Well that was an unusual ending. Both my mouse and keyboard decided to drop off right at the end of this week's video and without any control whatsoever, there was no way to end the live stream! Wired devices from kids borrowed, I eventually got back control and later discovered that all things Bluetooth had suddenly decided to die without any warning whatsoever. I certainly wasn't updating drivers mid-live stream or anything like that so... 🤷‍♂️

Anyway, other than that it's business as usual this week, enjoy!

References

1. The shots I'm getting with the new drone are amazing! (it's crazy how much tech is jammed into this little thing)
2. I'm disappointed that Mailchimp has stopped offering a discount for users with 2FA enabled (I'd really love to think there was an ROI for them offering the discount)
3. You'd think an Attorney General's office would have better things to do than forwarding on a complaint from someone who thinks HIBP has been breached (seriously, it'd take about 3 mins for anyone paying attention to understand what's going on)
4. Disclosing data breaches is still way too hard (people found it painful to watch a 1 hour 15 minute video of me trying to disclose to Avvo - good - that's the point - it's painful!)
5. Sponsored by: Varonis for Salesforce. Protect Salesforce data from overexposure and cyberthreats. Try it free!

For many years now, I've lamented about how much of my time is spent attempting to disclose data breaches to impacted companies. It's by far the single most time-consuming activity in processing breaches for Have I Been Pwned (HIBP) and frankly, it's about the most thankless task I can imagine. Finding contact details is hard. Getting responses is hard. Not having an organisation just automatically assume you're trying to shake them down for cash is hard. So hard, in fact, I thought I'd record the process end-to-end and share it publicly to help demonstrate just how painful the process is.

I'd filed the (alleged) Avvo breach away in the "too hard" basket a long time ago and it was only after seeing this tweet last week that a distant bell rang in my head:

@troyhunt Looks like @avvo has had a breach of their user list -- I'm getting those "you've been hacked" scam emails on my Avvo-specific address. No passwords, so I'm guessing they're hashed.

— pḧÿzömë (@phyzome) April 4, 2022

On a hunch that this wasn't going to be an easy process, I started recording and kicked off my usual disclosure process. It failed - completely - but at least now I have a complete blow-by-blow of everything I've done, who I've contacted and who I've even engaged with yet still, to no avail. Here's the whole thing:

The Avvo data breach is now searchable in HIBP. By the time I sent out notifications, they went to 20,183 individuals monitoring their accounts and a further 9,637 people monitoring domains with impacted email addresses. I'll update this post with any further relevant information if it comes up in the future.

Bit of a long one this week, just due to a bunch of stuff all coinciding at the same time. The drone is obviously the coolest one and it was interesting to hear other people's experiences with theirs. This is just super cool tech and I can't remember the last time I looked at a consumer product and thought "wow, I didn't know they could do that!" Check that out and a whole heap more in this week's video below 👇

References

1. As travel gradually resumes, there are more events you can now catch me at (stay tuned for one in Tasmania in July too)
2. It was 7 years ago today I left a 14 year career at Pfizer... (...and never once looked back!)
3. The DJI Air 2S drone is insanely awesome! (I'll keep posting to that thread as I work out how to use the thing)
4. Can't see myself doing it, but yeah, you can 3D print a frame to mount a cut up noodle to your drone (amphibious landings anyone?)
5. I really don't like password strength indicators like this (there's really nothing of practical use people can take away from them)
6. Hey, here's a blog post on how much I dislike password strength meters! (5 years later, still all true)
7. RaidForums is no more (and just like that, something else has stepped in and taken its place)
8. The North Macedonian government has become the 32nd to get access to HIBP APIs for monitoring and querying their gov domains (that's the third one in a row from that region of the world)
9. Sponsored by: Detack. Detect & prevent weak, leaked, shared passwords with EPAS, a patented, privacy compliant solution used in 40 countries. Try it free!

