Eliminate the Password, Eliminate the Password Problem.

The Security Ledger

Weak, stolen or reused passwords are the root of 8 in 10 data breaches. Fixing the data breach problem means abandoning passwords for something more secure.

Retailer Orvis.com Leaked Hundreds of Internal Passwords on Pastebin

Krebs on Security

In late October, this author received a tip from Wisconsin-based security firm Hold Security that a file containing a staggering number of internal usernames and passwords for Orvis had been posted to Pastebin. Microsoft Active Directory accounts and passwords.

Updated FTCODE Ransomware Now Steals Credentials, Passwords

Data Breach Today

4 Key Considerations for Employee Password Hardening & Compromised Password Monitoring

Data Breach Today

Traditional Methods to Thwart Successful Attacks are Becoming Less Effective. The new method of weak and compromised continuous password monitoring can reduce user frustration and IT burden.

Cracking Forgotten Passwords

Schneier on Security

It's "useful for cracking passwords you kinda-remember." You tell the program what you remember about the password and it tries related passwords. Expandpass is a string expansion program.

Risks of Password Managers

Schneier on Security

Stuart Schechter writes about the security risks of using a password manager. It's a good piece, and nicely discusses the trade-offs around password managers: which one to choose, which passwords to store in it, and so on. My own Password Safe is mentioned.

Pwned Passwords, Version 5

Troy Hunt

Almost 2 years ago to the day, I wrote about Passwords Evolved: Authentication Guidance for the Modern Era. Shortly after that blog post I launched Pwned Passwords with 306M passwords from previous breach corpuses. 3,768,890 passwords.

Tricky Phish Angles for Persistence, Not Passwords

Krebs on Security

Late last year saw the re-emergence of a nasty phishing tactic that allows the attacker to gain full access to a user’s data stored in the cloud without actually stealing the account password.

The Risk of Weak Online Banking Passwords

Krebs on Security

If you bank online and choose weak or re-used passwords, there’s a decent chance your account could be pilfered by cyberthieves — even if your bank offers multi-factor authentication as part of its login process.

Half a Million IoT Device Passwords Published

Schneier on Security

It's a list of easy-to-guess passwords for IoT devices on the Internet as recently as last October and November. The hacker then tried using (1) factory-set default usernames and passwords, or (2) custom, but easy-to-guess password combinations.

Default Password for GPS Trackers

Schneier on Security

Many GPS trackers are shipped with the default password 123456. We just need to eliminate default passwords. Many users don't change them. This is an easy win.

Password Manager Weaknesses Revealed

Data Breach Today

The latest edition of the ISMG Security Report describes vulnerabilities found in popular password generator apps. Plus, the evolution of blockchain as a utility and a new decryptor for GandCrab ransomware.

Flipboard Resets Passwords After Database Intrusions

Data Breach Today

Hashed and Salted Usernames and Passwords Exposed. News aggregator Flipboard has initiated a systemwide password reset affecting as many as 150 million users following two database intrusions.

Google Stored Unhashed G Suite Passwords for Years

Data Breach Today

Passwords Remained Encrypted for Enterprise Users. Google is notifying administrators and users of its business-oriented G Suite product that the company had been storing unhashed passwords for years because of a flaw in the platform.

Report: Facebook Stored Millions of Passwords in Plaintext

Data Breach Today

Facebook Under Fresh Scrutiny Over How It Stored User Passwords. Facebook has corrected an internal security issue that allowed the company to store millions of user passwords in plaintext that were then available to employees through an internal search tool.

Google Adds Password Checkup Feature to Chrome Browser

Threatpost

Google's new password checkup tool joins other similar services including Have I Been Pwned and Mozilla's Firefox Monitor.

Password Managers Leave Crumbs in Memory, Researchers Warn

Data Breach Today

Popular Password Managers for Windows Fail to Tidy Up Before Locking Up Shop. A security audit of popular password managers has revealed some concerning weaknesses. But the research shows that some password managers need to more thoroughly scrub data left in memory.

Facebook Password, Email Contact Mishandling Worsens

Data Breach Today

Millions of Instagram Users Affected by Plain-Text Password Storage. Two security issues disclosed by Facebook over the past month are worse than first thought, adding to a harrowing series of data-handling mishaps by the social network. Millions of Instagram users had their plain-text passwords stored, and 1.5

Dell, Dunkin Donuts Reset Passwords After Incidents

Data Breach Today

The Impacts of Both Incidents Appear to Be Limited. Dell and Dunkin Donuts have both initiated password resets after experiencing separate security incidents aimed at gaining access to customer accounts.

Cracking the Passwords of Early Internet Pioneers

Schneier on Security

Weakest of all was the password for Unix contributor Brian W. None of the passwords included the quotation marks.). I don't remember any of my early passwords, but they probably weren't much better.

