Nihilistic Password Security Questions

Schneier on Security

Uncategorized humor passwords security questionsPosted three years ago, but definitely appropriate for the times.

Ukraine Nabs Suspect in 773M Password ?Megabreach?

Krebs on Security

In January 2019, dozens of media outlets raised the alarm about a new “megabreach” involving the release of some 773 million stolen usernames and passwords that was breathlessly labeled “the largest collection of stolen data in history.” Sanix became famous last year for posting to hacker forums that he was selling the 87GB password dump, labeled “ Collection #1. By far the most important passwords are those protecting our email inbox(es).

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Password Changing After a Breach

Schneier on Security

This study shows that most people don't change their passwords after a breach, and if they do they change it to a weaker password. Abstract: To protect against misuse of passwords compromised in a breach, consumers should promptly change affected passwords and any similar passwords on other accounts. New passwords were on average 1.3× stronger than old passwords (when comparing log 10 -transformed strength), though most were weaker or of equal strength.

Cracking Forgotten Passwords

Schneier on Security

It's "useful for cracking passwords you kinda-remember." You tell the program what you remember about the password and it tries related passwords. I learned about it in this article about Phil Dougherty, who helps people recover lost cryptocurrency passwords (mostly Ethereum) for a cut of the recovered value. cryptocurrency passwordsExpandpass is a string expansion program.

Password Manager Weaknesses Revealed

Data Breach Today

The latest edition of the ISMG Security Report describes vulnerabilities found in popular password generator apps. Plus, the evolution of blockchain as a utility and a new decryptor for GandCrab ransomware

Eliminate the Password, Eliminate the Password Problem.

The Security Ledger

Weak, stolen or reused passwords are the root of 8 in 10 data breaches. Fixing the data breach problem means abandoning passwords for something more secure. Episode 163: Cyber Risk has a Dunning-Kruger Problem Also: Bad Password Habits start at Home. biometrics Companies LastPass Passwords protocol Software Sponsors Technologies Top Stories opinion passwordBut what does passwordless authentication even look like?

4 Automated Password Policy Enforcers for NIST Password Guidelines

Data Breach Today

Automate Screening of Exposed Passwords and Password Policy Enforcement Here are four automated password policy options we recommend for NIST compliance

Study: Breach Victims Rarely Change Passwords

Data Breach Today

Researchers Call on Breached Companies to Revamp Notification Even after being notified that their personal data has been compromised in a breach, only about a third of users change their passwords - and most are not strong or unique, according to a study by researchers at Carnegie Mellon University, who call for changes in breach notification procedures

Half a Million IoT Passwords Leaked

Schneier on Security

The hacker then tried using (1) factory-set default usernames and passwords, or (2) custom, but easy-to-guess password combinations. Default passwords? dataloss internetofthings leaks passwordsIt is amazing that this sort of thing can still happen: the list was compiled by scanning the entire internet for devices that were exposing their Telnet port.

Default Password for GPS Trackers

Schneier on Security

Many GPS trackers are shipped with the default password 123456. We just need to eliminate default passwords. gps passwords trackingMany users don't change them. This is an easy win.

6 Ways Passwords Fail Basic Security Tests

Dark Reading

New data shows humans still struggle with password creation and management

Pwned Passwords, Version 6

Troy Hunt

Today, almost one year after the release of version 5 , I'm happy to release the 6th version of Pwned Passwords. The data set has increased from 555,278,657 known compromised passwords to a grand total of 572,611,621, up 17,332,964? For example, the old favourite "P@55w0rd" has gone from 2,929 occurrences to 3,069 so still a terrible password, just a little more terrible than what it was before. Pwned Passwords Have I Been Pwned

Facebook Password, Email Contact Mishandling Worsens

Data Breach Today

Millions of Instagram Users Affected by Plain-Text Password Storage Two security issues disclosed by Facebook over the past month are worse than first thought, adding to a harrowing series of data-handling mishaps by the social network. Millions of Instagram users had their plain-text passwords stored, and 1.5

4 Key Considerations for Employee Password Hardening & Compromised Password Monitoring

Data Breach Today

Traditional Methods to Thwart Successful Attacks are Becoming Less Effective The new method of weak and compromised continuous password monitoring can reduce user frustration and IT burden

‘War Dialing’ Tool Exposes Zoom’s Password Problems

Krebs on Security

But without the protection of a password, there’s a decent chance your next Zoom meeting could be “Zoom bombed” — attended or disrupted by someone who doesn’t belong. And according to data gathered by a new automated Zoom meeting discovery tool dubbed “ zWarDial ,” a crazy number of meetings at major corporations are not being protected by a password. zWarDial, an automated tool for finding non-password protected Zoom meetings.