In my ongoing bid to make more useful information on data breaches available to impacted national governments, today I'm very happy to welcome the 32nd national CERT to Have I Been Pwned, the Republic of North Macedonia! They now join their counterparts across the globe in having free API-level access to monitor and query their government domains.

I look forward to welcoming more governments in the future and building out additional support to assist them in the wake of further data breaches.

I hope scheduling these in advance is working well for everyone, the analytics certainly suggest a much higher viewership so I'm going to keep scheduling these and refining the whole thing further. Other than that, it's same-same this week with the usual array of breaches, tech and life down under. Enjoy 😊

References

1. I keep forgetting to talk about upcoming events (that's a list of what's coming  in 2022, I'll try to remember to discuss it next week given I'm off to Sydney the week after for the Akamai event)
2. Indonesian real estate site Travelio was breached (this dates back to last year, but the data is now in HIBP)
3. Lots of crickets chirping over at Avvo (this is becoming a textbook case of why disclosure is so hard)
4. Scott wrote a great blog post on PCI DSS 4.0 (really interesting to see how much focus has shifted to defending against Magecart style attacks via compromised JavaScript)
5. Sponsored by: Varonis for Salesforce. Detect suspicious behavior and strengthen your Salesforce security posture. Try it free!

Supporting national governments has been a major cornerstone of Have I Been Pwned for the last 4 years. Today, I'm very happy to welcome the 31st government on board, Serbia! The National CERT and the Gov-CERT of the Republic of Serbia now has free and complete access to query their government domains via API.

Visibility into the exposure of government departments in data breaches remains a valuable service I'm glad to see continuing to be taken up by national CERTs.

Everyone just came for the Ubiquiti discussion, right? This is such a tricky one; if their products sucked we could all just forget about them and go on with our day. But they don't suck - they're awesome - and that makes it hard to fathom how a company that makes such great gear is responding this way to such a well-respected journo. I spend most of this week's video talking about this and perhaps what surprised me most, is even after that discussion there's a bunch of people asking product questions. It'll be interesting to see how this whole thing eventually plays out...

References

1. I bought Ari a biometric padlock for his locker as other kids were successfully guessing the PIN on his other one (now let's talk about adversaries, capabilities and impact)
2. The first Krebs story on Ubiquiti fuelled by the "whistleblower" (IMHO, Brian was pretty clear on the source of the information and it was from someone within Ubiquiti)
3. The second Krebs story explaining how it was an insider attempting to extort the company (also IMHO, this explains the nature of the source from the first story and provides appropriate context as to their motives)
4. Corey Quinn's Twitter thread was the first news I saw on the lawsuit against Brian (it's selective sections of the doc, but they certainly don't read well)
5. The Hacker News comments are actually surprisingly insightful, pointing out aspects in Ubiquiti's favour (but it does make it all feel like this boils down to "was Brian subsequently clear enough after learning more")
6. Graham Cluley's tweet may just be the most accurate description of what all this means (Ubiquiti is doing serious damage to its reputation by going down this path)
7. The Bulgarian government is now the 30th on board HIBP (the home of Telerik and Shelly 😊)
8. Sponsored by: Detack. Detect & prevent weak, leaked, shared passwords with EPAS, a patented, privacy compliant solution used in 40 countries. Try it free!

Data breaches impact us all as individuals, companies and as governments. Over the last 4 years, I've been providing additional access to data breach information in Have I Been Pwned for government agencies responsible for protecting their citizens. The access is totally free and amounts to APIs designed to search and monitor government owned domains and TLDs. Today, I'm very happy to welcome the 30th participant of this service, Bulgaria!

This is just one of many initiatives I'm pursuing to help those impacted by data breaches and I look forward to welcoming many more national governments in the future.

