
posted by chromas on Thursday June 13 2019, @12:55AM
from the betteridge-says-no dept.

After six years as a solo effort, Troy Hunt has found that he can no longer keep up with all the data breaches in his spare time. He's also aware that he has become a single-point-of-failure for an increasingly important service. He is, therefore, looking to sell his site https://haveibeenpwned.com/. News of this was relayed to users in a blog post and covered by threatpost in Troy Hunt Looks to Sell Have I Been Pwned:

Citing overwhelming demands on his time, Troy Hunt is looking for a buyer for his site, Have I Been Pwned (HIBP).

HIBP offers a free service for consumers wanting to know if their user names and passwords have been compromised in a data breach; it also offers commercial services that include alerts for members of identity-theft programs, enabling infosec companies to provide services to their customers, protecting large online assets from credential stuffing attacks, preventing fraudulent financial transactions, and giving governments and law enforcement assistance with investigations.

Hunt has been running the site for six years, and said in a posting on Tuesday that the sheer amount of breached information out there needing to be loaded into the database has accelerated to the point of outstripping one person's capability to keep up with it.

He noted that starting in January, with the massive Collection #1 data dump, his responsibilities in keeping HIBP afloat have spiked. This has led to him having to cut back on other things, like maintaining his social media presence on Twitter and writing technical blog posts. Even so, he's continued to travel and speak globally, upload weekly videos, and participate in industry and media events – resulting in something "very close to burnout," he said, as he tried to keep up with it all plus have a family life.

Here's hoping he can find an organization that will be as good a steward of the information as he has been.

  • (Score: 2, Informative) by shrewdsheep on Thursday June 13 2019, @08:37AM (5 children)

    by shrewdsheep (5215) on Thursday June 13 2019, @08:37AM (#855048)

    If the password hash is properly salted, how am I supposed to know the hash of my password?
    If the hash has been lifted, how does this imply my password has been pwnd?

  • (Score: 2) by pkrasimirov on Thursday June 13 2019, @09:48AM (2 children)

    by pkrasimirov (3358) Subscriber Badge on Thursday June 13 2019, @09:48AM (#855059)

    I think HIBP generates and publishes unsalted hashes from the plain-text passwords that have been pwned. You can read more here: https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity [troyhunt.com]
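The k-anonymity range query that the linked post describes, as an added example (not code from HIBP or from anyone in this thread): the client SHA-1 hashes the password, sends only the first five hex characters, receives every suffix in that bucket with its breach count, and finishes the comparison locally, so the full hash never leaves the machine. The range response below is constructed (the "SUFFIX:COUNT" line shape is the published one, the counts are made up); the live endpoint URL is taken from HIBP's public API documentation, not from this page.

```python
"""Client-side k-anonymity check against a Pwned Passwords range response."""
import hashlib
import urllib.request

# Constructed sample of a range response for prefix 5BAA6. Only the first
# suffix is real (it is the tail of SHA-1("password")); the other suffixes
# and all of the counts are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E2D0C8FE1A4B4C3D2E1F0A9B8C7D6E5F4A:2
1E9F3D3C0B1A2D4E6F8A0B2C4D6E8F0A1B2:17
garbage line without a colon
"""


def hash_password(password: str):
    """Return (prefix, suffix) of the uppercase hex SHA-1.
    Only the 5-character prefix is ever sent to the server."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; malformed lines are skipped."""
    counts = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def check_password(password: str, get_range) -> int:
    """Return how many times the password appeared in breaches (0 if absent).
    get_range(prefix) returns the bucket text; the suffix match happens here."""
    prefix, suffix = hash_password(password)
    return parse_range_response(get_range(prefix)).get(suffix, 0)


def offline_range(prefix: str) -> str:
    """Stand-in for the server that only knows the constructed bucket."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def live_range(prefix: str) -> str:
    """Fetch a real bucket (endpoint assumed from HIBP's public API docs)."""
    with urllib.request.urlopen(f"https://api.pwnedpasswords.com/range/{prefix}") as r:
        return r.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", check_password(pw, offline_range))
```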

    • (Score: 1, Interesting) by Anonymous Coward on Thursday June 13 2019, @12:58PM (1 child)

      by Anonymous Coward on Thursday June 13 2019, @12:58PM (#855109)

      Unrelated to the security of the service I find the following information interesting:

      The largest [number of stored password hashes with a given prefix] is 584 (hash prefixes "00000" and "4A4E8")

      The very fact that the prefix "00000" is most frequent actually makes me wonder if this indicates a weakness of that hash (the probability of that happening by chance is about 10^-12, that is less likely than winning the lottery jackpot two times in a row [I've taken the German "Lotto" for the comparison, but I guess most lotteries are in similar probability ranges]).

      • (Score: 0) by Anonymous Coward on Friday June 14 2019, @05:15AM

        by Anonymous Coward on Friday June 14 2019, @05:15AM (#855416)

        I'm wondering what statistical analysis you did to confirm that. Sure it is 106 more than the mean, but the smallest was 97 less. They could both be well within the distribution, given that there are 16^5 possible buckets for the hashes to fall into; especially since he didn't give the stdev in the original post
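The analysis the last reply asks for, worked through with the thread's own numbers as an added example (not from any participant): if SHA-1 spreads hashes uniformly, each of the 16^5 five-hex-character buckets is roughly a Poisson draw around the per-bucket mean. Taking the reply literally, the mean is assumed to be 584 minus 106 = 478; the tail probability of a bucket reaching 584, multiplied by the number of buckets, gives how many such buckets chance alone would produce.

```python
"""Is a largest bucket of 584 hashes evidence of a weak hash, or just chance?"""
import math

BUCKETS = 16 ** 5            # one bucket per 5-hex-character SHA-1 prefix
LARGEST_BUCKET = 584         # figure quoted in the thread
MEAN_PER_BUCKET = 584 - 106  # assumption: "106 more than the mean" taken literally


def poisson_tail(k: int, lam: float) -> float:
    """P(X >= k) for X ~ Poisson(lam); terms are built in log space so that
    large k does not underflow, and the sum stops once terms are negligible."""
    total = 0.0
    for i in range(k, k + int(40 * math.sqrt(lam)) + 2):
        total += math.exp(i * math.log(lam) - lam - math.lgamma(i + 1))
    return total


def z_score(k: int = LARGEST_BUCKET, lam: float = MEAN_PER_BUCKET) -> float:
    """How many standard deviations (sqrt(lam) for Poisson) k sits above the mean."""
    return (k - lam) / math.sqrt(lam)


def expected_buckets_at_least(k: int = LARGEST_BUCKET, lam: float = MEAN_PER_BUCKET,
                              buckets: int = BUCKETS) -> float:
    """Expected number of buckets holding at least k hashes under uniform hashing."""
    return buckets * poisson_tail(k, lam)


def prob_any_bucket_at_least(k: int = LARGEST_BUCKET, lam: float = MEAN_PER_BUCKET,
                             buckets: int = BUCKETS) -> float:
    """P(the largest of `buckets` independent Poisson draws is >= k)."""
    p = poisson_tail(k, lam)
    return -math.expm1(buckets * math.log1p(-p))


if __name__ == "__main__":
    print(f"z-score of the largest bucket: {z_score():.2f}")
    print(f"expected buckets >= {LARGEST_BUCKET}: {expected_buckets_at_least():.2f}")
    print(f"P(at least one such bucket): {prob_any_bucket_at_least():.2f}")
```

A single bucket at 584 is almost five standard deviations out, but with about a million buckets such an outlier is expected roughly once, so the maximum alone does not point to a weakness in the hash.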

  • (Score: 0) by Anonymous Coward on Thursday June 13 2019, @06:53PM (1 child)

    by Anonymous Coward on Thursday June 13 2019, @06:53PM (#855248)

    If you already have a reason to visit the site to check if you have been pwned, why don't you just change your password instead.

    • (Score: 2) by Bot on Thursday June 13 2019, @10:37PM

      by Bot (3902) on Thursday June 13 2019, @10:37PM (#855322) Journal

      I would also add: Troy Hunt is quite the name for a security researcher, is his real name dimitri or wang?

      --
      Account abandoned.