Progress Report: FIDO's Effort to Eliminate Passwords

Data Breach Today

Andrew Shikiar Describes Alliance's Latest Initiatives and How to Overcome Barriers Andrew Shikiar, executive director at the FIDO Alliance, offers an update on the group's efforts to reduce reliance on passwords and discusses how to overcome barriers

Troy Hunt on Passwords

Schneier on Security

Troy Hunt has a good essay about why passwords are here to stay, despite all their security problems: This is why passwords aren't going anywhere in the foreseeable future and why [insert thing here] isn't going to kill them. No amount of focusing on how bad passwords are or how many accounts have been breached or what it costs when people can't access their accounts is going to change that. authentication biometrics passwords

The Risk of Weak Online Banking Passwords

Krebs on Security

If you bank online and choose weak or re-used passwords, there’s a decent chance your account could be pilfered by cyberthieves — even if your bank offers multi-factor authentication as part of its login process. Crooks are constantly probing bank Web sites for customer accounts protected by weak or recycled passwords. A screenshot of a password-checking tool being used to target Chase Bank customers who re-use passwords from other sites.

Gamifying Password Training Shows Security Benefits

Dark Reading

When picking passwords, users often fall back on certain insecure patterns, but good habits can be learned using simple games, a group of researchers find

War Declared on Default Passwords

Data Breach Today

and California are trying to ensure that as many IoT devices as possible will be out-of-the-box secure, for starters by not shipping with default passwords Initiatives in UK and California Aim to Deep-Six Poor IoT Security Practices With at least 20 billion new consumer devices set to be internet-connected by 2020, initiatives in the U.K.

Sextortion Scam Wields Stolen Passwords, Demands Bitcoins

Data Breach Today

Attackers Send a Leaked Password as 'Proof' Victim Was Hacked Scammers behind an ongoing "sextortion" campaign have been emailing a legitimate password - likely from a publicly leaked list - to victims with a threat to release a compromising video of the recipient unless they pay up in bitcoins, Barracuda Networks warns

Flipboard Resets Passwords After Database Intrusions

Data Breach Today

Hashed and Salted Usernames and Passwords Exposed News aggregator Flipboard has initiated a systemwide password reset affecting as many as 150 million users following two database intrusions. Flipboard doesn't collect ID or financial information, but users could be at risk if they have reused their Flipboard password on other services

Why Are We So Stupid About RDP Passwords?

Data Breach Today

Ransomware Gangs Keep Pwning Poorly Secured Remote Desktop Protocol Endpoints In honor of World Password Day, here's a task for every organization that uses remote desktop protocol: Ensure that all of your organization's internet-facing RDP ports have a password - and that it's complex and unique

Half a Million IoT Device Passwords Published

Schneier on Security

It's a list of easy-to-guess passwords for IoT devices on the Internet as recently as last October and November. The list, which was published on a popular hacking forum, includes each device's IP address, along with a username and password for the Telnet service , a remote access protocol that can be used to control devices over the internet. The hacker than tried using (1) factory-set default usernames and passwords, or (2) custom, but easy-to-guess password combinations.

Facebook Password, Email Contact Mishandling Deepens

Data Breach Today

Millions of Instagram Users Affected by Plain-Text Password Storage Two security issues disclosed by Facebook over the past month are worse than first thought, adding to a harrowing series of data-handling mishaps by the social network. Millions of Instagram users had their plain-text passwords stored, and 1.5

Retailer Orvis.com Leaked Hundreds of Internal Passwords on Pastebin

Krebs on Security

Orvis , a Vermont-based retailer that specializes in high-end fly fishing equipment and other sporting goods, leaked hundreds of internal passwords on Pastebin.com for several weeks last month, exposing credentials the company used to manage everything from firewalls and routers to administrator accounts and database servers, KrebsOnSecurity has learned. Microsoft Active Directory accounts and passwords.

