Password Manager Weaknesses Revealed

Data Breach Today

The latest edition of the ISMG Security Report describes vulnerabilities found in popular password generator apps. Plus, the evolution of blockchain as a utility and a new decryptor for GandCrab ransomware.

Password Managers Leave Crumbs in Memory, Researchers Warn

Data Breach Today

Popular Password Managers for Windows Fail to Tidy Up Before Locking Up Shop. A security audit of popular password managers has revealed some concerning weaknesses: the research shows that some password managers need to more thoroughly scrub data left in memory.

Troy Hunt on Passwords

Schneier on Security

Troy Hunt has a good essay about why passwords are here to stay, despite all their security problems: "This is why passwords aren't going anywhere in the foreseeable future and why [insert thing here] isn't going to kill them."

Dell, Dunkin Donuts Reset Passwords After Incidents

Data Breach Today

The Impacts of Both Incidents Appear to Be Limited. Dell and Dunkin Donuts have both initiated password resets after experiencing separate security incidents aimed at gaining access to customer accounts.

Which are the worst passwords for 2018?

Security Affairs

The SplashData report confirms that 123456 is the most used password for the 5th year in a row. The 2018 top 10 most used passwords are: 123456, password, 123456789, 12345678, 12345, 111111, 1234567, sunshine, qwerty, iloveyou.

Twitter: We Goofed; Change Your Password Now

Data Breach Today

Passwords Inadvertently Saved to Log in Plaintext Format; Twitter Blames Bug. Twitter has apologized after it discovered that it had been inadvertently storing users' passwords in plaintext in an internal log, potentially putting them at risk.

Sextortion Scam Wields Stolen Passwords, Demands Bitcoins

Data Breach Today

Attackers Send a Leaked Password as 'Proof' Victim Was Hacked. Scammers behind an ongoing "sextortion" campaign have been emailing a legitimate password - likely from a publicly leaked list - to victims with a threat to release a compromising video of the recipient unless they pay up in bitcoins, Barracuda Networks warns.

Citrix Falls Prey to Password-Spraying Attack

Threatpost

International cybercriminals likely exploited weak passwords on an internal network, the FBI said.

War Declared on Default Passwords

Data Breach Today

Initiatives in UK and California Aim to Deep-Six Poor IoT Security Practices. With at least 20 billion new consumer devices set to be internet-connected by 2020, initiatives in the U.K. and California are trying to ensure that as many IoT devices as possible will be out-of-the-box secure, for starters by not shipping with default passwords.

A Breach, or Just a Forced Password Reset?

Krebs on Security

Software giant Citrix Systems recently forced a password reset for many users of its Sharefile content collaboration service, warning it would be doing this on a regular basis in response to password-guessing attacks that target people who re-use passwords across multiple Web sites.

Password Manager Firms Blast Back at ‘Leaky Password’ Revelations

Threatpost

1Password, Dashlane, KeePass and LastPass each downplay what researchers say is a flaw in how the utilities manage memory.

On the Security of Password Managers

Schneier on Security

There's new research on the security of password managers, specifically 1Password, Dashlane, KeePass, and LastPass. This work specifically looks at password leakage on the host computer. "All password managers we examined sufficiently secured user secrets while in a 'not running' state."

Citrix Breach Underscores Password Perils

Dark Reading

Attackers used a short list of passwords to knock on every digital door to find vulnerable systems in the vendor's network.

Why Was Equifax So Stupid About Passwords?

Data Breach Today

Massive Credit Bureau Stored Users' Plaintext Passwords in Testing Environment. Massive, well-resourced companies are still using live customer data - including their plaintext passwords - in testing environments, violating not just good development practices but also privacy laws.

Bridging the Password Gap

Data Breach Today

Rachael Stockton of LastPass says that 81 percent of breaches are caused by weak or reused passwords. So, is it time to take a hard look at password management and consider adding some technology to the practice?

Why Are We So Stupid About Passwords? German Edition

Data Breach Today

Politicians' All-Star Password Picks: '123' and 'ILoveYou'. German officials say the suspect behind the mega-leak of politicians' and celebrities' personal details exploited their weak passwords to access email, social media and cloud service accounts. What can the security industry do to help address the password problem?

The Role of Password Management

Data Breach Today

Gerald Beuchelt of LogMeIn on Overcoming Implementation Challenges. Password management is a critical component of a security strategy that some organizations still find challenging, says Gerald Beuchelt of LogMeIn Inc.

Cisco Patches Critical ‘Default Password’ Bug

Threatpost

Vulnerability allows adversaries to access monitoring system used for gathering info on operating systems and hardware.

Sextortion Scam Uses Recipient’s Hacked Passwords

Krebs on Security

The email now references a real password previously tied to the recipient’s email address. But this one begins with an unusual opening salvo: “I’m aware that <substitute password formerly used by recipient here> is your password,” reads the salutation. That’s because there are a number of shady password lookup services online that index billions of usernames (i.e.

Here's Why [Insert Thing Here] Is Not a Password Killer

Troy Hunt

Often it's related to data breaches or sloppy behaviour on behalf of some online service playing fast and loose with HTTPS or passwords or some other easily observable security posture. It's totally going to kill passwords!