Wow, what a day yesterday! I mentioned at the start of this week's update that Charlotte and I jumped on a chopper with our parents to check out our wedding venue, here's the pics and I just added a video to the thread too:

Well that was amazing; chopper ride to our wedding venue for lunch with our parents. So happy to live here and have access to such a wonderful place. And such a wonderful woman in @charlottelyng 😊 🚁 💍 pic.twitter.com/NEgDxZxNeR

— Troy Hunt (@troyhunt) March 24, 2022

I talked a bunch about Okta today and shortly after, jumped in the car and turned on the latest Risky Business podcast. Have a good listen to Patrick and Adam's take on this, it's right up front in the podcast and well worth a listen. Here's this week's vid, enjoy!

References

1. The Password Purgatory website is now up and running (give it a go, it's... infuriating 🤣)
2. ZAP-Hosting was breached and heaps of chat logs leaked (their disclosure thread is a bit disjointed, but you'll get the idea)
3. The Okta breach / not breach / situation hasn't been handled well in terms of comms (the actual incident itself may be minor, it's the handling of it that's the problem)
4. The Italian government is now the 29th to jump on board HIBP (not in the bad "we got breached way", rather in the good "let's do something really useful with breach data" way)
5. Sponsored by: Varonis. Reduce your ransomware blast radius with the leader in data-first security. Try it free!

For the last 4 years, I've been providing API-level access to national government agencies so that they can search and monitor their government domains on Have I Been Pwned. Today, I'm very happy to welcome the 29th government to join the service, Italy! Via CSIRT-Italia within their National Cybersecurity Agency (ACN), they now have free access to breach data I hope will further empower them to protect their people in the wake of data breaches.

I expect to continue onboarding eligible governments and look forward to welcoming many more in the future.

So the plan was to schedule this week's session in advance then right on 17:30 at my end, go live. It mostly worked, I just forgot to press the "go live" button having worked on the (obviously incorrect) assumption that would happen automatically. Lesson learned, session restarted, we'll be all good next week 😊

References

1. Asking about IoT'ing the kids' showers led to lots of wrong answers (maybe I'm just scarred now knowing how much work is involved as soon as you touch actual plumbing in a bathroom)
2. Seeing a psych and getting help is just fine (after recording this vid, I was watching Toto Wolff on Drive to Survive and the enormous amount of pressure on him)
3. CafePress got slapped with a fine by the FTC for their 2019 breach (and deservedly so, IMHO)
4. Your email address is the primary key of your digital life, should you use different ones on different sites? (that's a link through to 1Password's Masked Email feature that leverages Fastmail, the video is a good primer)
5. Sponsored by: CrowdSec - The open-source & collaborative IPS: respond to attacks & share signals across the community. Download it for free.

Over the last 4 years, I've onboarded 28 national government CERTs onto Have I Been Pwned (HIBP) and given them free and open access to APIs that enable them to query and monitor their gov domains. This doesn't give them access to any information they can't already access via the free public domain search feature, but it makes their lives easier. Much easier.

As interest from govs has grown, it's caused me to ponder: who am I willing to give access to? Who am I unwilling to give access to? Those questions prompted a tweet earlier today:

If I was to define metrics for which governments I accepted onto @haveibeenpwned, what should they look like? Human rights? Other? And as defined by who? I need something empirical, consistent and repeatable for govs that "feel" uncomfortable. Context: https://t.co/gxwBfdOdBl

— Troy Hunt (@troyhunt) March 10, 2022

There are 2 primary factors that caused me to pose this question and I want to explain my thinking on both clearly here:

The first is the current situation with Russia and Ukraine and more specifically, the sanctions levelled at the former in recent weeks. It's not just sanctions, it's everything from McDonald's closing stores to my tweet this morning about Universal Audio blocking traffic from Russia and Belarus:

Strong stance by @UAudio against the invasion of Ukraine. Which other services are blocking traffic form Russia and Belarus? How does everyone feel about this approach, and should we see more of it? pic.twitter.com/hAWPW1WbW3

— Troy Hunt (@troyhunt) March 10, 2022

You may or may not agree with the stance these organisations have taken, but what this has highlighted is that there is a valid discussion to be had about which countries services are provided to and if there is a threshold beneath which you choose not to do business there.