Google Stored Unhashed G Suite Passwords for Years

Data Breach Today

Passwords Remained Encrypted for Enterprise Users Google is notifying administrators and users of its business-oriented G Suite product that the company had been storing unhashed passwords for years because of a flaw in the platform. The company believes no customer data was leaked and that all passwords remained encrypted

Report: Facebook Stored Millions of Passwords in Plaintext

Data Breach Today

Facebook Under Fresh Scrutiny Over How It Stored User Passwords Facebook has corrected an internal security issue that allowed the company to store millions of user passwords in plaintext that were then available to employees through an internal search tool

Google’s Chrome 86: Critical Payments Bug, Password Checker Among Security Notables

Threatpost

Google is rolling out 35 security fixes, and a new password feature, in Chrome 86 versions for Windows, Mac, Android and iOS users.

Password Managers Leave Crumbs in Memory, Researchers Warn

Data Breach Today

Popular Password Managers for Windows Fail to Tidy Up Before Locking Up Shop A security audit of popular password manager has revealed some concerning weaknesses. But the research shows that some password managers need to more thoroughly scrub data left in memory Luckily, none of the problems are showstoppers that should put people off using such applications.

TeamViewer Flaw in Windows App Allows Password-Cracking

Threatpost

Remote, unauthenticated attackers could exploit the TeamViewer flaw to execute code and crack victims' passwords. Vulnerabilities Web Security crack passwords CVE-2020-13699 desktop app flaw high severity flaw patch remote code execution TeamViewer TeamViewer for windows Windows

Android Malware Bypasses 2FA And Targets Telegram, Gmail Passwords

Threatpost

Hacks Malware Mobile Security Vulnerabilities Web Security 2FA Android malware infostealer Iranian threat group malware password stealer rampant kitten threat group Two Factor Authentication

Dell, Dunkin Donuts Reset Passwords After Incidents

Data Breach Today

The Impacts of Both Incidents Appear to Be Limited Dell and Dunkin Donuts have both initiated password resets after experiencing separate security incidents aimed at gaining access to customer accounts. The impacts of the attacks, however, appear to be limited

Why Was Equifax So Stupid About Passwords?

Data Breach Today

Massive Credit Bureau Stored Users' Plaintext Passwords in Testing Environment Massive, well-resourced companies are still using live customer data - including their plaintext passwords - in testing environments, violating not just good development practices but also privacy laws.

Cracking the Passwords of Early Internet Pioneers

Schneier on Security

Weakest of all was the password for Unix contributor Brian W. None of the passwords included the quotation marks.). I don't remember any of my early passwords, but they probably weren't much better. historyofcomputing historyofsecurity passwordsLots of them weren't very good : BSD co-inventor Dennis Ritchie, for instance, used "dmac" (his middle name was MacAlistair); Stephen R.

Updated FTCODE Ransomware Now Steals Credentials, Passwords

Data Breach Today

Revamped Malware Targets Browsers and Email Clients FTCODE, a ransomware strain that has been active since at least 2013, has recently been revamped to include new features, including the ability to steal credentials and passwords from web browsers and email clients, according to two research reports released this week

Pwned Passwords, Version 5

Troy Hunt

Almost 2 years ago to the day, I wrote about Passwords Evolved: Authentication Guidance for the Modern Era. Shortly after that blog post I launched Pwned Passwords with 306M passwords from previous breach corpuses. I made the data downloadable and also made it searchable via an API, except there are obvious issues with enabling someone to send passwords to me even if they're hashed as they were in that first instance. 3,768,890 passwords.

Bridging the Password Gap

Data Breach Today

Rachael Stockton of LastPass says that 81 percent of breaches are caused by weak or reused passwords. So, is it time to take a hard look at password management and consider adding some technology to the practice

Tom Jermoluk on 'The End of Passwords'

Data Breach Today

Beyond Identity Co-Founder Discusses Mission, Timing of Latest Start-Up With $30 million in funding, Silicon Valley icons Jim Clark and Tom (TJ) Jermoluk launched Beyond Identity, a new identity management platform that promises "the end of passwords."

Party Like Every Day Is World Password Day

Data Breach Today

Cause for Celebration: Microsoft Stops Recommending Periodic Password Changes Every day needs to be password security day - attackers certainly aren't dormant the other 364 days of the year. But as World Password Day rolls around again, there's cause for celebration as Microsoft finally stops recommending periodic password changes