Collective Intelligence Podcast, Troy Hunt on Changing Password Behaviors
By Mike Mimoso
Passwords, death, and taxes, none of them are ever going away. Even Troy Hunt has conceded as much.
Hunt’s Have I Been Pwned website recently turned 5 years old, and for much of that time it has been the definitive place for computer users to determine their exposure from data breaches. Have I Been Pwned is also a model for usability in security, enabling a free and clearly spelled out answer as to whether account information has been compromised, where, and how. Hunt hopes that it and its sister service Pwned Passwords continue to be the catalyst for improved behaviors online.
In this episode of the Collective Intelligence Podcast, Hunt discusses the brief but impactful history and challenges of running his site and not only how it’s grown into one of the top 5,000 sites on the Internet, but also how many critical web-based services have integrated its data via an API to improve privacy and security.
Hunt also discusses the latest iteration of the NIST guidelines for passwords which feature three recommendations: remove regularly mandated password changes, and complexity requirements, and finally, blacklist commonly used passwords or passwords known to have been compromised in breaches. Hunt cautions there is some nuance to the last recommendation—which can help deter credential stuffing attacks, for example.
Pwned Passwords has more than a half-billion passwords in its database, each with a prevalence next to it, Hunt explains, which should guide decisions as to whether to ban passwords compromised once in an obscure breach versus [email protected] which may show up in Pwned Passwords tens of thousands of times.
“My suggestion to people trying to implement this blacklist has always been to figure out where the sweet spot is” Hunt said in the podcast. “I defy anyone to tell me that password that has been seen 52,000 times should ever be used by one of their customers. Now a password that has been seen once, different story.”
Finding the right balance might be to set thresholds and present verbiage to the user that their chosen password might not be the best choice if it ticks a reasonable threshold. For passwords compromised fewer than 10 times, Hunt suggests perhaps silently flagging that record and in the event of a future account takeover attack, there might be an indication of a root cause.
Hunt also discusses the ease of use surrounding biometrics, such as Apple’s Touch ID and Face ID or numerous fingerprint readers authenticating users to laptops, all of which allow users to authenticate in front of others without having to hide a secret, such as a password.
Hunt also discusses the viability of password managers, and how they help slow down the scourge of password reuse across multiple online services, and closes with some words of the future of Have I Been Pwned.
The Collective Intelligence Podcast, presented by Flashpoint and hosted by Editorial Director Mike Mimoso, features regular interviews with a diverse set of industry experts and Flashpoint analysts on the latest information security news and industry trends.
Michael Mimoso brings over a decade of experience in IT security news reporting to Flashpoint. As Editorial Director, he collaborates with marketing, analyst, and leadership teams to share the company’s story. Prior to Flashpoint, Mike was as an Editor of Threatpost, where he covered security issues and cybercrime affecting businesses and end-users.
Prior to joining Threatpost, Mike was Editorial Director of the Security Media Group at TechTarget and Editor of Information Security magazine where he won several ASBPE national and regional writing awards. In addition, Information Security was a two-time finalist for national magazine of the year. He has been writing for business-to-business IT publications for 11 years, with a primary focus on information security.
Earlier in his career, Mike was an editor and reporter at several Boston-area newspapers. He holds a bachelor’s degree from Stonehill College in North Easton, Massachusetts.