The second factor is that the requests I've had from some governments simply don't "feel" right. To be clear, these requests are no different to, say, New Zealand's (just to pick the most recent one), but my own subjective view on these countries is that they fall short on many of the values that I (and probably you), hold dear. Democracy. Freedom of press and speech. The ability to choose religion, sexuality and other basic rights I take for granted in a place like Australia. But just a "feel" is insufficient and per my earlier tweet, not at all empirical, consistent or repeatable.

Of all the responses I received, this one really stood out:

There are a number of country rankings that you could consider using. Here's one
https://t.co/kA61z7NCn9

— Jeff Barnes (@mani2jeff) March 10, 2022

Jeff pointed me to the World Population Review website and in particular, the democracy ranking by country. Let me repeat the list here with the 28 governments already onboard HIBP highlighted in green:

Edit: I'll keep updating this table as more governments come on board, so the number will exceed the original 28:

Of those 28 govs, all are classified as "Full Democracy" (Norway and Australia), "Flawed Democracy" (the US and Belgium) or "Hybrid Regime" (Ukraine and Turkey). The govs I mentioned as not feeling right are all well below the highlighted ones, with each classified as an "Authoritarian Regime" and as such, I've decided to reject those governments. I won't say where the cut-off is nor will I commit to a single, easily definable threshold, but I will say that they each rated well below every highlighted gov on every measurable metric. My "feel" is amply reflected by the data.

I'm sure there will be those who feel this approach is insufficient, too much, missing appropriate data, using the wrong metrics and all sorts of other reasons. I don't expect it to be perfect nor does it need to be, what's important to me here is to describe the problem, explain my logic and have a resource I can direct both current and future requests to when I feel the gov is not a suitable fit for the offering I've made available.

Time and time again over the last 8 years, I've needed to make ethical decisions on how I alone run this service. This is just one more of those decisions and I hope I've done a good job of explaining my logic here.

Somehow this week ended up being all about Russia and Cloudflare. Mostly as 2 completely separate topics, but also a little bit around Cloudflare's ongoing presence in Russia (with a very neutral view on that, TBH). Looking back on this video a few hours later, the thing that strikes me is the discussion around what appears to be a phishing page seeking donations for Ukraine. Just listen to me try to figure this out and as I say in the vid, if I have trouble discerning phish from legit resource, how do people who don't live in this world work it out?! Easy answer - they don't, that's why phishing remains so lucrative.

Reference

1. The idea of Tesla remotely killing cars in Russia feels like a very bad one (invert that logic - what if you owned a Chinese car that could be remotely killed due to geopolitical dispute?)
2. As sure as night follows day, scam follows disaster (it's a particularly low act when it prey on good citizens appalled by the bombing of a hospital)
3. When should you deny digital services to Russian citizens? (I'm just not sure Universal Audio's decision here is anything beyond symbolic, but maybe that's enough?)
4. Password Purgatory is gonna be a whole bunch of laughs 🤣 (also, Cloudflare Pages and Workers are amazing!)
5. Sponsored by: Varonis. Reduce your ransomware blast radius with the leader in data-first security. Try it free!

I have lots of little ideas for various pet projects, most of which go nowhere (Have I Been Pwned being the exception), so I'm always looking for the fastest, cheapest way to get up and running. Last month as part of my blog post on How Everything We're Told About Website Identity Assurance is Wrong, I spun up a Cloudflare Pages website for the first time and hosted digicert-secured.com there (the page has a seal on it so you know you can trust it). Instantly, I fell in love with this method of building websites so when I came up with an idea just yesterday, I knew exactly how I wanted to build it.