Troy Hunt on Passwords

Schneier on Security

Troy Hunt has a good essay about why passwords are here to stay, despite all their security problems: This is why passwords aren't going anywhere in the foreseeable future and why [insert thing here] isn't going to kill them.

Which are the worst passwords for 2018?

Security Affairs

Which are the worst passwords for 2018? SplashData report confirms that 123456 is the most used password for the 5th year in a row. Below are the 2018 top 10 most used passwords: 123456, password, 123456789, 12345678, 12345, 111111, 1234567, sunshine, qwerty, iloveyou.

Forced Password Reset? Check Your Assumptions

Krebs on Security

Hackers Dump 2.2M Gaming, Cryptocurrency Passwords Online

Threatpost

The passwords of more than 2.2 million users of a gaming and cryptocurrency website were dumped online after dual data breaches.

Chrome Extension Stealing Cryptocurrency Keys and Passwords

Schneier on Security

A malicious Chrome extension surreptitiously steals Ethereum keys and passwords: According to Denley, the extension is dangerous to users in two ways.

Generated Passwords, UX and Security Absolutism

Troy Hunt

So why doesn't every site take away the ability for people to choose their own passwords? Why not just generate the password for them, thus completely eradicating password reuse? It doesn't matter who generated the password.

The Hidden Cost of Ransomware: Wholesale Password Theft

Krebs on Security

Organizations in the throes of cleaning up after a ransomware outbreak typically will change passwords for all user accounts that have access to any email systems, servers and desktop workstations within their network.

Slack Initiates Mass Password Reset

Threatpost

More victims of a 2015 credential-harvesting incident have come to light.

War Declared on Default Passwords

Data Breach Today

Initiatives in UK and California Aim to Deep-Six Poor IoT Security Practices. With at least 20 billion new consumer devices set to be internet-connected by 2020, initiatives in the U.K. and California are trying to ensure that as many IoT devices as possible will be out-of-the-box secure, for starters by not shipping with default passwords.

Twitter: We Goofed; Change Your Password Now

Data Breach Today

Passwords Inadvertently Saved to Log in Plaintext Format; Twitter Blames Bug. Twitter has apologized after it discovered that it had been inadvertently storing users' passwords in plaintext in an internal log, potentially putting them at risk.

Sextortion Scam Wields Stolen Passwords, Demands Bitcoins

Data Breach Today

Attackers Send a Leaked Password as 'Proof' Victim Was Hacked. Scammers behind an ongoing "sextortion" campaign have been emailing a legitimate password - likely from a publicly leaked list - to victims with a threat to release a compromising video of the recipient unless they pay up in bitcoins, Barracuda Networks warns.

A study reveals the list of worst passwords of 2019

Security Affairs

Another year is ending and this is the right time to discover which are the worst passwords of 2019 by analyzing data leaked in various data breaches. The company collected 500 million passwords in total and the results were disconcerting. Adopt a password generator.

Hostinger Data Breach: 14M Customer Passwords, Personal Data at Risk

Threatpost

Hostinger said that unauthorized access to an internal API server exposed hashed passwords of 14 million customers.

A Breach, or Just a Forced Password Reset?

Krebs on Security

Software giant Citrix Systems recently forced a password reset for many users of its Sharefile content collaboration service, warning it would be doing this on a regular basis in response to password-guessing attacks that target people who re-use passwords across multiple Web sites.

Banks, Arbitrary Password Restrictions and Why They Don't Matter

Troy Hunt

Allow me to be controversial for a moment: arbitrary password restrictions on banks such as short max lengths and disallowed characters don't matter. He turned to me and said, "Do you really think the only thing the bank does to log people on is to check the username and password?"

Sextortion Scam Uses Recipient’s Hacked Passwords

Krebs on Security

The email now references a real password previously tied to the recipient’s email address. But this one begins with an unusual opening salvo: “I’m aware that <substitute password formerly used by recipient here> is your password,” reads the salutation. That’s because there are a number of shady password lookup services online that index billions of usernames (i.e.

Party Like Every Day Is World Password Day

Data Breach Today

Cause for Celebration: Microsoft Stops Recommending Periodic Password Changes. Every day needs to be password security day - attackers certainly aren't dormant the other 364 days of the year. But as World Password Day rolls around again, there's cause for celebration as Microsoft finally stops recommending periodic password changes.

Breached Passwords Still in Use By Hundreds of Thousands

Threatpost

More than 300,000 users still utilize credentials that have been compromised - with people visiting video streaming and porn sites most at fault, Google found in a new study.

Over 23 million breached accounts were using ‘123456’ as password

Security Affairs

A cyber survey conducted by the United Kingdom’s National Cyber Security Centre (NCSC) revealed that ‘123456’ is still the most hacked password. million user accounts worldwide were using ‘123456’ as password, while 7.7