The Timing, the Treatment, the Question: Comparison of Epidemiologic Approaches to Minimize Immortal Time Bias in Real-World Data Using a Surgical Oncology Example
Background: Studies evaluating the effects of cancer treatments are prone to immortal time bias that, if unaddressed, can lead to treatments appearing more beneficial than they are. Methods: To demonstrate the impact of immortal time bias, we compared results across several analytic approaches (dichotomous exposure, dichotomous exposure excluding immortal time, time-varying exposure, landmark analysis, clone-censor-weight method), using surgical resection among women with metastatic breast cancer as an example. All adult women diagnosed with incident metastatic breast cancer from 2013–2016 in the National Cancer Database were included. To quantify immortal time bias, we also conducted a simulation study where the “true” relationship between surgical resection and mortality was known. Results: 24,329 women (median age 61, IQR 51–71) were included, and 24% underwent surgical resection. The largest association between resection and mortality was observed when using a dichotomized exposure [HR, 0.54; 95% confidence interval (CI), 0.51–0.57], followed by dichotomous with exclusion of immortal time (HR, 0.62; 95% CI, 0.59–0.65). Results from the time-varying exposure, landmark, and clone-censor-weight method analyses were closer to the null (HR, 0.67–0.84). Results from the plasmode simulation found that the time-varying exposure, landmark, and clone-censor-weight method models all produced unbiased HRs (bias -0.003 to 0.016). Both standard dichotomous exposure (HR, 0.84; bias, -0.177) and dichotomous with exclusion of immortal time (HR, 0.93; bias, -0.074) produced meaningfully biased estimates. Conclusions: Researchers should use time-varying exposures with a treatment assessment window or the clone-censor-weight method when immortal time is present. Impact: Using methods that appropriately account for immortal time will improve evidence and decision-making from research using real-world data.
Cracking PwdHash: A Bruteforce Attack on Client-side Password Hashing
PwdHash is a widely-used tool for client-side password hashing. Originally released as a browser extension, it replaces the user’s password with a hash that combines both the password and the website’s domain. As a result, while the user only remembers a single secret, the passwords received are all unique for each site. We demonstrate how the hashcat password recovery tool can be extended to allow passwords generated using PwdHash to be identified and recovered, revealing the user’s master password. A leak from a single website can therefore compromise a user’s account on other sites where PwdHash was used. We describe the changes made to hashcat to support our approach, and explore the impact this has on speed of recovery. David Llewellyn-Jones thanks the European Research Council for funding this research through grant StG 307224 (Pico). Graham Rymer thanks the Cabinet Office/OCSIA for their financial support.