Here's the idea: I've been pondering for some time how to deal with spam like this:

Somehow, this made it all the way through the Microsoft 365 spam filters, landed in my inbox and consumed some of my precious, limited, highly-valued time. I, in turn, have been considering how to not only consume the time of these spammers, but make it entertaining for all. Which led me to a moment of clarity just yesterday as I was pondering revenge tactics and, in a flash of inspiration, came up with the idea of Password Purgatory:

purgatory: a place or state of temporary suffering or misery

You know how we all hate password complexity criteria? The kind that asks for uppercase characters, numbers, but only limited special characters and so on and so forth? That's what I'm now referring to as Password Purgatory - that temporary state of misery - and that's what we're going to do to the spammers 🙂

The end product will be a page on troyhunt.com where the Michelles of the world will be directed to pitch their content. All they have to do first is create a password... The idea of the Password Purgatory service is that it's an API designed to take a password, find something wrong with it and send that back in the response. It'll start out gentle (for example, minimum length) and get increasingly bizarre. A separate service will log each attempt the spammer makes to satisfy the inane criteria and once they've finally given up in agony (fingers crossed), I'll share the results publicly. Naturally I'll ensure there's no PII involved and given folks like Michelle write about cybersecurity, it won't be a password they've reused anywhere else, so no problems there (🙄).

To really get into the community spirit (let's face it, we all bond together when screwing with spammers), I wanted to make it all open source, take PRs and make the API accessible to anyone from anywhere. My hope is that we build something awesome together and collectively make the lives of spammers just that little bit more miserable.

So, here's the whole thing, end to end and step by step.

Creating a GitHub Repo for Pages

Everything is going to deploy out of GitHub so I've spun up a public repo called "password-purgatory" under my personal account:

Clone it locally, drop in an index.html file with a logo and push it back up. This is now effectively a working website (ok, a really basic one) sitting in source control. This will be a standalone website for people that just want to play with the API I build later on (this isn't where I'll be sending Michelle). I'll also add API documentation there in due course.

Let's get it deployed!

Setting up Cloudflare Pages

Super easy stuff here, just hit the "Pages" link then "Create a project":

The first time I used Cloudflare Pages, I had to authorise it to access the GitHub repository by virtue of the Cloudflare App. Jumping back in there now, that authorisation is still in place but it's the only repo I can see:

No problem, back over to the Cloudflare Pages app on GitHub and add access to the new repo:

I could just give it access to "All repositories", but I like the idea of the principle of least privilege in terms of reducing risk so I'm sticking with "Only select repositories". Back to creating the new Cloudflare Pages site and the repo is now visible:

Time to set up builds and deployments and I'm just going to stick with all the defaults:

Maybe you don't want to deploy from main, maybe you want to choose a framework and customise the build command, whatever. For now, I just want to push a single page website so it's straight to "Save and Deploy". Thinking, thinking, 4 seconds later... done!

The live site is now addressable at password-purgatory.pages.dev:

Binding the Domain

The dev URL would normally be fine for dev purposes, but I'm live-tweeting this as I go and I want the whole thing up and working on the official domain. After the initial build above, I'm over on the project page and now into "Custom domains":

I'd already registered passwordpurgatory.com with DNSimple so the domain exists already, let's drop it in:

Finding the domain already registered, Cloudflare now needs me to update DNS to point over to their nameservers:

This is the one part of the process that feels a bit rough TBH; the "Add Site" page pops in a new tab and we're now embarking on the "classic" path to add a site to Cloudflare:

Free is good 😎

Often when you're moving a domain over to Cloudflare there'll be existing DNS records. When that's the case, they're listed in the screen below but as this is a brand new domain that's presently doing absolutely nothing, we'll ignore that and just continue (we'll add DNS records later when the domain is bound to the Cloudflare Pages resource):

Nameserver time! Cloudflare has identified the existing 4 nameservers at DNSimple and given me 2 of their own to replace these with:

How you update nameservers will depend on who your domain registrar is, but it's all pretty much the same process and it looks like this on DNSimple:

