The penny first dropped for me just over 7 years ago to the day: The only secure password is the one you can't remember. In an era well before the birth of Have I Been Pwned (HIBP), I was doing a bunch of password analysis on data breaches and wouldn't you know it - people are terrible at creating passwords! Of course, we all know that but it's interesting to look back on that post all these years later and realise that unfortunately, nothing has really changed. The strength of most passwords is terrible. That post was my own personal wake-up call; it was the very point where I observed that what we all needed to do was to "liberate ourselves from the tyranny of passwords", as I said at the time, and that's precisely what I did: I went and bought 1Password and I've been using it every single day since across all my devices.

Today, I'm announcing a partnership between HIBP and 1Password. This is the first of its kind for me and I've actively avoided anything of this nature until now.

The Intent of HIBP Has to Remain Beyond Reproach

I want to talk about why that is, what's changed and what the new partnership looks like. Just last week, I wrote about the legitimisation of HIBP. That blog post had been in the works for many months before this partnership was conceived of, but I ultimately decided to get it out before this announcement to help explain my thinking. The very first sentence of that blog post was this:

> There's no way to sugar-coat this: HIBP only exists due to a whole bunch of highly illegal activity that has harmed many individuals and organisations alike

In that post, I talked about more nefarious operators working in the same space as HIBP purely to cash in on the misfortune of others. As soon as there's money involved, motives are questioned; people will assume the core objective is to monetise the service and clearly with those more nefarious offerings, that was precisely the MO. I've had many offers to sponsor HIBP, to monetarily reward me for product placement and indeed to buy the service outright. I've rejected every single one of them because I didn't want my motives to be questioned; I wanted to ensure people look at this service and genuinely feel that first and foremost, it's there to help them do good things after bad events. To that end, I think it's fair to say that the public sentiment towards HIBP has remained enormously positive.

Why It Makes Sense to Partner with a Password Manager Now

Let me talk about why this partnership makes sense now. There are many reasons why but I'm going to start with the most practical one first: people want actionable steps once they've found themselves pwned. The vast majority of people that use HIBP are not technical like you (probably) are. HIBP has millions of unique visitors every month (sometimes spiking up to 3M per day during major security incidents), and they're all asking the same question: what do I do now? I was reminded of this on the weekend when I saw HIBP featured in the Belgian news. There's a short video clip in that piece (in Dutch, but you'll get the idea), where a journalist enters her email address and finds herself in the LinkedIn data breach. So now what? What should she and all the normal everyday people watching that piece do? (Sidenote: awesome name for the IT expert in that piece!)

But "take appropriate action, such as changing passwords" doesn't really lead to the right behavioural change because people being as they are, they'd just go and change the password on the sites they could remember to the same lousy new password. I could have said "go and get a password manager", but this is barely any better as it doesn't lead them by the hand to a good one! I also could have listed just a few of the industry leaders but people being as they are and the whole paradox of choice problem (a great book, BTW!), they need more. People literally want to read "go here, do this". This question I saw on Reddit just the other day is a perfect example:

This is that point at which the penny drops, the one where people come to that realisation of "ah, now I see the problem". This is where people are going to be the most open to the suggestion that they need a different way of doing passwords. This is the best place ever to be talking about password managers. Which is why it now looks like this after searching for your email address:

But it's not just 1Password being highlighted here either, there's a call to go and turn on 2FA and also to subscribe to HIBP notifications because both of those things are very positive steps for improving one's security posture. And the reality of it is, HIBP does lead to positive changes in people's security posture: