Troy Hunt: Reusing Passwords Makes Us Our Own Biggest Threat – Interview

By Gabriela Vatu / September 24, 2018

Troy Hunt is a well-known name in the security industry. He's the person behind Have I Been Pwned, the website where you can check if your credentials were part of any data breaches. He's also a Microsoft Most Valuable Professional for Developer Security and a Pluralsight author, and he speaks at security events across the world. He even testified before the US Congress on the impact of data breaches, a subject he's particularly well-versed in.

Hunt has agreed to talk with TechNadu's Gabriela Vatu for a little bit, touching on security, privacy, Have I Been Pwned, and how we've become our own biggest enemy when it comes to cybersecurity.

Gabriela: What is something you've learned over the years that you feel all Internet users should know?

Troy: I think the biggest thing that I have learned is the prevalence with which people reuse their passwords and the impact that thing has on their lives. And this is something that sort of people know but when you actually see it, when you see the data, when you see the reused passwords, and you hear the stories of how much trouble that has caused people, it's something that I think even I didn't appreciate before.

Gabriela: What do you think is the biggest threat to our cybersecurity right now? Is it some kind of ransomware or is it ourselves?

Troy: I think it's ourselves and I know this sort of repeats the previous sentence, but the biggest threat we have as individuals is this reusing of passwords. To put this in perspective, what I see time and time again is that people will sign up for lots of different services with the same password, one of them suffers the data breach, and then they start having all of these other services taken over.

And I see people lose everything from their email accounts to their iCloud accounts, to family photos and personal data, to their social media accounts, gaining access to friends; even financial accounts. This is a very serious problem and it's one that we all have control over, but unfortunately, we keep getting wrong.

Gabriela: Since we're talking about the security field, there was a lot of talk about involving Artificial Intelligence even more into the field. Do you think this is a good idea or do you think we should trace a line in the sand on how far its involvement should go?

Troy: I don't think we have much choice. I think this is something that has so many strong benefits in life; everything from healthcare through to financial. It's something that just poses a massive upside for businesses and a massive upside for consumers. I think for that reason, it will happen whether we like it or not.

One of the risks is to privacy - how much information can we figure out about people nowadays using AI. But what we're seeing as well is that, in general, our social tolerance to privacy is changing - people are much more accepting of sharing their data. The newer, younger, generation is growing up in a time where they never knew when we didn't share this much information. And the older people who probably have less tolerance are, frankly, dying. It's a younger generation. The general social consensus is changing.

Gabriela: Do you think that it has changed so much that we will allow full transparency?

Troy: Well, there's always a degree of privacy, and we have tooling that enables us to choose the level of privacy we want. We can choose the visibility of messages you put on Facebook - but that doesn't mean you're always going to have that because, of course, things can go wrong. We can also still choose how much information we want to digitize.

I've said to people before, which some don't like me saying, maybe you should choose not to take nude photos of yourself. You have that control. If you do digitize it you might have a problem. And the reason some people don't like it is because they say it's "victim blaming," they say they should be able to do whatever they want without the fear of privacy violations. Yes, they should, but they can't. This is the reality of the digital world.

Gabriela: Since one of the topics in the security world has been the Internet of Things and the many many threats - is there any type of smart devices that you wouldn't bring into your home for fear of privacy?

Troy: Most smart devices are used by my children. So, I've been involved in data breaches before that have involved IoT and one of those data breaches was connected teddy bears called Cloud Pets. And I saw all of this data collected from children exposed to the Internet.

I've got a couple of little kids and I would never put a teddy bear with a listening device in their bedroom - that's an absolutely crazy idea. That's the main thing. I have an increasingly large number of IoT things in my house, but I'm just really selective about what they are and if I actually need them. There's a lot of rubbish that you simply don't need and every connected thing does pose some degree of risk.

Gabriela: We were discussing the worst cyber attacks in the TechNadu newsroom, and we all had our opinions. What do you believe is the worst cyber attack we've seen recently - not necessarily in terms of size, but of impact?

Troy: I think Ashley Madison is. So, Ashley Madison was about three years ago, in 2015, and one of the things that makes it the worst is that people have killed themselves because of it. So this is a breach that has led to death. It's an interesting one because people are often quite intolerant about the Ashley Madison data breach - they say "you were cheating, you deserved it."

