War Declared on Default Passwords

Data Breach Today

Initiatives in UK and California Aim to Deep-Six Poor IoT Security Practices. With at least 20 billion new consumer devices set to be internet-connected by 2020, initiatives in the U.K. and California are trying to ensure that as many IoT devices as possible will be out-of-the-box secure, for starters by not shipping with default passwords.

Kanye’s Password

Roger's Information Security

Everyone and his brother, inside of infosec and outside, has been chortling at Kanye’s iPhone password. “How dare you share that man’s password” (it was on CNN, it’s out there now). “How dare you password shame Kanye, at least he has a password.”

Why Was Equifax So Stupid About Passwords?

Data Breach Today

Massive Credit Bureau Stored Users' Plaintext Passwords in Testing Environment. Massive, well-resourced companies are still using live customer data - including their plaintext passwords - in testing environments, violating not just good development practices but also privacy laws.

Twitter: We Goofed; Change Your Password Now

Data Breach Today

Passwords Inadvertently Saved to Log in Plaintext Format; Twitter Blames Bug. Twitter has apologized after it discovered that it had been inadvertently storing users' passwords in plaintext in an internal log, potentially putting them at risk.

The Role of Password Management

Data Breach Today

Gerald Beuchelt of LogMeIn on Overcoming Implementation Challenges. Password management is a critical component of a security strategy that some organizations still find challenging, says Gerald Beuchelt of LogMeIn Inc.

Pwned Passwords, Now As NTLM Hashes!

Troy Hunt

I'm still pretty amazed at how much traction Pwned Passwords has gotten this year. A few months ago, I wrote about Pwned Passwords in Practice which demonstrates a whole heap of great use cases where they've been used in registration, password reset and login flows.

Bridging the Password Gap

Data Breach Today

Rachael Stockton of LastPass says that 81 percent of breaches are caused by weak or reused passwords. So, is it time to take a hard look at password management and consider adding some technology to the practice?

ThreatList: Password Hygiene Remains Lackluster in Global Businesses

Threatpost

Password-sharing persists, but at least multifactor authentication usage is up.

Good Password Hygiene Requires Behavior Changes and Password Managers

PerezBox

The importance of using complex, long and unique passwords. For years I advocated the importance of good hygiene.

I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download

Troy Hunt

Last August, I launched a little feature within Have I Been Pwned (HIBP) I called Pwned Passwords. This was a list of 320 million passwords from a range of different data breaches which organisations could use to better protect their own systems. In reality, this means they probably both have dogs with the same name or some other personal attribute they're naming their passwords after (also bad). Here's what it's all about: There's Now 501,636,842 Pwned Passwords.

Using a Smartphone's Microphone and Speakers to Eavesdrop on Passwords

Schneier on Security

It's amazing that this is even possible: "SonarSnoop: Active Acoustic Side-Channel Attacks": Abstract: We report the first active acoustic side-channel attack.

Reasonably Clever Extortion E-mail Based on Password Theft

Schneier on Security

Imagine you've gotten your hands on a file of e-mail addresses and passwords. You convince the owners of the password to send you money. I recently saw a spam e-mail that ties the password to a porn site. I do know, yhhaabor, is your password.

86% of Passwords are Terrible (and Other Statistics)

Troy Hunt

A couple of months ago, I launched version 2 of Pwned Passwords. In other words, once a password has appeared in a data breach and it ends up floating around the web for all sorts of nefarious parties to use, don't let your customers use that password! Now, as I say in the aforementioned blog post (and in the post launching V1 before it), it's not always that black and white and indeed outright blocking every pwned password has all sorts of usability ramifications as well.

Password Expiration

Roger's Information Security

FTC Chief Technologist Lorrie Cranor wrote in March that it is time to reconsider mandatory password changes: unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases. And even if a password has been compromised, changing the password may be ineffective, especially if other steps aren’t taken to correct security problems. I like to use a password manager.

How to lose your password

Thales Data Security

The tsunami of passwords that exist across every aspect of our digital life means that there’s a thriving underground industry of cyber-criminals trying to get at them. This time passwords were lightly protected by the 1970s-era DES algorithm.

Pwned Passwords V3 is Now Live!

Troy Hunt

Over recent weeks, I've begun planning the release of the 3rd version of Pwned Passwords. If you cast your mind back, version 1 came along in August last year and contained 320M passwords. I made all the data downloadable as SHA-1 hashes (for reasons explained in that post) and stood up a basic API to enable anyone to query it by plain text password or hash. We'll start with the raw numbers: in total, there are 517,238,891 passwords which is 15.6M

How to Change Your Twitter Password Right Now

WIRED Threat Level

On World Password Day, Twitter discloses a major gaffe that left user passwords potentially vulnerable.

Calif. Law Takes Aim at Weak IoT Passwords

Threatpost

Concerns over data privacy and security push California to roll out the first legislation on connected devices.

Password Management

PerezBox

The year is 2017 and we continue to give advice on the process of creating passwords. The phrase “These are the tips to creating a secure password”

The Series 5 YubiKey Will Help Kill the Password

WIRED Threat Level

The latest batch of hardware-based tokens from Yubico will eventually let you skip the password altogether.

