GNU social JP
GNU social JP is a Japanese GNU social server.
Notices by Troy Hunt (troyhunt@infosec.exchange)

  1. Troy Hunt (troyhunt@infosec.exchange)'s status on Saturday, 29-Mar-2025 20:44:03 JST

    I'm writing up a blog post called "Passkeys for Normal People", which is a non-trivial exercise. For example, whilst LinkedIn "supports" passkeys, it doesn't seem to allow using them as a second factor *or* a sole factor, so you're still left with passwords and OTPs. Correct?

    In conversation about a month ago from infosec.exchange
  2. Troy Hunt (troyhunt@infosec.exchange)'s status on Wednesday, 19-Mar-2025 06:17:31 JST
    in reply to
    • Viss
    • Matthew Green
    • Dan Goodin
    • benjojo
    • cR0w :cascadia:

    @benjojo @dangoodin @cR0w @Viss @matthew_d_green I suggest the term “snooping” is the problem here. A huge part of the value proposition of any reverse proxy with WAF features (not just Cloudflare) is the ability to inspect traffic. By design, a service like this sits in a position where they can inspect traffic, and that’s a decision the site operator makes. Inspecting traffic then also provides the ability to report on it; I can pull back traffic stats based on the UA string, for example. There’s no explicit “consent” involved in people sending that data, just like there’s no explicit consent in them submitting a form with PII in it; it’s implied. It’s also up to the site owner to enable leaked credential check, who already has the ability to decide what happens to passwords submitted to their service whether CF exists or not: https://developers.cloudflare.com/waf/detections/leaked-credentials/

    In conversation about 2 months ago from gnusocial.jp

    Attachments

    1. Leaked credentials detection · Cloudflare Web Application Firewall (WAF) docs
       The leaked credentials traffic detection scans incoming requests for credentials (usernames and passwords) previously leaked from data breaches.
  3. Troy Hunt (troyhunt@infosec.exchange)'s status on Friday, 06-Dec-2024 23:26:59 JST

    A few years ago, I wrote a book. It was the culmination of my most important posts and the stories behind them. Writing this book also helped keep me sane during insane times, and as of today, I'm giving it away for free 😊 https://www.troyhunt.com/pwned-the-book-is-now-available-for-free/

    In conversation about 5 months ago from infosec.exchange

    Attachments

    1. "Pwned", The Book, Is Now Available for Free
       Nearly four years ago now, I set out to write a book with Charlotte and Rob. It was the stories behind the stories, the things that drove me to write my most important blog posts, and then the things that happened afterwards. It's almost like a collection of meta posts, each
  4. Troy Hunt (troyhunt@infosec.exchange)'s status on Wednesday, 04-Dec-2024 17:14:17 JST
    • Have I Been Pwned

    Today, on @haveibeenpwned's 11th birthday, I'm happy to welcome the Armenian National Computer Incident Response Team as the 37th government to have free and open access to their gov domains. More here: https://www.troyhunt.com/welcoming-the-armenian-government-to-have-i-been-pwned/

    In conversation about 5 months ago from infosec.exchange

    Attachments

    1. Welcoming the Armenian Government to Have I Been Pwned
       Today, we're happy to welcome the 37th government to have full and free access to domain searches of their gov domains in Have I Been Pwned, Armenia. Armenia's National Computer Incident Response Team AM-CERT now joins three dozen other national counterparts in gaining visibility into how data breaches impact their
  5. Troy Hunt (troyhunt@infosec.exchange)'s status on Monday, 29-Jan-2024 17:13:36 JST

    Y'know, I hate to say I told you so, but that "Mother of all Breaches" that hit the news last week ended up being exactly what I predicted it was. What will happen next is also predictable; it's uncanny just how much history is repeating: https://www.troyhunt.com/the-data-breach-personal-stash-ecosystem/

    In conversation about a year ago from infosec.exchange

    Attachments

    1. The Data Breach "Personal Stash" Ecosystem
       I've always thought of it a bit like baseball cards; a kid has a card of this one player that another kid is keen on, and that kid has a card the first one wants so they make a trade. They both have a bunch of cards they've collected over
  6. Troy Hunt (troyhunt@infosec.exchange)'s status on Thursday, 09-Feb-2023 19:17:25 JST
    • Have I Been Pwned
    • Stefán Jökull Sigurðarson

    Hey, it's full NTLM support in @haveibeenpwned's Pwned Passwords! We've had *heaps* of requests for this so @stebets has gone ahead and built it for you. That's now full parity with SHA-1 so you can query the k-anonymity API or just download 'em all: https://www.troyhunt.com/pwned-passwords-adds-ntlm-support-to-the-firehose/

    In conversation Thursday, 09-Feb-2023 19:17:25 JST from infosec.exchange

    Attachments

    1. Pwned Passwords Adds NTLM Support to the Firehose
       I think I've pretty much captured it all in the title of this post but as of about a day ago, Pwned Passwords now has full parity between the SHA-1 hashes that have been there since day 1 and NTLM hashes. We always had both as a downloadable corpus but
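    The k-anonymity API mentioned in the notice above lets a site check a password against the Pwned Passwords corpus without ever sending the password or its full hash. The following is an added example, not Troy Hunt's or Have I Been Pwned's own code: it reproduces the client half of the exchange against a constructed range response (a stand-in for the live `range/{prefix}` endpoint, so it runs offline), and takes the hash function as a parameter so the same prefix/suffix split applies to the NTLM hashes the notice announces.

```python
"""Client side of the Pwned Passwords k-anonymity range lookup (added example)."""
import hashlib
from typing import Callable, Dict, Tuple

PREFIX_LEN = 5  # only these hex characters of the hash ever leave the client


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 of the UTF-8 password, the corpus's original hash mode."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hash_hex: str) -> Tuple[str, str]:
    """Split a hash into the prefix that is transmitted and the suffix that is not."""
    h = hash_hex.upper()
    return h[:PREFIX_LEN], h[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> breach-count mapping."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str],
                hasher: Callable[[str], str] = sha1_hex) -> int:
    """Return how often the password appears in the corpus (0 = not seen).

    fetch_range(prefix) stands for GET .../range/{prefix}; an NTLM hasher
    (MD4 over UTF-16LE) can be passed as `hasher` for the NTLM corpus.
    """
    prefix, suffix = split_hash(hasher(password))
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)  # matching happens locally, on the suffix


# Constructed stand-in for the range response of prefix 5BAA6 (not real API data).
# The first suffix is the genuine SHA-1 tail of "password"; the second is made up.
FAKE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
0000AAAA1111BBBB2222CCCC3333DDDD444:2
"""


def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for the HTTP call; returns an empty range for other prefixes."""
    return FAKE_RANGE_5BAA6 if prefix == "5BAA6" else ""
```

    Because the server sees only a five-character prefix shared by many hundreds of hashes, a registration or password-change flow can call `pwned_count` and reject reused breached passwords without disclosing which one the user chose.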

    Troy Hunt

    Creator of @haveibeenpwned. Microsoft Regional Director and MVP. Pluralsight author. Online security, technology and “The Cloud”. Australian.

    Statistics: User ID 89867; member since 20 Jan 2023; 6 notices; daily average 0


          GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

          Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.