Well, first of all, I don't think people really deserved to die over it, and secondly, I read quite a bit about Ashley Madison at the time, and one of the things I read about - and all the things that Ashley Madison members have told me - and I've learned that there are a lot of women who used that service because they tried to catch their husbands cheating on them. And then, in some of those cases, the marriages broke down and people went on to other lives. Years later these women were implicated as being adulterers because their data was in Ashley Madison.

I learned about how often community groups, even churches, were publicly shaming people that they found on the breach. They were using other services where they could search for their members of the community, and in some cases, they even put up lists on bulletin boards at their churches or schools shaming people who had been on Ashley Madison. And it's just I don't know what's wrong with people doing that.

It was a very weird thing, but it's also a cultural thing because there are some cultures that are much more accepting either about adultery or about people's right to privacy. So I think that for a very long time it will remain one of the most impactful data breaches of all.

Even in recent weeks, I've had people contact me and tell me they're still getting blackmail because of Ashley Madison and it's very automated, it's not personal - no one follows through with it - but years later and it's still impacting people's lives.

Gabriela: Tell me about your project, about Have I Been Pwned - how did you come about this project?

Troy: This was nearly five years ago now, and I was analyzing data breaches as part of the writing I was doing and I found it fascinating to see how many times the same people appeared in data breaches with things like the same credentials and I thought it would be interesting to create a service where people could figure that out.

And I initially created it and didn't think anyone would actually use it, and then it got very very big really quickly, and today it has about a quarter of a million people a day that come to the site and look for their data.

Gabriela: Did you believe it would grow so fast?

Troy: Well, you look back on it - it's five years - so it's not that fast, but it certainly has accelerated particularly over the last months, and I didn't foresee a lot of what would happen. Early last year I was even worried about the viability of the service because I was worried there were so many shady versions of it - there were so many services out there which look similar, but they were selling people's personal data - they were selling birthdates and emails and passwords and other things like this. There is a lot of disrepute in the industry.

And in the space of pretty much 12 months, a lot of these shady ones disappeared, I've been invited to America to speak to the US Congress, which is a very formal recognition that I might actually have a role to play, I got a number of governments on board using this service and been happy to talk about it publicly. That's the stuff I never really would have seen, particularly the government initiatives. So the last 12 months, in particular, have been really interesting.

Gabriela: Are there any particular tools that you plan to add in the future to the Have I Been Pwned project?

Troy: It's all very incremental, and the next major thing that will happen and that I've already announced publicly is this auxiliary being built into Firefox. That will soon go live. So that will sort of be the next thing in making this data available much more broadly to a much larger audience, so that's pretty cool.

Beyond that, I've got a few ideas, but nothing I can announce yet. To be honest, at the moment, it's just taking a lot of time to process all this data that I have and trying to get as much of it out there so that people know if they've been impacted.

Gabriela: Since you mentioned Firefox, are there any companies that you feel do a good job in offering security for their users' accounts? We couldn't help but notice Google's Gmail, for instance, isn't really on your site, as well as other big names in the industry.

Troy: There are certainly many companies which you don't see on Have I Been Pwned - there's not Apple, or Microsoft, or Google - obviously, Yahoo had a major data breach, but I've never seen their data, and I don't know if I'll ever see the data. So, in that regard, there are lots of companies that aren't on there - there's only just over 300 websites.

And to answer it in a different way, there are a lot of companies out there doing really good things with security. I've partnered with 1Password, for example. 1Password is a fantastic password manager, and I really like them. I work a bit with F-Secure - I don't have any commercial in F-Secure but I use their VPN products, and they do a really good job.

In fairness, companies like Google are doing a great job at security in the browser, Microsoft is doing a good job with security around things like Office 365 and Windows. There are a lot of companies doing really innovative things and they're making it a lot harder for attackers.

Gabriela: You can blame it on Twitter for this, but I saw you just got a new iPhone. Is there a security reason behind your pick, since Android gets a lot of hacker attention, or it's just the operating system and overall product quality that helped you pick Apple?

Troy: It's a little bit of both and there's also a degree of vendor lock-in, as well. I've had iPhones for the past ten years, my wife has them as well, the rest of my family has them, and of course, we bought the apps and things like that. So there's some vendor lock-in there.

