Why ‘Have I Been Pwned’ is not a security solution (And it never will be)
If there is one thing that everyone can agree on, it is that the number of data breaches caused by and resulting in an alarming number of compromised credentials is growing. Another point that everyone can all agree on is that something desperately needs to be done about it. What almost nobody can agree on is how to address this growing problem to make it go away.
With more than 127,000 followers on Twitter and more than 2 million subscribers to the popular Have I Been Pwned (HIBP) website, one might believe that the service created by Troy Hunt is an unquestionable success in the cybersecurity world. But numbers alone don’t tell the whole story and are certainly not enough to build a business case to use the service. It’s the same thing that our parents told us when we were kids, “Just because everyone else is doing something, doesn’t mean you have to do it too.”
Looking at market and environmental factors happening today, the good news about the marketing engines in the world is that they work and they make a lot of noise. The bad news is they work and make a lot of noise. With the unprecedented amount of compromised credentials and other sensitive data floating around online about us, there is no surprise why everyone thinks that HIBP is solving a problem by notifying people when there is a new data breach that affects them.
It should be noted that what HIBP does compared to what commercial offerings in this space are doing is vastly different. They are so different, in fact, that HIBP cannot be considered to be a security solution. The trend nowadays is for a cybersecurity company to say that they use the APIs of the free HIBP service and suddenly they receive credibility and recognition for being forward-thinking and taking an innovative approach to a cybersecurity problem.
Here are a few of the important reasons why I believe HIBP is not a security solution, why using HIBP can give a false sense of protection and why alternative commercial offerings should be considered.
HIBP doesn’t retain un/pw pairs
The most important feature that is missing from HIBP is that it doesn’t preserve passwords when collecting them from credential leaks and hacker databases. It is true, Troy waxes poetic on the reasons why he doesn’t make passwords available via the HIBP service but the reasons supplied — such as not having secure enough storage — are simply no longer valid concerns in 2019 as commercial providers have addressed this through the use of data masking, zero-knowledge proof protocols and secure enclaves for credential verification.
Imagine going to a doctor and being told that you have a tumor on your brain but not being told whether it’s malignant or benign. What would you do in that situation? You would do what every other living human being would do and find a new doctor!
The ability to not only detect — but to verify — whether the password being used is weak, stolen or otherwise compromised is the killer feature of any identity threat intelligence service provider operating in this space today. Imagine going to a doctor and being told that you have a tumor on your brain but not being told whether it’s malignant or benign. What would you do in that situation? You would do what every other living human being would do and find a new doctor! It’s not enough to know whether you have a tumor, or not. To be of any value, an insight must be actionable in the here and now and foster a better understanding of the risk to users and the business.
Missing this one killer feature, the HIBP service is nothing more than a password blacklist at best, and empty calories in the worst-case scenario.
Lacking in innovation
When you look at innovation in our world today, less than 2% of the start-ups are ever worth anything that matters. Not all innovation is the same and nonconformist innovation has clearly not been applied to the HIBP service strategy. In the 2016 book Play Bigger, the authors explain how legendary entrepreneurs (referred to as “category kings” in the book) have achieved serial success in their careers and built great enduring companies. The authors argue that, “A single cool product launched into the universe doesn’t make a category king. Category kings take it upon themselves to design a great product, a great company and a great category at the same time. A category king willfully defines and develops its category, setting itself up as the company that dominates that category for a long time.”
Applying this same rigor in thinking and to a critical assessment of the HIBP service, what can we find out?
Does HIBP have a great product?
Troy started building the HIBP service in 2013, and as of this writing in 2019 it is still missing the most important capability of other commercial offerings in this space, which is the ability to verify if users’ passwords are weak, compromised or stolen.
It can also be said that HIBP’s Pwned Passwords API is not the first to use K-Anonymity to protect the privacy of passwords during verification, and which may or may not be violating a pending US patent. In a previous version of the API, when it released a list of 320 million hashed passwords in September of 2017, it was caught by researchers who noticed that the dump contained personally identifiable information when the credentials were reversed, even linking the hash to the owner of the password. Uh oh.
Is HIBP’s service supported by a great company?
