
Posts

Showing posts from December, 2018

A word about my Have I Been Pwned package

Yesterday evening I posted a tweet about improving user-entered passwords using Troy Hunt's service Have I Been Pwned.

It went viral overnight with many likes and retweets. But I also got a ton of questions regarding the usage and the security of this package. It turns out many people are scared to send passwords over the internet and are afraid to just use a package (like mine) for password checking.

Just to give you an idea of how the Have I Been Pwned service works, I created this little diagram to visualise how I'm using the service.

A user enters their password in our registration or password renewal form. We create a SHA1 hash from it and send only the first 5 characters of that hash to HIBP. We get back a list of hash suffixes, each with a count of how many times that hash has been found in the HIBP database. On our server we look up the remaining characters of our hash against the list we received from HIBP, and if there's a match, we return the count to the user.

No passwords are sent in the clear ove…
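As an added illustration of the lookup just described (example code written for this page, not the author's PHP package), here is the client side of the k-anonymity exchange in Python, run against a constructed range response instead of a live call to the API. The only thing that would leave the server in a real deployment is the 5-character prefix in the request URL; everything else happens locally.

```python
import hashlib
from typing import Dict, Tuple

# Real endpoint of the Pwned Passwords range API; only the 5-char prefix is ever sent.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for prefix 5BAA6: one "<35-hex suffix>:<count>"
# line per entry. The second suffix is the genuine remainder of SHA1("password");
# the other suffixes and all counts are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
"""


def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the uppercase hex SHA1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def hibp_range_url(prefix: str) -> str:
    """Build the request URL; guard that nothing beyond the 5-char prefix goes out."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return HIBP_RANGE_URL + prefix


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, skipping anything malformed."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        # Defensive parsing: the response is untrusted input to our server.
        if len(suffix) != 35 or not count.isdigit():
            continue
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, range_body: str) -> int:
    """Match our hash suffix against the returned list; 0 means not found."""
    _prefix, suffix = split_hash(password)
    return parse_range_response(range_body).get(suffix, 0)


if __name__ == "__main__":
    prefix, _ = split_hash("password")
    # In production: fetch hibp_range_url(prefix) over HTTPS and pass the body below.
    print("request:", hibp_range_url(prefix))
    print("seen", pwned_count("password", SAMPLE_RANGE_RESPONSE), "times")
```

The parser deliberately drops lines that are not a 35-character suffix followed by a numeric count, so a garbled or tampered response degrades to "not found" rather than to an exception or a bogus count; whether "not found" should then block or allow the password is a policy decision for the registration form.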

The challenge for 2019 has just got real

I am a regular listener to the Security Weekly Podcast Network, which includes Hack Naked News, Business Security Weekly, Enterprise Security Weekly, Secure Digital Life and Application Security Weekly. I really love their shows, and over the years I've been listening to them I have learned a lot about business leadership, communication and security. If you're in tech, I can highly recommend listening to their podcasts. And since I'm always on the go, these are great shows to listen to while driving around.

But… and here it comes: for some reason they have a love-hate relationship with PHP, and their dislike of the technology is omnipresent in their shows. Particularly in Application Security Weekly they love to pick on PHP and blame it for all the evil that exists on the internet. On the one hand, I cannot blame them, since the strength of PHP lies in the fact that anyone can write a dynamic website within a few minutes. The downside is also that anyone can write a dynam…