Enhancing Pwned Passwords Privacy by Exclusively Supporting Anonymity

Troy Hunt

When I launched Pwned Passwords in August, I honestly didn't know how much it would be used. I made 320M SHA-1 password hashes downloadable and also stood up an API to query the data "as a service" by either a plain text password or a SHA-1 hash. I launched V2 in February and pumped the number of passwords up to just over half a billion. On 1 June 2018, all Pwned Password API endpoints that don't enforce anonymity will be retired.

Time to Change Your Password!

The Texas Record

Isn’t it fun to use different passwords for all of the dozens of accounts you use and just when you think you’ve got them memorized you’re forced to change them every few months? The standards on password usage are changing.

Employees Share Average of 6 Passwords With Co-Workers

Dark Reading

Password-sharing and reuse is still prominent, but multifactor authentication is on the rise, new study shows.

Lenovo Fixes Hardcoded Password Flaw Impacting ThinkPad Fingerprint Scanners

Threatpost

Lenovo said nearly a dozen ThinkPad and ThinkCentre laptops contain a hardcoded password flaw.

Why So Many People Make Their Password 'Dragon'

WIRED Threat Level

The mythical creature's popularity says a lot about the psychology of password creation.

Revamp of ‘Pwned Passwords’ Boosts Privacy and Size of Database

Threatpost

Troy Hunt has expanded his Pwned Passwords tool with 80 million more passwords, to help users find if their passwords have been compromised.

Pwned Passwords in Practice: Real World Examples of Blocking the Worst Passwords

Troy Hunt

Back in August, I pushed out a service as part of Have I Been Pwned (HIBP) to help organisations block bad passwords from their online things. I called it "Pwned Passwords" and released 320M of them from real-world data breaches via both a downloadable file and an online service. For example, the list MAY include, but is not limited to: Passwords obtained from previous breach corpuses. Seen a password in a data breach before?

Sextortionists Shift Scare Tactics to Include Legit Passwords

Threatpost

The scam emails offer, as proof of compromise, a password associated with the target’s online accounts.

Get a Password Manager. Here's Where to Start

WIRED Threat Level

How important are password managers? Even their flaws double as reminders why you need one.

Microsoft Deletes Passwords for Azure Active Directory Applications

Dark Reading

At Ignite 2018, security took center stage as Microsoft rolled out new security services and promised an end to passwords for online apps.

Twitter Urges Users to Change Passwords Due to Glitch

Threatpost

A glitch caused Twitter passwords to be stored in plain text on an internal log.

Replay Sessions From Mixpanel and Others Have Recorded Passwords

WIRED Threat Level

Analytics services are unintentionally collecting a mass of passwords and other sensitive data, new research shows.

How Long is Long Enough? Minimum Password Lengths by the World's Top Sites

Troy Hunt

I've been giving a bunch of thought to passwords lately. Some won't let you paste a password. I particularly focused on how today's thinking is at odds with many of the traditional views of how passwords should be handled. That post has a lot of guidance from the NCSC in the UK and NIST in the US and it debunked many of those long-held beliefs; get rid of complexity rules, allow long passwords, let people paste them and move away from forced rotation.

Community Channel’s Natalie Tran on Password Policy

Roger's Information Security

MPs admit to sharing passwords

IT Governance

It only takes one password to fall into the wrong hands for cyber criminals to be able to access your systems and networks and cause harm. Sharing passwords often occurs because team members trust one another and share the workload, but what would happen if one of those employees turned rogue?

More Than Half of Users Reuse Passwords

Dark Reading

Users are terrible at passwords and the problem is only getting worse, according to an expansive study of more than 100 million passwords and their owners.

Take These 7 Steps Now to Reach Password Perfection

WIRED Threat Level

Admit it: Your passwords aren't great. But if you fix them up, you'll have a solid first-line digital defense.

'Password Check Required'? Not So Fast

Dark Reading

The most successful phishing emails tell users to check their passwords or investigate security alerts.

Wanna Get Away – Generals Password

Roger's Information Security

The General’s password is ihatemyjob1. Not a bad password. If the password file is compromised, this wouldn’t be enough to prevent breaking the hash. For accounts where a password safe can be used to ease login, random would be better. The General’s password is echoed to the screen. Typical security controls require that your password not be displayed on the screen. I see this was posted 3 months ago to YouTube, but it’s new to me.

The Trouble with Politicians Sharing Passwords

Troy Hunt

In this case, that secret is her password and, well, just read it: My staff log onto my computer on my desk with my login everyday. To be fair to Nadine, she's certainly not the only one handing her password out to other people. In fact I often forget my password and have to ask my staff what it is. Passwords are regularly changed. There is no need to share your password for them to access your email.

Millions of Office 365 Accounts Hit with Password Stealers

Dark Reading

Phishing emails disguised as tax-related alerts aim to trick users into handing attackers their usernames and passwords.

Hacking WiFi Password in a few steps using a new attack on WPA/WPA2

Security Affairs

A security researcher has devised a new WiFi hacking technique that could be exploited to easily crack WiFi passwords of most modern routers. An attacker can obtain the WPA PSK (Pre-Shared Key) password from the PMKID. The time to crack the password depends on its complexity.

Your Password Is 12345? Password FAIL

JKevinParker

It's hard to fathom why people don't get that 12345, 123456, and other similarly stupid passwords make their own information and their organization's info much less secure. Do better with passwords!