Troy Hunt has published the hashes of 306,000,000 passwords that have appeared in data breaches, and has exposed the set as a web service.
This lets you tell a user whether a given password has appeared in a breach: you send the service a hash of the password, and the service responds whether that hash is in the set. Bear in mind that an unsalted hash of a common password is effectively the password itself, so the hash is still sensitive data you are handing to a third party.
Why is that useful? You can proactively tell users that their password has been breached (and recorded in Have I Been Pwned) at either registration or login. You may want to block users from using that password, or you could just warn them.
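The check described above, written out as an added example (not code from the original post or from Troy Hunt's service). It hashes the candidate password with SHA-1, the hash format the Pwned Passwords set uses, and looks the hash up. Rather than sending the whole hash as the post describes, it assumes the range endpoint the current Pwned Passwords API offers (`https://api.pwnedpasswords.com/range/<first five hex chars>`, returning `SUFFIX:COUNT` lines), which the page itself does not describe; only the five-character prefix leaves your server and the comparison happens locally. The fetcher is injected, so the block runs here against a constructed sample range, and `live_fetcher` is the only piece that talks to the network. The `decide` policy hook turns the count into the block-or-warn choice the post leaves to you.

```python
"""Pwned Passwords check at registration/login (added example)."""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# A range fetcher takes the first five hex characters of a SHA-1 hash and
# returns the response body for that range. It is injected so the check can
# run against constructed data here and against the live service in production.
RangeFetcher = Callable[[str], str]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """Split into the 5-char prefix sent to the service and the 35-char suffix kept local."""
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; blank or malformed lines are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: RangeFetcher) -> int:
    """How many times the password appears in the breach corpus (0 = not seen)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def decide(password: str, fetch_range: RangeFetcher, block_at: int = 1) -> Tuple[str, int]:
    """Policy hook: 'ok' if unseen, 'warn' if seen fewer than block_at times, else 'block'."""
    count = breach_count(password, fetch_range)
    if count == 0:
        return "ok", 0
    if count < block_at:
        return "warn", count
    return "block", count


def live_fetcher(prefix: str) -> str:
    """Assumed endpoint of the current Pwned Passwords range API (not described on this page)."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"User-Agent": "registration-password-check"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


# Constructed sample data (not a real API response): the range for prefix 5BAA6,
# which is the prefix of SHA-1("password"); the other two suffixes are filler.
SAMPLE_RANGES = {
    "5BAA6": (
        "0000AB1C2D3E4F5A6B7C8D9E0F1A2B3C4D5:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3303003\r\n"
        "FFFF1234567890ABCDEF1234567890ABCDE:1\r\n"
    ),
}


def offline_fetcher(prefix: str) -> str:
    """Serves the constructed sample above; unknown prefixes return an empty range."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, decide(candidate, offline_fetcher, block_at=100))
```

In production you would pass `live_fetcher` (or a cached wrapper around it) to `decide`, and treat a fetch failure as "unknown" rather than "ok" so an outage of the service does not silently wave breached passwords through.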
Continue reading “Check Users Passwords during Registration/Login”
It fascinates me that so many developers seem to know so little about cryptography. Certainly, the litany of security bloopers caused by incorrectly implemented crypto suggests as much.
Encryption isn’t something that I work with every day, but as a web developer you can’t really get away from needing to secure something, and that means cryptography. So it is worth doing a bit of reading.
Bruce Schneier is a pretty interesting author. His books Applied Cryptography and Practical Cryptography (the latter written with Niels Ferguson) are excellent, and well worth a read for anyone starting to work with crypto. His blog is also an interesting discussion of security and risk in a wider context.
Troy Hunt has written a number of posts that have grabbed my attention over the last year or so. “Lessons in web site security anti-patterns” is just that, “A brief Sony password analysis” is fascinating, and “Our password hashing has no clothes” was eye opening. I like that his posts are strongly based on systematic analysis.
The Cryptography site on Stack Exchange can be interesting. It’s where I first heard of scrypt, a memory-hard password hashing function that is well worth knowing about.
Anyway, I’ll try to update this if I find new, useful resources; post your own favourites in the comments.