The Wages of Password Re-Use: Your Money or Your Life

Krebs on Security

When normal computer users fall into the nasty habit of recycling passwords, the result is most often some type of financial loss. Our passwords can say a lot about us, and much of what they have to say is unflattering. POOR PASSWORDS AS GOOD OPSEC?

Nihilistic Password Security Questions

Schneier on Security

Posted three years ago, but definitely appropriate for the times.


26M Passwords Exposed in Botnet Data Leak

Data Breach Today

Data includes 1.5M Facebook passwords and valid cookies. Some 26 million passwords were exposed in a 1.2 terabyte batch of data found by NordLocker, a security company.

Ukraine Nabs Suspect in 773M Password “Megabreach”

Krebs on Security

In January 2019, dozens of media outlets raised the alarm about a new “megabreach” involving the release of some 773 million stolen usernames and passwords that was breathlessly labeled “the largest collection of stolen data in history.”

Home Assistant, Pwned Passwords and Security Misconceptions

Troy Hunt

Pwned Passwords is a repository of 613M passwords exposed in previous data breaches, which makes them very poor choices for future use. Then there's all the occasions where hackers end up controlling devices in the home network again, due to password reuse.

Botnet Data Leak: 26 Million Passwords Exposed

Data Breach Today

Million Facebook Passwords Among Leaked Data; Raccoon Infostealer Suspected. Some 26 million passwords were exposed in a 1.2 terabyte batch of data found by NordLocker, a security company.

FBI will share compromised passwords with HIBP Pwned Passwords

Security Affairs

The FBI is going to share compromised passwords discovered during investigations with Have I Been Pwned (HIBP)’s ‘Pwned Passwords’ service. “Feeding these passwords into HIBP gives the FBI the opportunity to do this almost 1 billion times every month.”

Ubiquiti: Change Your Password, Enable 2FA

Krebs on Security

Ubiquiti , a major vendor of cloud-enabled Internet of Things (IoT) devices such as routers, network video recorders, security cameras and access control systems, is urging customers to change their passwords and enable multi-factor authentication. Change your password.

Fintech Startup Offers $500 for Payroll Passwords

Krebs on Security

One financial startup that’s targeting the gig worker market is offering up to $500 to anyone willing to hand over the payroll account username and password given to them by their employer, plus a regular payment for each month afterwards in which those credentials still work.

Password Changing After a Breach

Schneier on Security

This study shows that most people don't change their passwords after a breach, and if they do they change it to a weaker password. New passwords were on average 1.3×

Death to 'Fluffy': Please Stop With the Pet Name Passwords

Data Breach Today

Pets, Sports Teams, Notable Dates and Family Member Names Predominate, Experts Warn. Loving your pet and creating tough-to-crack passwords should remain two distinctly separate activities.

Eliminate the Password, Eliminate the Password Problem.

The Security Ledger

Weak, stolen or reused passwords are the root of 8 in 10 data breaches. Fixing the data breach problem means abandoning passwords for something more secure.

The Edge Pro Quote: Password Empowerment

Dark Reading

Despite being a pain in the neck, passwords may hold a psychological purpose that security pros should take into account

Five Critical Password Security Rules Your Employees Are Ignoring

Threatpost

According to Keeper Security’s Workplace Password Malpractice Report, many remote workers aren’t following best practices for password security.

Half a Million IoT Passwords Leaked

Schneier on Security

The hacker then tried using (1) factory-set default usernames and passwords, or (2) custom, but easy-to-guess password combinations. Default passwords? We have a long way to go to secure the IoT.

Gamifying Password Training Shows Security Benefits

Dark Reading

When picking passwords, users often fall back on certain insecure patterns, but good habits can be learned using simple games, a group of researchers find

DHS Urges Pulse Secure VPN Users To Update Passwords

Threatpost

The DHS urged organizations to update their passwords and make sure that a critical Pulse Secure VPN flaw has been patched, as attackers continue to exploit the flaw.

Password Manager Weaknesses Revealed

Data Breach Today

The latest edition of the ISMG Security Report describes vulnerabilities found in popular password generator apps. Plus, the evolution of blockchain as a utility and a new decryptor for GandCrab ransomware

6 Ways Passwords Fail Basic Security Tests

Dark Reading

New data shows humans still struggle with password creation and management

Risks of Password Managers

Schneier on Security

Stuart Schechter writes about the security risks of using a password manager. It's a good piece, and nicely discusses the trade-offs around password managers: which one to choose, which passwords to store in it, and so on. My own Password Safe is mentioned. My particular choices about security and risk are to only store passwords on my computer -- not on my phone -- and not to put anything in the cloud.

‘War Dialing’ Tool Exposes Zoom’s Password Problems

Krebs on Security

But without the protection of a password, there’s a decent chance your next Zoom meeting could be “Zoom bombed” — attended or disrupted by someone who doesn’t belong. zWarDial, an automated tool for finding non-password protected Zoom meetings.

Do Password Managers Make You More or Less Secure?

Adam Levin

It’s World Password Day, and much like every other day of the year, the state of password security is terrible. Enter the password manager: an application or service that consolidates the credentials for all a user’s accounts.

Spotify Changes Passwords After Another Data Breach

Threatpost

This is the third breach in the past few weeks for the world’s most popular streaming service.

Google’s Chrome 86: Critical Payments Bug, Password Checker Among Security Notables

Threatpost

Google is rolling out 35 security fixes, and a new password feature, in Chrome 86 versions for Windows, Mac, Android and iOS users.

Dashlane vs. LastPass: Business Password Manager Comparison

eSecurity Planet

Dashlane and LastPass are two of the biggest names in password management software. They both provide businesses secure vaults for sensitive information, including passwords, credit card details, and personal identification numbers. Security.

Five Password Tips for Securing the New WFH Normal

Threatpost

Darren James, product specialist with Specops Software, warned that password resets, for example, are a particularly vexing issue for sysadmins, as they can often lock end-users out of their accounts.

Pwned Passwords, Version 5

Troy Hunt

Almost 2 years ago to the day, I wrote about Passwords Evolved: Authentication Guidance for the Modern Era. Shortly after that blog post I launched Pwned Passwords with 306M passwords from previous breach corpuses. I made the data downloadable and also made it searchable via an API, except there are obvious issues with enabling someone to send passwords to me even if they're hashed as they were in that first instance. 3,768,890 passwords.
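The "obvious issues" with sending passwords, even hashed, to a third party are what the Pwned Passwords range API was built to avoid: the client hashes the password with SHA-1, sends only the first five hex characters, receives every known suffix sharing that prefix, and does the final comparison locally, so the service never learns which password was checked. The following is an added example (not code from Troy Hunt, HIBP, or any other source on this page) that implements that client-side lookup in Python and uses it in a NIST SP 800-63B style acceptance check (length floor plus breach-corpus check, no composition rules). The range response embedded in it is constructed for the example: the suffix for `password` is its real SHA-1 suffix, but the counts and the other suffixes are invented, and the `Add-Padding` header, `fetch_range_http`, `check_password` and the other names are this example's own.

```python
"""Client-side k-anonymity lookup against a Pwned Passwords style range API."""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for prefix 5BAA6. Each line is
# <35 hex chars of SHA-1 suffix>:<times seen in breaches>. Only the third
# suffix is real (SHA-1 of "password"); its count and the other lines are
# made up for this example. The count-0 line imitates a padding entry.
SAMPLE_RANGE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B7A0C9D8E6F5A4B3C2D1E0F9A8B7C6D5:0
"""


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict. Count-0 entries are padding
    (returned when the client asks for it) and carry no information, so they
    are dropped; malformed lines are skipped rather than failing the check."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35 or not count.isdigit():
            continue
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range_http(prefix: str) -> str:
    """Live lookup. Only the 5-char prefix leaves the client, so the server
    learns at most that the password is one of the hundreds sharing it."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range_http backed by the constructed sample, so the
    example runs without network access."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range_http) -> int:
    """Number of times the password appears in the corpus (0 if never seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def check_password(password: str, min_length: int = 8,
                   fetch: Callable[[str], str] = fetch_range_http) -> Tuple[bool, str]:
    """Accept a password only if it meets a length floor and is absent from
    breach data. No digit/symbol composition rules: they steer users toward
    predictable patterns without adding much guessing resistance."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    seen = breach_count(password, fetch)
    if seen:
        return False, f"appears {seen} times in breach data"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, check_password(candidate, fetch=offline_fetch))
```

Swap `offline_fetch` for the default `fetch_range_http` to query the live service; the comparison of the 35-character suffix still happens on the client either way, which is the whole point of the design.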

Why Are We So Stupid About RDP Passwords?

Data Breach Today

Ransomware Gangs Keep Pwning Poorly Secured Remote Desktop Protocol Endpoints. In honor of World Password Day, here's a task for every organization that uses remote desktop protocol: Ensure that all of your organization's internet-facing RDP ports have a password - and that it's complex and unique.

The Risk of Weak Online Banking Passwords

Krebs on Security

If you bank online and choose weak or re-used passwords, there’s a decent chance your account could be pilfered by cyberthieves — even if your bank offers multi-factor authentication as part of its login process. Crooks are constantly probing bank Web sites for customer accounts protected by weak or recycled passwords. A screenshot of a password-checking tool being used to target Chase Bank customers who re-use passwords from other sites.

Intern caused ‘solarwinds123’ password leak, former SolarWinds CEO says

Security Affairs

Top executives of the software firm SolarWinds blamed an intern for having used a weak password for several years, exposing the company to hack. Then realized their password was **123 #FireEye #SolarWinds pic.twitter.com/foGzEOdytG — Vinoth Kumar (@vinodsparrow) December 14, 2020.

Retailer Orvis.com Leaked Hundreds of Internal Passwords on Pastebin

Krebs on Security

Orvis , a Vermont-based retailer that specializes in high-end fly fishing equipment and other sporting goods, leaked hundreds of internal passwords on Pastebin.com for several weeks last month, exposing credentials the company used to manage everything from firewalls and routers to administrator accounts and database servers, KrebsOnSecurity has learned. “We are leveraging our existing security tools to conduct an investigation to determine how this occurred.”

Facebook Password, Email Contact Mishandling Worsens

Data Breach Today

Millions of Instagram Users Affected by Plain-Text Password Storage. Two security issues disclosed by Facebook over the past month are worse than first thought, adding to a harrowing series of data-handling mishaps by the social network. Millions of Instagram users had their plain-text passwords stored, and 1.5

Tricky Phish Angles for Persistence, Not Passwords

Krebs on Security

Late last year saw the re-emergence of a nasty phishing tactic that allows the attacker to gain full access to a user’s data stored in the cloud without actually stealing the account password.

Neural Networks Help Users Pick More-Secure Passwords

Dark Reading

Typically, blocklists are used to prevent users from picking easily guessable patterns, but a small neural network can do the same job and suggests that complex password requirements are not necessary

Best Password Management Software & Tools

eSecurity Planet

This creates a lot of opportunities for hackers to gain access to company resources because users often reuse passwords or mirror patterns in creating them. Password manager tools allow organizations and their employees to seamlessly and securely handle login credentials.

War Declared on Default Passwords

Data Breach Today

Initiatives in UK and California Aim to Deep-Six Poor IoT Security Practices. With at least 20 billion new consumer devices set to be internet-connected by 2020, initiatives in the U.K. and California are trying to ensure that as many IoT devices as possible will be out-of-the-box secure, for starters by not shipping with default passwords.

FBI recommends using passphrases instead of complex passwords

Security Affairs

The FBI recommends using longer passphrases composed of multiple words, forming a string of at least 15 characters, instead of short passwords padded with special characters. Which are the most secure passwords?

Hacker leaks passwords for 900+ Pulse Secure VPN enterprise servers

Security Affairs

ZDNet reported exclusively that a list of passwords for 900+ enterprise VPN servers has been shared on a Russian-speaking hacker forum. According to Bank Security, all the Pulse Secure VPN servers included in the list were vulnerable to the CVE-2019-11510 flaw.

GitHub Prepares to Move Beyond Passwords

Threatpost

GitHub adds support for FIDO2 security keys for Git over SSH to fend off account hijacking and further its plan to stick a fork in the security bane of passwords.

Troy Hunt on Passwords

Schneier on Security

Troy Hunt has a good essay about why passwords are here to stay, despite all their security problems: This is why passwords aren't going anywhere in the foreseeable future and why [insert thing here] isn't going to kill them. No amount of focusing on how bad passwords are or how many accounts have been breached or what it costs when people can't access their accounts is going to change that.