Pwned Passwords, Version 5

Troy Hunt

Almost 2 years ago to the day, I wrote about Passwords Evolved: Authentication Guidance for the Modern Era. Shortly after that blog post I launched Pwned Passwords with 306M passwords from previous breach corpuses. 3,768,890 passwords. Have I Been Pwned Pwned Passwords

Risks of Password Managers

Schneier on Security

Stuart Schechter writes about the security risks of using a password manager. It's a good piece, and nicely discusses the trade-offs around password managers: which one to choose, which passwords to store in it, and so on. My own Password Safe is mentioned.

Flipboard Resets Passwords After Database Intrusions

Data Breach Today

Hashed and Salted Usernames and Passwords Exposed News aggregator Flipboard has initiated a systemwide password reset affecting as many as 150 million users following two database intrusions.

Google Stored Unhashed G Suite Passwords for Years

Data Breach Today

Passwords Remained Encrypted for Enterprise Users Google is notifying administrators and users of its business-oriented G Suite product that the company had been storing unhashed passwords for years because of a flaw in the platform.

Password Manager Weaknesses Revealed

Data Breach Today

The latest edition of the ISMG Security Report describes vulnerabilities found in popular password generator apps. Plus, the evolution of blockchain as a utility and a new decryptor for GandCrab ransomware

Slack Initiates Mass Password Reset

Threatpost

Breach Cloud Security Hacks Privacy 2015 incident credential harvesting data breach password reset security breach SlackMore victims of a 2015 credential-harvesting incident have come to light.

Password Managers Leave Crumbs in Memory, Researchers Warn

Data Breach Today

Popular Password Managers for Windows Fail to Tidy Up Before Locking Up Shop A security audit of popular password manager has revealed some concerning weaknesses. But the research shows that some password managers need to more thoroughly scrub data left in memory

Facebook Password, Email Contact Mishandling Worsens

Data Breach Today

Millions of Instagram Users Affected by Plain-Text Password Storage Two security issues disclosed by Facebook over the past month are worse than first thought, adding to a harrowing series of data-handling mishaps by the social network. Millions of Instagram users had their plain-text passwords stored, and 1.5

Dell, Dunkin Donuts Reset Passwords After Incidents

Data Breach Today

The Impacts of Both Incidents Appear to Be Limited Dell and Dunkin Donuts have both initiated password resets after experiencing separate security incidents aimed at gaining access to customer accounts.

Facebook Password, Email Contact Mishandling Deepens

Data Breach Today

Millions of Instagram Users Affected by Plain-Text Password Storage Two security issues disclosed by Facebook over the past month are worse than first thought, adding to a harrowing series of data-handling mishaps by the social network. Millions of Instagram users had their plain-text passwords stored, and 1.5

Surprising Password Guidelines from NIST

Data Breach Today

NIST Cyber Security Framework NIST guidelines often become the foundation for best practice recommendations across the security industry and are incorporated into other standards

Which are the worst passwords for 2018?

Security Affairs

Which are the worst passwords for 2018? SplashData report confirms that 123456 is the most used password for the 5th year in a row. Below the 2018 top 10 most used passwords are: 123456 password 123456789 12345678 12345 111111 1234567 sunshine qwerty iloveyou.

Google Stored G Suite Passwords in Plaintext Since 2005

Threatpost

Google said it had stored G Suite enterprise users' passwords in plain text since 2005 marking a giant security faux pas. Cloud Security G Suite Gmail google google cloud google security Password password store plain text

Troy Hunt on Passwords

Schneier on Security

Troy Hunt has a good essay about why passwords are here to stay, despite all their security problems: This is why passwords aren't going anywhere in the foreseeable future and why [insert thing here] isn't going to kill them. authentication biometrics passwords

Party Like Every Day Is World Password Day

Data Breach Today

Cause for Celebration: Microsoft Stops Recommending Periodic Password Changes Every day needs to be password security day - attackers certainly aren't dormant the other 364 days of the year. But as World Password Day rolls around again, there's cause for celebration as Microsoft finally stops recommending periodic password changes

War Declared on Default Passwords

Data Breach Today

and California are trying to ensure that as many IoT devices as possible will be out-of-the-box secure, for starters by not shipping with default passwords Initiatives in UK and California Aim to Deep-Six Poor IoT Security Practices With at least 20 billion new consumer devices set to be internet-connected by 2020, initiatives in the U.K.

Sextortion Scam Wields Stolen Passwords, Demands Bitcoins

Data Breach Today

Attackers Send a Leaked Password as 'Proof' Victim Was Hacked Scammers behind an ongoing "sextortion" campaign have been emailing a legitimate password - likely from a publicly leaked list - to victims with a threat to release a compromising video of the recipient unless they pay up in bitcoins, Barracuda Networks warns

Twitter: We Goofed; Change Your Password Now

Data Breach Today

Passwords Inadvertently Saved to Log in Plaintext Format; Twitter Blames Bug Twitter has apologized after it discovered that it had been inadvertently storing users' passwords in plaintext in an internal log, potentially putting them at risk.

Over 23 million breached accounts were using ‘123456’ as password

Security Affairs

A cyber survey conducted by the United Kingdom’s National Cyber Security Centre (NCSC) revealed that ‘123456’ is still the most hacked password. million user accounts worldwide were using ‘123456’ as password, while 7.7 SecurityAffairs – Top breached passwords, hacking).

