Dell, Dunkin Donuts Reset Passwords After Incidents

Data Breach Today

The Impacts of Both Incidents Appear to Be Limited. Dell and Dunkin Donuts have both initiated password resets after experiencing separate security incidents aimed at gaining access to customer accounts.

Troy Hunt on Passwords

Schneier on Security

Troy Hunt has a good essay about why passwords are here to stay, despite all their security problems: "This is why passwords aren't going anywhere in the foreseeable future and why [insert thing here] isn't going to kill them."

War Declared on Default Passwords

Data Breach Today

Initiatives in UK and California Aim to Deep-Six Poor IoT Security Practices. With at least 20 billion new consumer devices set to be internet-connected by 2020, initiatives in the U.K. and California are trying to ensure that as many IoT devices as possible will be out-of-the-box secure, for starters by not shipping with default passwords.

Sextortion Scam Wields Stolen Passwords, Demands Bitcoins

Data Breach Today

Attackers Send a Leaked Password as 'Proof' Victim Was Hacked. Scammers behind an ongoing "sextortion" campaign have been emailing a legitimate password - likely from a publicly leaked list - to victims with a threat to release a compromising video of the recipient unless they pay up in bitcoins, Barracuda Networks warns.

A Breach, or Just a Forced Password Reset?

Krebs on Security

Software giant Citrix Systems recently forced a password reset for many users of its Sharefile content collaboration service, warning it would be doing this on a regular basis in response to password-guessing attacks that target people who re-use passwords across multiple Web sites.

Why Are We So Stupid About Passwords? German Edition

Data Breach Today

Politicians' All-Star Password Picks: '123' and 'ILoveYou'. German officials say the suspect behind the mega-leak of politicians' and celebrities' personal details exploited their weak passwords to access email, social media and cloud service accounts. What can the security industry do to help address the password problem?

Why Was Equifax So Stupid About Passwords?

Data Breach Today

Massive Credit Bureau Stored Users' Plaintext Passwords in Testing Environment. Massive, well-resourced companies are still using live customer data - including their plaintext passwords - in testing environments, violating not just good development practices but also privacy laws.

Kanye’s Password

Roger's Information Security

Everyone and his brother, inside of infosec and outside, has been chortling at Kanye's iPhone password. "How dare you share that man's password" (it was on CNN, it's out there now). "How dare you password shame Kanye, at least he has a password."

Which are the worst passwords for 2018?

Security Affairs

The SplashData report confirms that 123456 is the most used password for the 5th year in a row. The 2018 top 10 most used passwords are: 123456, password, 123456789, 12345678, 12345, 111111, 1234567, sunshine, qwerty, iloveyou.

The Role of Password Management

Data Breach Today

Gerald Beuchelt of LogMeIn on Overcoming Implementation Challenges. Password management is a critical component of a security strategy that some organizations still find challenging, says Gerald Beuchelt of LogMeIn Inc.

Bridging the Password Gap

Data Breach Today

Rachael Stockton of LastPass says that 81 percent of breaches are caused by weak or reused passwords. So, is it time to take a hard look at password management and consider adding some technology to the practice?

Passwords: Here to Stay, Despite Smart Alternatives?

Threatpost

"Password-killing" authentication efforts may be on a road to nowhere.

Sextortion Scam Uses Recipient’s Hacked Passwords

Krebs on Security

The email now references a real password previously tied to the recipient’s email address. But this one begins with an unusual opening salvo: “I’m aware that <substitute password formerly used by recipient here> is your password,” reads the salutation. That’s because there are a number of shady password lookup services online that index billions of usernames (i.e.

Abine says Blur Password Manager User Information Exposed

The Security Ledger

Customers who use the Blur secure password manager by Abine may have had sensitive information leaked, according to a statement by Abine, the company that makes the product.

Beyond Passwords: 2FA, U2F and Google Advanced Protection

Troy Hunt

Last week I wrote a couple of different pieces on passwords, firstly about why we're going to be stuck with them for a long time yet and then secondly, about how we all bear some responsibility for making good password choices. "I should be able to use any password I want", he lamented.

Here's Why [Insert Thing Here] Is Not a Password Killer

Troy Hunt

Often it's related to data breaches or sloppy behaviour on behalf of some online service playing fast and loose with HTTPS or passwords or some other easily observable security posture. It's totally going to kill passwords!

Password Expiration

Roger's Information Security

FTC Chief Technologist Lorrie Cranor wrote in March that it is time to reconsider mandatory password changes: "Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases. And even if a password has been compromised, changing the password may be ineffective, especially if other steps aren't taken to correct security problems." I like to use a password manager.

How to lose your password

Thales Data Security

The tsunami of passwords that exist across every aspect of our digital life means that there’s a thriving underground industry of cyber-criminals trying to get at them. This time passwords were lightly protected by the 1970s-era DES algorithm.

