Ukraine Nabs Suspect in 773M Password “Megabreach”

Krebs on Security

In January 2019, dozens of media outlets raised the alarm about a new “megabreach” involving the release of some 773 million stolen usernames and passwords that was breathlessly labeled “the largest collection of stolen data in history.”

Password Changing After a Breach

Schneier on Security

This study shows that most people don't change their passwords after a breach, and if they do they change it to a weaker password. New passwords were on average 1.3×


Eliminate the Password, Eliminate the Password Problem.

The Security Ledger

Weak, stolen or reused passwords are the root of 8 in 10 data breaches. Fixing the data breach problem means abandoning passwords for something more secure.

Risks of Password Managers

Schneier on Security

Stuart Schechter writes about the security risks of using a password manager. It's a good piece, and nicely discusses the trade-offs around password managers: which one to choose, which passwords to store in it, and so on. My own Password Safe is mentioned.

Five Password Tips for Securing the New WFH Normal

Threatpost

Darren James, product specialist with Specops Software, warned that password resets, for example, are a particularly vexing issue for sysadmins, as they can often lock end users out of their accounts.

DHS Urges Pulse Secure VPN Users To Update Passwords

Threatpost

The DHS urged organizations to update their passwords and make sure that a critical Pulse Secure VPN flaw has been patched, as attackers continue to exploit the flaw.

Why Are We So Stupid About RDP Passwords?

Data Breach Today

Ransomware Gangs Keep Pwning Poorly Secured Remote Desktop Protocol Endpoints. In honor of World Password Day, here's a task for every organization that uses remote desktop protocol: ensure that all of your organization's internet-facing RDP ports have a password - and that it's complex and unique

Retailer Orvis.com Leaked Hundreds of Internal Passwords on Pastebin

Krebs on Security

In late October, this author received a tip from Wisconsin-based security firm Hold Security that a file containing a staggering number of internal usernames and passwords for Orvis had been posted to Pastebin. Microsoft Active Directory accounts and passwords.

The Risk of Weak Online Banking Passwords

Krebs on Security

If you bank online and choose weak or re-used passwords, there’s a decent chance your account could be pilfered by cyberthieves — even if your bank offers multi-factor authentication as part of its login process.

Password Manager Weaknesses Revealed

Data Breach Today

The latest edition of the ISMG Security Report describes vulnerabilities found in popular password generator apps. Plus, the evolution of blockchain as a utility and a new decryptor for GandCrab ransomware.

Do Password Managers Make You More or Less Secure?

Adam Levin

It’s World Password Day, and much like every other day of the year, the state of password security is terrible. Enter the password manager: an application or service that consolidates the credentials for all a user’s accounts.

Phishers Use Fake VPN Alerts to Steal Office 365 Passwords

Data Breach Today

Report: Fraudsters Target Remote Workers With Spoofed Updates. Fraudsters are using fake VPN update alerts to target remote workers in an effort to steal their Microsoft Office 365 credentials, according to the security firm Abnormal Security.

Report: Facebook Stored Millions of Passwords in Plaintext

Data Breach Today

Facebook Under Fresh Scrutiny Over How It Stored User Passwords. Facebook has corrected an internal security issue that allowed the company to store millions of user passwords in plaintext that were then available to employees through an internal search tool.

ThreatList: People Know Reusing Passwords Is Dumb, But Still Do It

Threatpost

Even seeing data breaches in the news, more than half of consumers are still reusing passwords.

Password Managers Leave Crumbs in Memory, Researchers Warn

Data Breach Today

Popular Password Managers for Windows Fail to Tidy Up Before Locking Up Shop. A security audit of popular password managers has revealed some concerning weaknesses. The research shows that some password managers need to more thoroughly scrub data left in memory.

Dell, Dunkin Donuts Reset Passwords After Incidents

Data Breach Today

The Impacts of Both Incidents Appear to Be Limited. Dell and Dunkin Donuts have both initiated password resets after experiencing separate security incidents aimed at gaining access to customer accounts.

Tricky Phish Angles for Persistence, Not Passwords

Krebs on Security

Late last year saw the re-emergence of a nasty phishing tactic that allows the attacker to gain full access to a user’s data stored in the cloud without actually stealing the account password.

FBI recommends using passphrases instead of complex passwords

Security Affairs

The FBI recommends using longer passwords composed of multiple words strung together into a passphrase of at least 15 characters, instead of short passwords that include special characters. Which are the most secure passwords?

Facebook Password, Email Contact Mishandling Worsens

Data Breach Today

Millions of Instagram Users Affected by Plain-Text Password Storage. Two security issues disclosed by Facebook over the past month are worse than first thought, adding to a harrowing series of data-handling mishaps by the social network. Millions of Instagram users had their plain-text passwords stored, and 1.5

Google Adds Password Checkup Feature to Chrome Browser

Threatpost

Google's new password checkup tool joins other similar services including Have I Been Pwned and Mozilla's Firefox Monitor.