Passwords Advice

Adam Shostack

Bruce Marshall has put together a comparison of OWASP ASVS v3 and v4 password requirements: OWASP ASVS 3.0 & 4.0 Comparison. This is useful in and of itself, and is also the sort of thing that more standards bodies should do, by default. It’s all too common to have a new standard come out without clear diffs. It’s all too common for new standards to build closely on other standards, without clearly saying what they’ve altered and why.

A Password Management Report Card

Dark Reading

New research on password management tools identifies the relative strengths and weaknesses of 12 competing offerings

Why Was Equifax So Stupid About Passwords?

Data Breach Today

Massive Credit Bureau Stored Users' Plaintext Passwords in Testing Environment Massive, well-resourced companies are still using live customer data - including their plaintext passwords - in testing environments, violating not just good development practices but also privacy laws.

A Breach, or Just a Forced Password Reset?

Krebs on Security

Software giant Citrix Systems recently forced a password reset for many users of its Sharefile content collaboration service, warning it would be doing this on a regular basis in response to password-guessing attacks that target people who re-use passwords across multiple Web sites.

Bridging the Password Gap

Data Breach Today

Rachael Stockton of LastPass says that 81 percent of breaches are caused by weak or reused passwords. So, is it time to take a hard look at password management and consider adding some technology to the practice

Citrix Hacked by Password-Spraying Attackers, FBI Warns

Data Breach Today

Cyber-Espionage Campaign Appears Separate to Recent Credential-Stuffing Breach Citrix Systems is investigating a suspected hack attack, resulting in the theft of business documents, after being tipped off by the FBI.

Password Manager Firms Blast Back at ‘Leaky Password’ Revelations

Threatpost

Privacy Uncategorized Vulnerabilities 1Password Dashlane insecure memory KeePass LastPass Password password manager1Password, Dashlane, KeePass and LastPass each downplay what researchers say is a flaw in how the utilities manage memory.

The Role of Password Management

Data Breach Today

Gerald Beuchelt of LogMeIn on Overcoming Implementation Challenges Password management is a critical component of a security strategy that some organizations still find challenging, says Gerald Beuchelt of LogMeIn Inc

Why Are We So Stupid About Passwords? German Edition

Data Breach Today

Politicians' All-Star Password Picks: '123' and 'ILoveYou' German officials say the suspect behind the mega-leak of politicians' and celebrities' personal details exploited their weak passwords to access email, social media and cloud service accounts. What can the security industry do to help address the password problem

Sextortion Scam Uses Recipient’s Hacked Passwords

Krebs on Security

The email now references a real password previously tied to the recipient’s email address. But this one begins with an unusual opening salvo: “I’m aware that <substitute password formerly used by recipient here> is your password,” reads the salutation. That’s because there are a number of shady password lookup services online that index billions of usernames (i.e.

Troy Hunt: ‘Messy’ Password Problem Isn’t Getting Better

Threatpost

Poor password hygiene continues to plague the security industry, Troy Hunt said during Infosecurity Europe. Breach Web Security Authentication Have I Been Pwned infosecurity Europe Password password reuse Security Troy Hunt

Goodbye Passwords: Hello Identity Management

Threatpost

As passwords are increasingly viewed as security liabilities, Identity Management solutions are picking up the slack.

Citrix Falls Prey to Password-Spraying Attack

Threatpost

International cybercriminals likely exploited weak passwords on an internal network, the FBI said. Breach Cloud Security Hacks citrix FBI internal network compromise international cyberattack password spraying

Here's Why [Insert Thing Here] Is Not a Password Killer

Troy Hunt

Often it's related to data breaches or sloppy behaviour on behalf of some online service playing fast and loose with HTTPS or passwords or some other easily observable security posture. It's totally going to kill passwords! Passwords Security

Passwords: Here to Stay, Despite Smart Alternatives?

Threatpost

"Password-killing" authentication efforts may be on a road to nowhere. Breach Cloud Security Cryptography IoT Privacy Web Security alternatives Authentication Biometrics fido Password password killer passwords in use Troy Hunt webauthn

Beyond Passwords: 2FA, U2F and Google Advanced Protection

Troy Hunt

Last week I wrote a couple of different pieces on passwords, firstly about why we're going to be stuck with them for a long time yet and then secondly, about how we all bear some responsibility for making good password choices. I should be able to use any password I want", he lamented.

Citrix Breach Underscores Password Perils

Dark Reading

Attackers used a short list of passwords to knock on every digital door to find vulnerable systems in the vendor's network

Pwned Passwords, Now As NTLM Hashes!

Troy Hunt

I'm still pretty amazed at how much traction Pwned Passwords has gotten this year. A few months ago, I wrote about Pwned Passwords in Practice which demonstrates a whole heap of great use cases where they've been used in registration, password reset and login flows.

Google Glitch Left Passwords Unprotected for 14 Years

Adam Levin

Google announced a glitch that stored unencrypted passwords belonging to several business customers, a situation that had been exploitable since 2005. This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords.

Houzz Urges Password Resets After Data Breach

Threatpost

The decorating website said that account usernames, passwords and more have been compromised as part of a breach. Breach Privacy breach data breach houzz Password password reset

On the Security of Password Managers

Schneier on Security

There's new research on the security of password managers, speficially 1Password, Dashlane, KeePass, and Lastpass. This work specifically looks at password leakage on the host computer. All password managers we examined sufficiently secured user secrets while in a 'not running' state.