Reasonably Clever Extortion E-mail Based on Password Theft

Schneier on Security

Imagine you've gotten your hands on a file of e-mail addresses and passwords. You convince the owners of the passwords to send you money. I recently saw a spam e-mail that ties the password to a porn site. "I do know, yhhaabor, is your password."

ThreatList: Password Hygiene Remains Lackluster in Global Businesses

Threatpost

Password-sharing persists, but at least multifactor authentication usage is up.

Pwned Passwords, Now As NTLM Hashes!

Troy Hunt

I'm still pretty amazed at how much traction Pwned Passwords has gotten this year. A few months ago, I wrote about Pwned Passwords in Practice which demonstrates a whole heap of great use cases where they've been used in registration, password reset and login flows.

773M Password ‘Megabreach’ is Years Old

Krebs on Security

My inbox and Twitter messages positively lit up today with people forwarding stories from Wired and other publications about a supposedly new trove of nearly 773 million unique email addresses and 21 million unique passwords that were posted to a hacking forum.

Using a Smartphone's Microphone and Speakers to Eavesdrop on Passwords

Schneier on Security

It's amazing that this is even possible: "SonarSnoop: Active Acoustic Side-Channel Attacks": Abstract: We report the first active acoustic side-channel attack.

Instagram glitch exposed some user passwords

Security Affairs

Instagram has suffered a serious security leak that might have exposed users' passwords, revealed The Information website. Instagram notified some of its users that it might have accidentally exposed their passwords due to a security glitch.

Good Password Hygiene Requires Behavior Changes and Password Managers

PerezBox

The importance of using complex, long and unique passwords. For years I advocated the importance of good hygiene.

How to Change Your Twitter Password Right Now

WIRED Threat Level

On World Password Day, Twitter discloses a major gaffe that left user passwords potentially vulnerable.

When Accounts are "Hacked" Due to Poor Passwords, Victims Must Share the Blame

Troy Hunt

The first one was about HSBC disclosing a "security incident" which, upon closer inspection, boiled down to this: The security incident that HSBC described in its letter seems to fit the characteristics of brute-force password-guessing attempts, also known as a credentials stuffing attack.

Password Management

PerezBox

The year is 2017 and we continue to give advice on the process of creating passwords. The phrase "These are the tips to creating a secure password"

Skip the New Year’s Resolution and Change Your Passwords

Adam Levin

Another year has come and gone, and consumers are still using the same old bad passwords to protect their accounts. According to a study published in December by SplashData of the more than 5 million passwords compromised by hacks last year, way too many were laughably inadequate. Despite repeated predictions of its demise as a security protocol, the use of passwords to protect accounts isn't going anywhere any time soon.

Bank Attacks Put Password Insecurity Back in the Spotlight

The Security Ledger

Two separate attacks on banks in the United States and Pakistan revealed this week highlight once again the inherent weakness of a security practice that relies on passwords or knowledge-based credentials to protect critical information.

Worst Password Blunders of 2018 Hit Organizations East and West

Dark Reading

Good password practices remain elusive, as Dashlane's latest list of the worst password blunders can attest.

Revamp of ‘Pwned Passwords’ Boosts Privacy and Size of Database

Threatpost

Troy Hunt has expanded his Pwned Passwords tool with 80 million more passwords, to help users find out whether their passwords have been compromised.

The Series 5 YubiKey Will Help Kill the Password

WIRED Threat Level

The latest batch of hardware-based tokens from Yubico will eventually let you skip the password altogether.

Lenovo Fixes Hardcoded Password Flaw Impacting ThinkPad Fingerprint Scanners

Threatpost

Lenovo said nearly a dozen ThinkPad and ThinkCentre laptops contain a hardcoded password flaw.

Why So Many People Make Their Password 'Dragon'

WIRED Threat Level

The mythical creature's popularity says a lot about the psychology of password creation.

I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download

Troy Hunt

Last August, I launched a little feature within Have I Been Pwned (HIBP) I called Pwned Passwords. This was a list of 320 million passwords from a range of different data breaches which organisations could use to better protect their own systems. In reality, this means they probably both have dogs with the same name or some other personal attribute they're naming their passwords after (also bad). Here's what it's all about: There's Now 501,636,842 Pwned Passwords.

Calif. Law Takes Aim at Weak IoT Passwords

Threatpost

Concerns over data privacy and security push California to roll out the first legislation on connected devices.

Get a Password Manager. Here's Where to Start

WIRED Threat Level

How important are password managers? Even their flaws double as reminders why you need one.

Collection #1 dump, 773 million emails, 21 million passwords

Security Affairs

Someone has collected a huge trove of data through credential stuffing. The 'Collection #1' archive is a set of email addresses and passwords totalling 2,692,818,238 rows resulting from thousands of different sources. According to Hunt, there are 1,160,253,228 unique combinations of email addresses and passwords, while the unique email addresses totalled 772,904,991. million passwords are not part of known past data breaches.

Sextortionists Shift Scare Tactics to Include Legit Passwords

Threatpost

The scam emails offer, as proof of compromise, a password associated with the target's online accounts.