Pwned Passwords, Version 5

Troy Hunt

Almost 2 years ago to the day, I wrote about Passwords Evolved: Authentication Guidance for the Modern Era. Shortly after that blog post I launched Pwned Passwords with 306M passwords from previous breach corpuses. 3,768,890 passwords.

Attacks on Linksys Routers Trigger Mass Password Reset

Threatpost

Linksys Smart Wi-Fi users were forced to reset their passwords after researchers discovered a router hack.

War Declared on Default Passwords

Data Breach Today

Initiatives in UK and California Aim to Deep-Six Poor IoT Security Practices. With at least 20 billion new consumer devices set to be internet-connected by 2020, initiatives in the U.K. and California are trying to ensure that as many IoT devices as possible will be out-of-the-box secure, for starters by not shipping with default passwords.

Password Security: Single Factor, 2FA and Multi-Factor Authentication

Rocket Software

On May 7, IT and technology businesses around the world celebrated World Password Day, a day meant to remind everyone of the importance of keeping personal and business data protected and secure. Don’t use personal passwords for work accounts.

Troy Hunt on Passwords

Schneier on Security

Troy Hunt has a good essay about why passwords are here to stay, despite all their security problems: This is why passwords aren't going anywhere in the foreseeable future and why [insert thing here] isn't going to kill them.

Mozilla addresses “master password” security bypass flaw in Firefox

Security Affairs

The latest update released by Mozilla for Firefox patches a flaw in Firefox Password Manager that can be exploited to bypass the master password and access stored passwords.

Facebook Password, Email Contact Mishandling Deepens

Data Breach Today

Millions of Instagram Users Affected by Plain-Text Password Storage. Two security issues disclosed by Facebook over the past month are worse than first thought, adding to a harrowing series of data-handling mishaps by the social network. Millions of Instagram users had their plain-text passwords stored, and 1.5

Slack Initiates Mass Password Reset

Threatpost

More victims of a 2015 credential-harvesting incident have come to light.

On the Security of Password Managers

Schneier on Security

There's new research on the security of password managers, specifically 1Password, Dashlane, KeePass, and LastPass. This work specifically looks at password leakage on the host computer. Each password manager also attempted to scrub secrets from memory.

Hackers Dump 2.2M Gaming, Cryptocurrency Passwords Online

Threatpost

The passwords of more than 2.2 million users of a gaming and cryptocurrency website were dumped online after dual data breaches.

Over 23 million breached accounts were using ‘123456’ as password

Security Affairs

A cyber survey conducted by the United Kingdom’s National Cyber Security Centre (NCSC) revealed that ‘123456’ is still the most hacked password. million user accounts worldwide were using ‘123456’ as a password, while 7.7

Google Stored G Suite Passwords in Plaintext Since 2005

Threatpost

Google said it had stored G Suite enterprise users' passwords in plain text since 2005, marking a giant security faux pas.

Why Was Equifax So Stupid About Passwords?

Data Breach Today

Massive Credit Bureau Stored Users' Plaintext Passwords in Testing Environment. Massive, well-resourced companies are still using live customer data - including their plaintext passwords - in testing environments, violating not just good development practices but also privacy laws. That's yet another security failure takeaway from last year's massive Equifax breach.

Party Like Every Day Is World Password Day

Data Breach Today

Cause for Celebration: Microsoft Stops Recommending Periodic Password Changes. Every day needs to be password security day - attackers certainly aren't dormant the other 364 days of the year. But as World Password Day rolls around again, there's cause for celebration as Microsoft finally stops recommending periodic password changes.

Password Psychology: users know reuse is bad, do it anyway

The Security Ledger

More than 90% of employees know re-using passwords between accounts is a dangerous business, but two thirds of them do it anyway. Rachael Stockton of LastPass digs into the "why" of password insecurity in the latest LastPass Psychology of Passwords report.

The Hidden Cost of Ransomware: Wholesale Password Theft

Krebs on Security

Organizations in the throes of cleaning up after a ransomware outbreak typically will change passwords for all user accounts that have access to any email systems, servers and desktop workstations within their network.

A study reveals the list of worst passwords of 2019

Security Affairs

Another year is ending and this is the right time to discover which are the worst passwords of 2019 by analyzing data leaked in various data breaches. The company collected 500 million passwords in total and the results were disconcerting. Adopt a password generator.

Chrome Extension Stealing Cryptocurrency Keys and Passwords

Schneier on Security

A malicious Chrome extension surreptitiously steals Ethereum keys and passwords: According to Denley, the extension is dangerous to users in two ways. Another example of how blockchain requires many single points of trust in order to be secure.

A Breach, or Just a Forced Password Reset?

Krebs on Security

Software giant Citrix Systems recently forced a password reset for many users of its Sharefile content collaboration service, warning it would be doing this on a regular basis in response to password-guessing attacks that target people who re-use passwords across multiple Web sites.

Breached Passwords Still in Use By Hundreds of Thousands

Threatpost

More than 300,000 users still utilize credentials that have been compromised - with people visiting video streaming and porn sites most at fault, Google found in a new study.