.” What was science fiction in Orwell’s day is reality now, thanks to technology that billions of people carry around in their pockets.

Smartphones are capable of all the scary surveillance scenarios Orwell envisioned, and many more. With their built-in GPSs, cameras, microphones and connectivity to a world of cloud services, they are the best snooping devices ever invented. Knowing the scope of the threat they can pose can help you protect yourself.

Mobile devices haven’t been considered a major threat factor until recently because criminals could make more money breaching credit card and health care databases. But with the street price of those records plummeting, criminals are now turning more of their attention to attacking individuals. The explosion of ransomware attacks in 2016 is evidence of that.

While there have been few reported incidents of cyber attacks on individual smartphones so far, the threat is real. The issue gained prominence recently with the news that President Donald Trump was using an old, consumer-grade Android phone during his first week in the White House. Wired noted that a single click on a malicious link could have caused the phone to be “infected with malware that spies on the network the device is connected to, logs keystrokes, takes over the camera and microphone for surreptitious recording, and more.”

Andrew Hoog, CEO of NowSecure, a mobile security company, has been demonstrating for the past three years simple ways to compromise a phone and download contacts, intercept and respond to text messages, activate the camera and microphone and track the device’s whereabouts to within a few feet – all without the owner’s knowledge.

“We always tell customers to assume that your mobile platform is exploitable,” Hoog noted in this webinar. He said iOS and Android are equally vulnerable.

Hacking phones still isn’t all that difficult. The BBC last year challenged two cyber security experts to rig up code that let them activate the microphone on a compromised Android phone and automatically transcribe overheard conversations. They met the challenge in less than two days.

Google and Apple have acted quickly to catch many of the most obvious vulnerabilities, but they can’t stop risky user behavior or third-party applications. NowSecure’s 2016 Mobile Security Report found that nearly one quarter of mobile apps it audited include at least one high-risk security flaw and 35% of communications sent by mobile devices are unencrypted, meaning that they can be intercepted by an intruder.

Phones present a variety of unique vulnerabilities that aren’t common to laptop or desktop computers, and new features create new tripwires. Last year a team of researchers figured out a way to embed garbled voice commands in YouTube videos that could command the phone to perform certain risky actions, such as downloading malware. With voice-enabled virtual assistants now ubiquitous, this is another scary new vulnerability point.

This video shows in frightening detail how simple it is for an attacker with root access to an Android device to use Metasploit, a popular brand of penetration testing software, to take full control over the full set of phone functions, including sending text messages, capturing photos and initiating chat sessions. All in less than two minutes.

So is it time to ditch the phone, go off the grid and move to a cabin in Montana? Don’t panic yet. The cyber underworld hasn’t seemed very interested in exploiting these opportunities, at least not yet. But that could be changing. Ransomware attacks targeting Android phones grew 50% in 2016, according to ESET, LLC. There are some basic steps you can take to foil all but the most determined attackers.

Enable password security. This seems like a basic practice, but a recent survey of 1,000 mobile device users by Keeper Security found that 32% don’t enable password protection at all. Failing to take this basic step with a device that is easily pilfered from a pocket or purse is as bad as going on vacation and leaving your front door standing open. An even better practice is to enable two forms of security, such as a password accompanied by a PIN or fingerprint.

Don’t install applications from untrusted sources. This is particularly important for Android users, since protection can be turned off with a single switch. Limit downloads to known app stores or branded organizations that you know and trust.

Check permissions before installing an app. Some ask for a ludicrously high level of access compared to the functionality they provide. Should a flashlight app really have access to your phone? Think before you permit.

Don’t click links in texts unless you know the sender. Smartphones are uniquely vulnerable to phishing attacks because a sender can transmit a link by sending a text to the victim’s phone number, thus evading spam filters. Attackers may pretend to be trusted sources, such as your bank or pharmacy. If you aren’t certain of the source, don’t click the link.

Use Encrypted Messaging Services for Private Conversations – There are several free applications available for both iOS and Android that permit you and those close to you to send and receive text messages protected by powerful encryption. If your conversations may involve sensitive personal information, download and install one of these apps and ask your friends to do the same.

Don’t conduct sensitive transactions over an open Wi-Fi network. You have no way of guaranteeing that banking or credit card information is encrypted. Use public Wi-Fi only for browsing.

Don’t use public charging stations. Once you plug your phone into a USB port, an attacker can download files, install malware and monitor your keystrokes. A recently discovered threat called “video jacking” even enables them to get a peek at your phone’s display and to record everything you tap, type or view. You can avoid this risk by investing $30 in your own portable charging device.

Don’t make your Bluetooth connection discoverable. This opens you up to the risk of “bluesnarfing,” which enables the attacker to gain access to any information or service on the device without your permission.

Orwell envisioned 24X7 surveillance as something to be imposed from the top down. He probably never envisioned that we would make ourselves vulnerable to intrusion so willingly. That would have been too strange even for science fiction.

Keeper Mobile Survey Finds Security Awareness is High, but Use of Security Apps is Lagging


Smartphone users approach security much as they do on their desktop computers. This can be a problem, given the unique vulnerability of a smartphone – the small computer that fits in your pocket. Today, nearly 2.3 billion people use a smartphone.

Keeper conducted a detailed survey of 1,000 smartphone users to determine how they protect their devices and sensitive data. Our findings indicated that password reuse across different applications is frequent, average password strength for mobile applications and websites is low and that most users rarely changed passwords. Additionally, survey respondents rated their overall “trust” in the security of mobile carriers as being low.

Here are the highlights of the survey in an infographic.

The good news is that the risky practice of sharing passwords with others – a bad idea regardless of the platform – is relatively rare. Nearly 64% of respondents said they never share passwords, and another 29% said they share them with no more than two people.

We were also surprised to find that the practice of resetting passwords is quite common. More than 80% of responders said they have reset a password at least once within the last 60 days. Frequent password resets are considered one of the best ways to foil prospective intruders.

But the practice may be driven more by necessity than by security awareness. We were surprised to find that 52% of respondents said they store passwords by remembering them. While that tactic is neither reliable nor secure, it’s better than writing passwords down on paper, a practice employed by a sizable 23% of our survey-takers.

When they forget a password, more than three-quarters of mobile users told us they can usually access their account in four or fewer attempts. Ten percent reset their password every time they log on, an awkward but effective practice.

Use of social media authentication – also called Open Authorization or “OAuth” – is common. More than three-quarters of the users we surveyed use OAuth on at least one service, and 45% use it on three or more. While OAuth rocks for convenience, it also may potentially expose personally identifiable information to third-party applications, so be careful.  

Technology is there to help, but many people don’t use it. We were surprised to find that 55% of smartphone owners have never downloaded protective software. Of the 45% who have, more than half have used an antivirus or anti-malware solution.

Reuse of the same password across multiple applications is quite common, with nearly 84% of users telling us that they access at least two different applications or websites with the same credentials. We commend the 16% who said they never engage in this practice. On the other hand, the 24% who reuse passwords across a whopping five or more applications are playing with fire. We’re also concerned about the 32% of respondents who said they don’t password-protect their phones at all. This is particularly risky behavior because hackers can turn compromised phones into listening devices or use them to track the location of the phone’s owner via the integrated GPS.

People are generally aware that they’re responsible for protecting their own information. A 46% plurality said their mobile device is the least secure device they use, followed by computers at 41% and tablets at distant third at 17%. By that logic, you would expect that people would regard tablets as their most secure devices. But that honor falls to computers, which 52% regard as their most secure device. Strangely, tablets came in a distant third here as well, at 15%.

Bottom line: Mobile devices require just as much security vigilance as desktops. Our survey indicates that people know that, but they’re not getting the mobile tools that can guarantee peace of mind.

Limited Time Offer: Get 50% Off Keeper Unlimited as Part of the iTunes App Store Promotion


Apple has selected Keeper for a 50% off worldwide promo, on all of its app stores in all countries.

Plans covered include Keeper Unlimited and the Keeper Family Plan. Here’s how to take advantage of the promotion:

Step 1: Download Keeper on the iTunes App Store

Step 2: Upgrade via iTunes for 50% off

Hurry – this 50% off worldwide offer with Apple expires on March 4th at 6 pm PST. 

Keeper is Not Affected by Cloudflare Issue


This week it was revealed that the content delivery service provider, Cloudflare, was affected by a systemic vulnerability that leaked sensitive information from secure HTTPS connections. While the actual manifestation of the bug that caused the leak at first glance may seem relatively small, affecting an estimated 0.00003% of all requests to the Cloudflare service, this still represents a relatively large amount of data considering that Cloudflare serves traffic for over 5.5% of all websites.

To make matters worse, some of this data has been leaking for months, and some of it was cached by Google, Yahoo, Bing and other search engines. The impact of this vulnerability on Cloudflare’s customers and users could stretch on for months or years as more leaked data is discovered by cybersecurity researchers and hackers alike.

Keeper does not utilize Cloudflare or any other distributed content delivery network for the delivery of encrypted user data and, therefore, was not impacted by the Cloudflare vulnerability. Keeper is a zero-knowledge security provider – the keys to decrypt your data are always derived on the end-user device from the master password and are never transmitted over the internet. This helps ensure that, even in the event of a data leak occurring in the transport layer, your data will remain secure.

Keeper Customer Profile: Philip Leech-Ngo



PDF version here.

Cyber security becomes more important every day as hackers continue to target users for personal information that can be sold for a profit on the dark web. With more than 10 million consumers engaged with Keeper on a daily basis, we thought it would be a good idea to find out a bit more about our customers and share how Keeper helps simplify and protect their digital lives.


Why did you start using Keeper?
I’ve always found Keeper useful, but it really came into its own over the past year or so. I’ve just moved from the UK to Canada. That meant I had to set up a whole host of new accounts and online profiles to go with new job, new bank, new phone, etc. etc., not to mention all sorts of secure documentation that I needed to keep safe during the transition. Keeper was absolutely brilliant for this. Not only did it keep my info secure, the fact that it is so convenient to use and that it integrates so naturally into my workflow made life a lot easier and less stressful than it could have been. I’m looking forward to seeing how Keeper continues to innovate, improve and adapt over time so that it carries on helping keep my life that little bit simpler… though I’m glad to say that I don’t think I’ll be moving to another country anytime soon!

How many passwords does Keeper store for you?

What are two benefits you get from utilizing Keeper?

1. Convenience
2. Security across platforms

Anything else that is noteworthy?

The fingerprint scanner on the phone is brilliant!

Why did you decide to start using a password manager?

About 3-4 years ago. I started with a free version, but Keeper’s reputation and ability to work cross-platform persuaded me to move over.

What kind of files (e.g. passport, credit card numbers, photos, license, etc.) do you store in Keeper’s encrypted vault?

Lots and lots of web-passwords and banking info. I found it very useful for keeping lots of important personal information securely given my recent experience immigrating.

What is one thing you would recommend to a new Keeper user?

Let it integrate organically with your workflow. i.e. use the browser plug-ins etc. to set and keep passwords as you normally would. You will see the benefits very soon without any hassle.

What features would you like to see added to Keeper in future versions?

Integrate with Mac OS keychain etc. so it can remember things like the Apple password. Also, use the phone to unlock the desktop application, a bit like Google does.

The Critical Elements of an Incident Response Plan for SMBs



If you work at a small or midsize business (SMB), you must presume that your organization will fall victim to a cyber attack. It is imprudent to do otherwise, given that a major study of SMBs last year found that half of all SMBs suffered data breaches involving customer and employee information in the past 12 months.

No doubt your organization has taken steps to detect and deter cybercrimes. But has your organization put in place a detailed, predetermined incident response plan for if/when a serious breach occurs?

The fact is that the responses coming from your organization both during and after an attack are as vital to the SMB as what your IT team does to restore your systems and services. But many organizations today, even big enterprises, lack a formal incident response plan. The potential damage of not having a plan can be as devastating to the organization as the attack itself.

Consider this. Following its discovery of a major breach of 500 million user records in 2014, Yahoo’s response was silence. Not a word. That data was subsequently put up for sale on the dark web. When finally the company had to go public with the breach last September, the damage to its reputation was incalculable.

Execs untrained in crisis management. One reason so many organizations get incident response wrong is that the top-level executives who determine this response are usually untrained when it comes to crisis management. It isn’t often they have to make potentially game-changing decisions in real time. Instead, their usual method of dealing with a crisis is to gather lots of information from lots of sources; review it all with lots of other people; and eventually respond – in days or weeks or, in some cases, not at all.

That is precisely why preparing a cybercrime incident response plan has to be on the agenda for all organizations, regardless of size. Here below are some of the critical elements to consider when building such a plan.

Start by thinking of companies that got incident response right. Those of you old enough to remember will recall the Tylenol scare of 1982 when someone tampered with bottles of the pain reliever, resulting in several deaths. Tylenol’s maker, Johnson & Johnson, acted instantly to remove all Tylenol from store shelves, even though there was no evidence of any manufacturing problems. The company was widely hailed for its instant response, despite potential risks to its reputation.

Put someone in charge, before the fact. When a cybercrime or attack is detected, some predetermined individual needs to be the “point person” in charge of gathering all information on the attack, reporting and updating in plain language to the executive team, and coordinating the overall response. This could be the top IT person or data security chief, depending upon the size of the SMB and its technology staff. This person may or may not be the individual who becomes the public “face” of the company, but this public “face” needs to be determined in advance as part of the incident response plan.

Undertake a risk assessment of your data. There have been major breaches of data that is mostly or largely worthless to cybercriminals, such as data that is carefully encrypted or data of little or no strategic value. Other data, such as customer information and passwords, intellectual property files, or personal health information (PHI) is potentially highly valuable to thieves, and the theft of which can be very damaging to the organization. So when there is a successful breach, a key part of the incident response plan is matching the response to the importance of what has been hacked. This risk assessment needs to be reviewed periodically as new data and files are captured on the SMB’s systems.

Know the laws about breach disclosures. In the 50 U.S. states there are 47 different security breach disclosure laws. If you are located in one state but do business in several others, you must be aware ahead of time of each state’s disclosure laws that determine what you must disclose following discovery of a breach and how soon you need to do so.

Respond quickly and decisively after an attack. Have different parts of your plan for responding to your customers, your suppliers, your lawyers, and even to the greater public and possibly government regulators. Prioritize and properly escalate these different responses. Be certain to disclose new information as you receive it. And of course be ready to show that your SMB has taken steps—beefing up firewalls, network security and password management—to prevent a similar attack in the future.

Having a fully documented incident response plan can be very helpful in the event of litigation following a breach, as such a detailed plan can serve as proof the company was as prepared as it could be for a breach. In addition, insurance underwriters might consider discounts for companies with such a plan for handling an attack. Apart from these considerations, an incident response plan just makes sense given the great likelihood of a successful breach all SMBs face these days.

What the Most Common Passwords of 2016 List Reveals [Research Study]



By Darren Guccione, Co-founder and CEO of Keeper Security

Looking at the list of 2016’s most common passwords, we couldn’t stop shaking our heads. Nearly 17 percent of people are safeguarding their accounts with “123456.” What really perplexed us is that so many website operators are not enforcing password security best practices.

Using external, public data sources we scoured 10 million passwords from data breaches that happened in 2016. A few things jumped out:

  • The list of most-frequently used passwords has changed little over the past few years. That means that user education has limits. While it’s important for users to be aware of risks, a sizable minority are never going to take the time or effort to protect themselves. IT administrators and website operators must do the job for them.
  • Four of the top 10 passwords on the list – and seven of the top 15 – are six characters or shorter. This is stunning in light of the fact that, as we’ve reported, today’s brute-force cracking software and hardware can unscramble those passwords in seconds. Website operators that permit such flimsy protection are either reckless or lazy.
  • The presence of passwords like “1q2w3e4r” and “123qwe” indicates that some users attempt to use unpredictable patterns to secure passwords, but their efforts are weak at best. Dictionary-based password crackers know to look for sequential key variations. At best, it sets them back only a few seconds.
  • Email providers don’t appear to be working all that hard to prevent the use of their services for spam. Security expert Graham Cluley believes that the presence of seemingly random passwords such as “18atcskd2w” and “3rjs1la7qe” on the list indicates that bots use these codes over and over when they set up dummy accounts on public email services for spam and phishing attacks. Email providers could do everyone a favor by flagging this kind of repetition and reporting the guilty parties.

We can criticize all we want about the chronic failure of users to employ strong passwords. After all, it’s in the user’s best interests to do so. But the bigger responsibility lies with website owners who fail to enforce the most basic password complexity policies. It isn’t hard to do, but the list makes it clear that many still don’t bother.
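The complexity policy that the last paragraph says website operators fail to enforce is not hard to write. The following is an added example (it is not code from the study or from Keeper) of a server-side password check that rejects the three failure modes the list above exposes: passwords of six characters or fewer, entries on a breach-derived blocklist, and the keyboard walks that dictionary crackers try first, both straight runs such as “1234” or “qwer” and alternating-row walks such as “1q2w3e4r”. The minimum length of 8, the small blocklist (seeded only with passwords quoted on this page) and the detection thresholds are assumptions chosen for the example; a deployment would load a full breach list.

```python
import string

MIN_LENGTH = 8  # assumed policy minimum; the study only flags six or fewer

# Blocklist seeded with entries quoted from the 2016 list above. A real
# deployment would load a much larger breach-derived list.
COMMON_PASSWORDS = {
    "123456", "123456789", "12345", "1q2w3e4r", "123qwe", "qwerty", "password",
}

KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
SEQUENCES = KEYBOARD_ROWS + [string.ascii_lowercase]


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if `pw` contains `run` consecutive keys from one keyboard row or
    the alphabet, forwards or backwards (e.g. 'qwer', '4321', 'abcd')."""
    p = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            for i in range(len(s) - run + 1):
                if s[i:i + run] in p:
                    return True
    return False


def has_interleaved_walk(pw: str, pairs: int = 3) -> bool:
    """Detect alternating-row walks like '1q2w3e': every other character
    advances along one keyboard row while the rest advance along another."""
    p = pw.lower()
    for i in range(len(p) - 2 * pairs + 1):
        evens = p[i:i + 2 * pairs:2]      # characters i, i+2, i+4 ...
        odds = p[i + 1:i + 2 * pairs:2]   # characters i+1, i+3, i+5 ...
        if (any(evens in row for row in KEYBOARD_ROWS)
                and any(odds in row for row in KEYBOARD_ROWS)):
            return True
    return False


def check_password(pw: str) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    if pw.isdigit():
        problems.append("digits only")
    if has_sequence(pw) or has_interleaved_walk(pw):
        problems.append("contains a keyboard or alphabet sequence")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: three entries from the list, one strong value.
    for candidate in ("123456", "1q2w3e4r", "123qwe", "Kx7!mP#2vQ9&Lt"):
        verdict = check_password(candidate) or ["accepted"]
        print("%-16s %s" % (candidate, "; ".join(verdict)))
```

The walk detectors are deliberately cheap substring scans; they catch the patterns named in the list without needing a dictionary, and the blocklist covers everything else a cracker would try before brute force.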

Here are the results and additional analysis of the study:



Methodology and other notes:

  • This study included 10M passwords across a variety of data breaches that occurred in 2016 (Breaches that were announced in 2016, but actually occurred prior to 2016 were not considered for this study)
  • Outliers (passwords that only appeared in 1 breach) were not considered for this study
  • The password “mynoob” only occurred in two breaches, which were gaming-related sites
  • The speed of a successful brute force attack depends on processing power
  • Keeper is zero-knowledge and has no access to user data (therefore Keeper data was not used in this study)

Security Life Hacks for the New Year



The new year is the time for resolutions, and what better way to enhance your peace of mind than to resolve to improve security? Here are some life hacks – or strategies to manage your life more efficiently – that you can adopt to improve online security, safeguard your home and protect your personal information. All are free or cost only a nominal amount.

Adopt two-factor authentication

If you read this blog regularly, you know about the benefits of using two-factor authentication (2FA). Adding a second layer of protection via a challenge question, hardware device or code sent to your mobile phone improves security by orders of magnitude.

The number of online services that use 2FA is still abysmally low, but it’s growing. The crowdsourced Two Factor Auth list tells you which websites support 2FA and what tools they use. For those that are still stuck on simple password protection, there are links to Facebook, Twitter and email accounts you can use to encourage them to get on the ball. The transportation industry still has a lot of work to do.

See if you’ve been compromised

With online credential theft now nearly an everyday occurrence, you can never afford to be complacent. These four sites help you learn if you’re a victim.

  • Have I Been Pwned? is a database of nearly two billion credentials from more than 165 hacked websites and password files. Plug in your email address and find out if your username and password may be in play. The site won’t fix the problem, but at least you’ll know where you may be vulnerable.
  • BreachAlarm is a similar service that includes a subscription component to notify you immediately if your name shows up on a compromised list.
  • Sucuri is great if you own one or more websites. Plug in the URL and it’ll scan your site for malware and also check you against blacklists.
  • The Internet of Things Scanner checks your internet-connected devices against the Shodan IoT database. If your devices are there, they’re accessible to the public – and to criminals.

Change of habit

  • Do you use public Wi-Fi in a coffee shop or library? If so, there’s a good chance the connection isn’t secure and someone sharing the network can steal your keystrokes. At the very least, make sure you use the “public network” option when connecting, turn off sharing and enable your firewall. Here’s an excellent tutorial on how to stay safe on public Wi-Fi.  
  • What would you do if your wallet and all your credit cards were lost or stolen? It takes hours to track down all those account numbers and call all those customer service numbers. Save yourself the hassle by scanning the front and back of each credit card and emailing the scans to yourself. Use the subject line to identify the credit card and you will never have a problem looking up the account or 800-number.
  • A Redditor suggests that you change the way you think about security challenge questions. It’s so easy these days for attackers to find out information about you that details like your mother’s maiden name or your high school mascot are no longer very effective. Instead, treat them as a second password by adding numbers or gibberish letters that make your answers impossible to guess. Or choose a response that makes no sense as an answer to the question. Was your first pet really named Hong Kong?
  • Create an email address on a public service like Gmail or Hotmail that you use just for filling out forms on sites you never want to hear from again. You can then create an email filter that sends all communication to that address directly to a separate folder or the trash. Or if you really never want to hear from the site again, use 10 Minute Mail to create a temporary, self-destructing email address.
  • Never store credit card numbers on e-commerce sites. The minor convenience you gain is more than offset by the risk of having the customer database hacked.

Protect your privacy

  • When was the last time you reviewed your privacy settings on social networks? Cybercriminals love social profiles because they serve up all kinds of information that can be used to hack online accounts and even tip off burglars when you’re not home. has links to the privacy pages of most of the major social networks. It also shows you what the world sees when it looks at your public Facebook page. And it has a cool list of search engines that will show you what’s out there about yourself.
  • Here’s a great idea from Reddit for how to find out who’s selling your information. When you fill out a web form, use the name of the website as your first or middle name. That way you’ll immediately know who’s responsible for spam or unwanted promotions.
  • How much do you love telemarketers and robocallers? We thought so. Ban them forever by signing up at Nomorobo. The service keeps a massive list of known telemarketing sources and automatically sends their calls to a voice message telling them to get lost. A single landline is free.

Physical Security

  • If you’re going away on vacation for two weeks, don’t brag about it in public on Facebook. If you just can’t resist, at least review the post privacy settings to limit visibility to your close friends.
  • While you’re away, make sure your house looks lived in. Have your mail held and lawn mowed. Leave on a couple of lights and a TV or radio. Ask a neighbor to park a car in your driveway. Ex-burglars say that’s one of the most effective deterrents you can use.
  • If you want to really get fancy, trace the outline of a body on a large piece of cardboard. Cut it out and lean it against a chair or window. Close the blinds and it’ll look like you’ve got your own personal security guard.
  • Even if you don’t have a home security system, you should put up signs and stickers saying that you do (you can easily buy them online). You’ll make burglars think twice. Throw in a couple of “Beware of dog” signs while you’re at it.

Have You Been Pwned? Troy Hunt Will Help You Find Out


If you visit Troy Hunt’s website – Have I Been Pwned – and read the often-voluminous posts on his blog, you might think he has time for little else. But the sites are just a sideline for Hunt, an Australia-based Microsoft Regional Director and MVP whose primary business is training security professionals.

Have I Been Pwned is a free resource that people can use to find out if they have been put at risk due to a data breach. As of this writing, it includes authentication data from 166 compromised websites and nearly two million accounts. Type in your email address or username and find out if you’ve been a victim (the site stores no passwords).

Hunt launched the site after 153 million Adobe accounts were breached in late 2013. He noticed that the same accounts – and passwords – were showing up across multiple incidents. He began acquiring usernames of accounts that had been compromised so people could easily learn if they’d been victimized.

Have I Been Pwned gets tens of thousands of visitors each week, and Hunt’s mailing list is approaching one million names. He uses the insight he gains from the constant back-and-forth with visitors and contributors to improve his coursework and build his profile as a security expert. It’s working; Hunt has been quoted dozens of times in global media outlets, and his blog is a must-read for people who care about cyber attacks.

We caught up with him via Skype.


This site would appear to require a huge time commitment on your part. How do you fit it in with your day job?

It’s complementary to my main business of security training. Companies tell me their goal is not to end up on the website! The time commitment can be as much as a day each week, but I also get a lot of useful information. Recently, I got 75 notifications of new breaches in one day.

For example, I learned about a big data leak at the Red Cross Blood Service in Australia that was caused when someone inadvertently published information from a database on a public web server. The same week there was another incident with a major international brand having data exposed on a website because of a partner screw-up. This is the type of thing that comes in multiple times a day.

Why do people share this information with you?

They have all kinds of motivations. I get answers varying from exploiting the company to getting a leg up on a competitor to wanting to sell the data. Very often, no one thinks there’s anything wrong with what they’re doing. I want to tell them that they should go to their room and think about it a bit. They’ve got their hands on deeply personal information and they have no idea what that means.

Where do you get your source material?

It’s almost always someone sending me data. Some people send me dozens of files or a link to a folder with huge amounts of compromised data. Often that data is fake, so I troll through and try to verify it. Other times I get data that’s broadly redistributed – like the Ashley Madison database.

Are you surprised by the reactions from companies that have been breached?

The most positive reaction I’ve seen was from the Australian Red Cross. I got an appreciative call from the CEO. That’s what I like to see: ethical disclosure.

Then there are folks like Nissan, which had a vulnerability in their API that let attackers take control of their vehicles. At first, Nissan didn’t want to hear about it. They only came around reluctantly.

What response do you get from people who use the site to see if they’ve been pwned?

It’s 99.99% positive. I’m careful about what data I expose. You can’t search the Ashley Madison list, for example. I’m also careful not to reveal email addresses or passwords.

What has running the site taught you about the state of password security?

That some woeful practices are the norm rather than the exception. People defer to the lowest common denominator of password strength. There’s a prevalence of the “123” passwords.

Also, surprisingly few companies use multi-step verification, even though it’s a great protection against credential theft.

What is your opinion of the various alternatives to password security?

Nothing is without trade-offs. There’s password-less login via email, but emails can be delayed. QR codes can be used for authentication, but that’s asking people to do something they’re unfamiliar with. Whenever we ask people to learn an entirely new method, it’s a problem.

I love biometrics, picture logins and PINs on Windows 10. All are great, but none of them remove the underlying weakness of the password.

What do you think are the most effective steps organizations can take right now to improve security?

Better training, particularly for software developers. While I obviously have a vested interest in saying that, systems are nearly always compromised by a flaw in a process. If you give developers the knowledge to write secure programs, they’ll use it for the rest of their careers. So why pay a penetration testing company $20,000 if developers are just going to make the same mistakes again?

If you address problems when the software is being written, you get a massive benefit across the lifecycle. We understand how SQL injection and cross-site scripting work, but we still create so much stuff that’s vulnerable. The problem is education.

What has been the most rewarding aspect of running this site?

A big one has been the messages I get from people who say they wouldn’t have known about their exposure without it. I’ve also learned an awful lot about how breaches happen and about scaling a service to tens of thousands of users. One of my objectives has been to run the whole thing for less than what I spend on coffee. Using Microsoft Azure, I’ve been able to build something at scale and do it cost-effectively.

What have been the biggest surprises?

That I’ve never had any legal threats [laughs]. I suppose that’s because I’m transparent. I jump on the phone with anyone who’s concerned. The volume of interest has been a surprise. I now have about 830,000 verified subscribers, and I expect that to be one million by Christmas.

The amount of interest from enterprises and commercial vendors has been surprising, such as security companies wanting to make the API part of a commercial service. I’ve done some of these deals to build leverage.

What has the site done to your visibility in the security community?

After a large incident, I often get up to a dozen press calls. I get a lot of offers to speak, many of which I have to decline. That said, I’ve had five international trips this year that involved speaking.

How do you manage to blog so prolifically?

I get up very early. I often blog when I have an itch to scratch, such as when I took my iPhone in for service and they wanted me to unlock it so they could work on it. Or it’s something that I just find fascinating. I’ve found that when I write about something, I understand it better. It’s part of my learning experience as well.