Threatpost Poll: Are Password Managers Too Risky?

Threatpost

Weigh in on password managers with our Threatpost poll.

Beyond Passwords: 2FA, U2F and Google Advanced Protection

Troy Hunt

Last week I wrote a couple of different pieces on passwords, firstly about why we're going to be stuck with them for a long time yet and then secondly, about how we all bear some responsibility for making good password choices. "I should be able to use any password I want", he lamented.

Houzz Urges Password Resets After Data Breach

Threatpost

The decorating website said that account usernames, passwords and more have been compromised as part of a breach.

Passwords: Here to Stay, Despite Smart Alternatives?

Threatpost

"Password-killing" authentication efforts may be on a road to nowhere.

Pwned Passwords, Now As NTLM Hashes!

Troy Hunt

I'm still pretty amazed at how much traction Pwned Passwords has gotten this year. A few months ago, I wrote about Pwned Passwords in Practice which demonstrates a whole heap of great use cases where they've been used in registration, password reset and login flows.

Instagram glitch exposed some user passwords

Security Affairs

Instagram has suffered a serious security leak that might have exposed users' passwords, revealed The Information website. Instagram notified some of its users that it might have accidentally exposed their password due to a security glitch.

Kanye’s Password

Roger's Information Security

Everyone and his brother, inside of infosec and outside, has been chortling at Kanye's iPhone password. "How dare you share that man's password" (it was on CNN, it's out there now). "How dare you password shame Kanye, at least he has a password."

When Accounts are "Hacked" Due to Poor Passwords, Victims Must Share the Blame

Troy Hunt

The first one was about HSBC disclosing a "security incident" which, upon closer inspection, boiled down to this: The security incident that HSBC described in its letter seems to fit the characteristics of brute-force password-guessing attempts, also known as a credentials stuffing attack.

MacOS Zero-Day Exposes Apple Keychain Passwords

Threatpost

A researcher who discovered a flaw letting him steal passwords in MacOS is not sharing his findings with Apple without a macOS bug bounty program.

Abine says Blur Password Manager User Information Exposed

The Security Ledger

Customers who use the Blur secure password manager by Abine may have had sensitive information leaked, according to a statement by Abine, the company that makes the product.

Threatpost Data: Password Managers Are Worth the Risk, Readers Say

Threatpost

A Threatpost reader poll examined risk, vulnerabilities, 2FA, the human element, attitudes on spreadsheets and more when it comes to password managers.

How to lose your password

Thales eSecurity

The tsunami of passwords that exist across every aspect of our digital life means that there’s a thriving underground industry of cyber-criminals trying to get at them. This time passwords were lightly protected by the 1970s-era DES algorithm.

I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download

Troy Hunt

Last August, I launched a little feature within Have I Been Pwned (HIBP) I called Pwned Passwords. This was a list of 320 million passwords from a range of different data breaches which organisations could use to better protect their own systems. In reality, this means they probably both have dogs with the same name or some other personal attribute they're naming their passwords after (also bad). Here's what it's all about: There's Now 501,636,842 Pwned Passwords.

14 Ways to Create a Secure Password in 2019 (That you’ll Remember)

IG Guru

There is a mounting requirement to be able to create and safely memorize hundreds of passwords. Over the years, many password tricks have been invented, such as using a formula or mashing […].

Reasonably Clever Extortion E-mail Based on Password Theft

Schneier on Security

Imagine you've gotten your hands on a file of e-mail addresses and passwords. You convince the owners of the password to send you money. I recently saw a spam e-mail that ties the password to a porn site. I do know, yhhaabor, is your password.

A New Google Chrome Extension Will Detect Your Unsafe Passwords

WIRED Threat Level

“Password Checkup” isn’t a password manager but a simple tool that warns you if you’re using a password that’s been exposed in data breaches.

Using a Smartphone's Microphone and Speakers to Eavesdrop on Passwords

Schneier on Security

It's amazing that this is even possible: "SonarSnoop: Active Acoustic Side-Channel Attacks": Abstract: We report the first active acoustic side-channel attack.

86% of Passwords are Terrible (and Other Statistics)

Troy Hunt

A couple of months ago, I launched version 2 of Pwned Passwords. In other words, once a password has appeared in a data breach and it ends up floating around the web for all sorts of nefarious parties to use, don't let your customers use that password! Now, as I say in the aforementioned blog post (and in the post launching V1 before it), it's not always that black and white and indeed outright blocking every pwned password has all sorts of usability ramifications as well.

Pwned Passwords V3 is Now Live!

Troy Hunt

Over recent weeks, I've begun planning the release of the 3rd version of Pwned Passwords. If you cast your mind back, version 1 came along in August last year and contained 320M passwords. I made all the data downloadable as SHA-1 hashes (for reasons explained in that post) and stood up a basic API to enable anyone to query it by plain text password or hash. We'll start with the raw numbers: in total, there are 517,238,891 passwords which is 15.6M

Google Ditches Passwords in Latest Android Devices

Threatpost

Google has announced FIDO2 certification for devices running on Android 7 and above - meaning that users can use biometrics, fingerprint login or PINs instead of passwords.