Troy runs the HIBP service and doesn’t require anyone to pay for it, although he accepts donations for a little as the price of a cup of coffee up to, perhaps, a large enough donation to make his boat payment. By his own admission, he spends about four hours per week maintaining the service. With no interest in innovation or partnering with other companies, there appears to be no viable long-term business strategy here other than to use the service to build his personal reputation to gargantuan proportions and collect on the sales of speaking fees and donations.
Big data analytics, artificial intelligence and zero knowledge proofs have enhanced identity threat intelligence and automated protection capabilities in ways that HIBP can only dream of.
Is HIBP a category king?
Since its early days, HIBP has helped create awareness about the reality and frequency of data breaches in the real world, and their impacts to businesses and individuals alike. A steady and reliable stream of analysis about data breaches, combined with public shaming (which I will get to in a moment) helped put Troy and his HIBP service on the map. We have established that HIBP is neither the killer product nor the great company we would expect and lacks many features that commercial offerings have developed since early 2018 onward. Big data analytics, artificial intelligence and zero knowledge proofs have enhanced identity threat intelligence and automated protection capabilities in ways that HIBP can only dream of. In a nutshell, everyone knows that everyone else has been pwned already, but that is the most that HIBP can tell you. In a post-breach world, where we assume that we are pwned already, the free HIBP service just feels outdated and redundant.
The consistency and reliability of Troy’s analysis of data breaches is impressive. But the value of the HIBP service and any company whose offering relies on HIBP as a source of intelligence is questionable.
Mr. “Nice Guy” on the one hand
According to billionaire Mark Cuban, “One of the most underrated skills in business right now is being nice” but in Troy’s world that is not true. It has never been and will never be so. Everyone is hunting to feed their family first and to satisfy the demands of their investors second.
One side of Troy’s public persona is that of Mr. Nice Guy. HIBP is free. Download this data dump for free (regardless of how many identities are revealed in the dump). Use this API for free. Read analysis of recent data breaches. All for free. Tell your neighbor to check if her email has leaked on haveibeenpwned.com for free. Free is not always free, and [checking HIBP after a breach] puts consumers in a defensive posture instead of an offensive one.
Unsolicited advice is almost always for the sender’s ego, not for the receiver’s benefit.
The other side of Troy that we see online, and arguably that which helped him to become famous in the first place, is his determination to publicly shame companies and their customer service representatives when confronted with vulnerabilities such as leaked credentials. Troy seems to get pleasure from outsmarting hired hands who respond to public facing support issues and attributes their lack of knowledge and expertise to incompetence at a corporate level. Rushing to stereotype the corporation as incompetent because of the infirmity of a customer support rep (not hard to do because Troy is a high IQ individual) is a hasty generalization. Unsolicited advice is almost always for the sender’s ego, not for the receiver’s benefit.
Nobody, not even the government, has hired or authorized Troy to be the judge, jury and executioner. Proclaiming that shaming is appropriate and in everyone’s best interest doesn’t make it so. It is a very selfish and egocentric impulse.
At the end of the day, “people hate dealing with jerks” says Cuban. “It’s always easier to be nice than to be a jerk. Don’t be a jerk.”
In other words, keep unsolicited advice to oneself, follow protocol and use a bug bounty program, but don’t make a discovery about your ego and reputation.
Conclusion
In the world of value exchange today, Harvard Business Review sets the pace when it says in a the November 2013 article that “the new environment favors creative and adaptable sellers who challenge customers with disruptive insights into their business–and offer unexpected solutions.” What business and security leaders need to understand is that HIBP is not a security solution at all. In fact, organizations who use APIs or data from HIBP will ultimately have a false sense of security because it is lacking and redundant compared to leading solutions in the space today.
It is a problem that leaked credentials allow hackers to access protected systems and sensitive information that they aren’t supposed to. It is a problem that a database of billions of stolen credentials becomes a cyber weapon that causes trillions of dollars in damages, and even upending democracy itself. It is a problem that HIBP is ill equipped to try to solve.
Breach notification is inadequate and outdated. Cybersecurity leaders and other stakeholders should accept nothing less than modern identity threat intelligence, fully integrated with global identity providers and remediation that is automated, protecting users from themselves and cyber criminals from being successful with credential spraying and account takeover attacks.