There's also the other side of it, from a product perspective, like the consistency between the iPhones, I have an iPad, I have an Apple Watch, and they all work very well together. I have PCs, I don't have a Mac, but that's ok.

And then, from a security perspective - I actually shared a tweet only yesterday or the day before that's had a lot of likes and retweets which was about the DNC in the US - Bob Lord is their new Chief Security Officer - and he was quoted saying he's making sure that everyone rolls over from Android to iPhone because of the security of it. He reasons that it's much more consistent in terms of how fast updates are pushed out, and also in terms of the older hardware being able to run the newest and greatest operating systems and patches. And this is one of the things I really like about iPhones. It's also a lot harder to get lower-level access to device features which you can do on Android, and you're also a lot less likely to load an app from an unofficial store. So this sort of security posture really is world-class, and combined with the other factors as well, I'm much more comfortable running iDevices.

Gabriela: A few months back, an AlienVault survey among Spaceworks professionals revealed that few things changed after WannaCry and NotPetya in terms of the budgets assigned for cyber. You seem to be of the opinion that public shaming of security-deficient companies is a good way to obtain change. Is the public voice louder than that of in-house specialists?

Troy: Obviously, you've seen the piece I wrote about public shaming, and I think that the real crux of that is that you need to appeal to the right incentives of the organization. What I mean by that is that if I were to write a private email to a company and say "hey, you sent me my password in plain text, that wasn't cool, you're probably not storing it properly," that's just one voice and they can maybe put it on a backlog and say "maybe we should do this."

When it's public and there's an outcry, and people get upset about it, there's suddenly a different incentive because now there's a reputation motivation and companies want to protect that reputation. Part of the reason I wrote that is that I have seen people say "shaming" in a very negative way like it's a negative thing, it's beneath them, or it's improper conduct. But the thing is that it makes things happen. It's change!

Particularly when it's in the press as well - when the press is writing about this poor security posture - and journalists are calling, their priorities, their incentives change. And rightly or wrongly, shaming has a way of impacting change much more effectively than private disclosure does.

There are definitely things that need to be disclosed privately, such as a vulnerability that someone could exploit - that has to happen privately. It really is a last resort to go public.

I had an incident a couple of years ago where someone in one of my workshops discovered a vulnerability in Nissan cars, and they could pull out private data from Nissan cars. But I tried for a month to get Nissan to fix the vulnerability, and we had phone calls and emails forwards and backward, and they didn't do it. It was only when I went public that they made the change and that could have impacted the privacy of some people, but as soon as it was public, they turned the service off. And unfortunately, that's just another example where sometimes you need to get public in order to make change happen.

Gabriela: You also do courses for Pluralsight. How did you get into that?

Troy: I started that in 2012, and the reason I started doing it is because I had been writing material that would make good courses, and inevitably it does. I sort of wondered if I could maybe start to do something more independently and maybe have a little bit of choices outside of my normal day job. And I remember reading at the time about a Pluralsight author who was very successful and he was making more than a million dollars a year out of writing courses, and I thought "wow, that sounds really really cool." That's what got me started on that.

Gabriela: Is there any particular course that you enjoyed making the most?

Troy: That's a good question. I think I've done 44 courses now, so that's quite a lot. I think those that I enjoy the most - I've done a few play-by-play courses. Most of my courses are screencasts, so it's my voice talking over a screen. The play-by-plays are me talking to someone else on camera, and they tend to be much more organic, there's a lot more personality that comes through. So I do like these - they're a lot of fun.

Gabriela: What's the thing that you're most proud of in your career?

Troy: I think it's the fact that I've been able to do my own thing and find my own way. It's a very non-traditional path. It's not like going into a company, working your way up through the ranks, achieving seniority or anything like that. It's literally doing what I thought was the best thing to do at the time. It's not been a grand plan. If I went back to when I started blogging in 2009, I didn't sit there like "Ok, I'm going to go do all these things and get the life I have today." It was just like doing what I thought was the right thing to do at the time. It's a path that's not well-tread, but it's just worked out well for me.

Do you agree with Troy Hunt? Have you used Have I Been Pwned, read his blog, or followed his courses? Let us know in the comments section below. We'd also love to hear back from you on social media and you can find TechNadu on Facebook and Twitter. 