And that's it. Well, other than waiting for DNS magic to do its thing and propagate, let's head back to Cloudflare and hit that "Done, check nameservers" button. (Whilst writing that sentence, email confirmation comes through that the domain is now active.) I won't screen cap everything here, the tl;dr is that I turned on all the security things, all the auto minification things, completed the wizard then repeated the "Add a custom domain" process from earlier on. With the domain now added to Cloudflare, they're able to add the appropriate CNAME and activate it against the Pages resource:

Just pausing here for a moment, one of the really cool things about Cloudflare pages compared to more traditional hosting models is that I have no idea where it's hosted! Well, kinda - it's hosted on the hundreds of Cloudflare's edge nodes spread around the world, the point is it's not deployed to, say, the West US data centre like HIBP is. You can see this illustrated via the cf-ray response header which indicates the edge node the request was served from:

Brisbane is just up the road from me so my connection has gone a very short distance to a local instance of the site. Fire up NordVPN, connect to a Norway exit node and suddenly we're getting content from Copenhagen:

What did I have to do to get a massively geographically distributed website up and running? Nothing more than spend about 15 mins and $0 😎

Creating a Cloudflare Worker with Wrangler

Just before we jump into this, a quick note: As I completed the entire code, deployment and blog post and prepared for a celebratory beer, I learned that there's a beta of Functions within Cloudflare Pages that would simplify my implementation. Do check that out if you're going to follow in my footsteps.

This is going to be the heart of Password Purgatory, the API that receives a password and puts people through hell by demanding increasingly bizarre and infeasible criteria in order for it to be accepted. It never will be accepted - there has to be no acceptable password - hence being in purgatory 🙂

Before we go further, the pre-req is Cloudflare's Workers CLI known as "Wrangler". Installation with Node is easy and is documented on the getting started guide for workers. Get it, install it then continue. Make sure you allow Wrangler to manage the Workers in your Cloudflare account:

From the CLI on my local machine, I can now create a brand new project:

wrangler generate password-purgatory-api

This generates all the content required not just to build your own local worker, but inits a new Git repository as well:

The index.js file contains the Worker code and will look familiar if you've previously just created Workers in the browser (check out Serverless to the Max: Doing Big Things for Small Dollars with Cloudflare Workers and Azure Functions and Creating a LaMetric App with Cloudflare Workers and KV for previous examples of Workers).

Let's get to the really cool bit:

wrangler dev

This command fires up the local dev environment which by default, listens on port 8787:

Listening on http://127.0.0.1:8787

Which now means we can do this:

And there we have it - a working worker! That request is then tracked in the CLI:

[2022-03-10 11:38:24] GET password-purgatory-api.troyhunt.workers.dev/ HTTP/1.1 200 OK

Once up and running, you can jump into the Worker code and make edits:

Which the running dev environment immediately picks up on:

 Detected changes...
Script modified; context reset.

And then reflects upon next request:

As this is going to be an API returning JSON, let's tweak it a little to return the right content type in the right format:

addEventListener('fetch', event => {
  event.respondWith(handleRequest(event.request))
})

async function handleRequest(request) {
  const data = {
    message: 'Hello worker!',
  };

  const json = JSON.stringify(data, null, 2);

  return new Response(json, {
    headers: { 'content-type': 'application/json;charset=UTF-8' },
  })
}

Lastly, I'm going to push this up to GitHub into a brand new repo located at https://github.com/troyhunt/password-purgatory-api

Which now means we can do the next really cool bit:

Deploying the Cloudflare Worker from GitHub

Over in the GitHub marketplace, there's an action called Deploy to Cloudflare Workers with Wrangler which does, well, it's kinda self-explanatory. What we're going to do now is configure GitHub to watch for changes and then publish those over to the live running Worker on Cloudflare. As with the Cloudflare Pages example before, I'm going to configure the simplest possible implementation which will mean deploying from "master" (Wrangler's default branch name as opposed to "main" seen earlier when creating the repository directly in GitHub).

Before doing that, we need to give GitHub the secret Cloudflare uses to orchestrate deployments. Cloudflare's API tokens page allows you to create secrets based on templates and there's a handy one ready to go for Workers:

In configuring this, I've named the token "GitHub deployment of Password Purgatory API", selected my Cloudflare account and for the zone, the passwordpurgatory.com account I created earlier on. Once the token is created it's back to GitHub and I've created a secret called "CF_API_TOKEN" with the appropriate value:

That now sits in the public repository out of sight from anyone else, but accessible via the deployment script we're about to create:

Now for the GitHub action itself and again, all this is going to be the bare basics, simple easy go-fast version:

name: Deploy

on:
  push:
    branches:
      - master

jobs:
  deploy:
    runs-on: ubuntu-latest
    name: Deploy
    steps:
      - uses: actions/checkout@v2
      - name: Publish
        uses: cloudflare/wrangler-action@1.3.0
        with:
          apiToken: ${{ secrets.CF_API_TOKEN }}

Note the reference on the last line to the secret I created in the previous step. Save this into the ".github\workflows\main.yml", commit, push and then over in the "Actions" section of the GitHub repo where the magic has already happened:

Let's check it actually exists in Cloudflare by jumping over to the dashboard and drilling down into workers:

Success! But does it actually work? Let's drill down into it further:

The route of password-purgatory-api.troyhunt.workers.dev is generated by Cloudflare and a quick check shows exactly what we'd expect to see:

There's just one more step - defining a custom route. What I really want to do is access this API via api.passwordpurgatory.com and the first thing I'm going to need to do that is a CNAME DNS entry to create the subdomain. Over to Cloudflare's DNS settings and add a new record:

It doesn't matter that the CNAME target is the Cloudflare Pages resource, so long as it's routed to Cloudflare we're going to catch requests to the API in the next step. What we need is a route for the Worker so let's jump down to the "Workers" section of the site we're now on and create the following:

Why that route? Because I want to hit the API like this:

https://api.passwordpurgatory.com/make-hell?password=hunter2

Which works just beautifully:

Finally, just to test this end to end:

1. Added a bunch of code locally to the worker
2. Tested via the Wrangler CLI
3. Pushed to GitHub
4. Watched action run and successfully deploy
5. Checked production Worker in the Cloudflare dashboard by going to "Quick edit" and saw the changes in place
6. Tested the API in the browser

As with Pages, the Worker is also running "on the edge" and for just the same reason as with pages, that's super cool 😎

Summary

I've had a bunch of PRs between live-tweeting earlier today and pushing this blog post just now. Thank you! I'd really like to get this more intelligent; maybe there should be different "paths" for password criteria to mix it up a bit? Maybe it should differ based on the day or time? Maybe based on the requestor's country (which you can easily access via the inbound request)? The optimal approach should be one that keeps the victim trying to get the password right for as long as possible whilst simultaneously infuriating them and burning their time. Either submit your own PRs or leave comments below, I'd love to hear your ideas.

As for Michelle, let's get this code finished up over the coming days and hopefully next week, I'll start sharing spammers' painful attempts to create an acceptable password 🍿

With travel now behind me, I'm back to a stable schedule and doing these on time again. Mind you, I came home to some of the wildest weather I've ever seen here, but it was kinda cool to watch and the kids didn't complain getting days off school. Oh - and I also loaded a bunch of new data breaches this week, the Robinhood one from earlier today being particularly noteworthy with more than 5M unique email addresses. At that and more in this week's update.

References

1. The weather here got a bit crazy, check out how much dirt got dumped into the waterways (drone footage courtesy of Heather Downing)
2. So much water the kids were literally kayaking out of our boat shed (that'll happen on a king tide anyway, but the official tide height was 30cm below that so... if it ever rained like this on a king tide...)
3. I'm going with "dead as a doornail" as far as this screen is concerned (weird when "only" a 27" wide + an ultrawide is barely sufficient...)
4. Sponsored by: CrowdSec - Check out our CTI Console, monitor attacks on your network, mitigate them and get intelligence on attackers. Sign up for free.