2018, Accountability, Blog and Password Management

The Effectiveness of Publicly Shaming Bad Security

Troy Hunt

SEPTEMBER 11, 2018

What it boiled down to was the account arguing with a journalist (pro tip: avoid arguing being a dick to those in a position to write publicly about you!) that no, you didn't just need a username and birth date to reset the account password. So I wrote a blog post. The Register wrote about it. Venture Beat wrote about it.

Media

Media Accountability Passwords Mobile

Banks, Arbitrary Password Restrictions and Why They Don't Matter

Troy Hunt

SEPTEMBER 17, 2019

That said, Westpac down in Australia certainly appears to be 6 characters: Finally thought @Westpac had upped their password game, moving from the long pointless on-screen keyboard (OSK) with a character count limit, to 'normal' password entry. troyhunt pic.twitter.com/9FMSdvVRiL — Hagen (@hagendittmer) June 3, 2018.

Banking

Banking Passwords Accountability Authentication

Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach

Krebs on Security

SEPTEMBER 5, 2023

In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. “If you have my seed phrase, you can copy and paste that into your wallet, and then you can see all my accounts. .

Cryptocurrency

Cryptocurrency Passwords Encryption Accountability

Webinars

Reimagining Cybersecurity Training: Driving Real Impact on Security Culture

MORE WEBINARS

A Deep Dive on the Recent Widespread DNS Hijacking Attacks

Krebs on Security

FEBRUARY 18, 2019

27, 2018, Cisco’s Talos research division published a write-up outlining the contours of a sophisticated cyber espionage campaign it dubbed “ DNSpionage.” 25, 2019, when security firm CrowdStrike published a blog post listing virtually every Internet address known to be (ab)used by the espionage campaign to date.

DNS

DNS Internet Internet Government

What Is REvil Ransomware?

SiteLock

SEPTEMBER 29, 2021

Researchers and security firms have linked REvil as a strain of GandCrab, another RaaS group that was wildly popular in 2018. If REvil’s demands aren’t met, they threaten to release the stolen data by auctioning it off on its website “The Happy Blog”. Use a password manager to generate and track your passwords.

Ransomware

Ransomware Computers and Electronics Backups Passwords

LastPass: ‘Horse Gone Barn Bolted’ is Strong Password

Krebs on Security

SEPTEMBER 22, 2023

The password manager service LastPass is now forcing some of its users to pick longer master passwords. But critics say the move is little more than a public relations stunt that will do nothing to help countless early adopters whose password vaults were exposed in a 2022 breach at LastPass.

Passwords

Passwords Encryption Password Management Cryptocurrency

Top 5 Strategies for Vulnerability Mitigation

Centraleyes

DECEMBER 6, 2023

According to Purplesec, ransomware attacks have increased by 350% since 2018, zero-day attacks were up by 55% in 2021, and out of the 30 million SMBs in the USA, over 66% have had at least 1 cyber incident between 2018-2020. Vulnerability management is a critical element of information security.

Risk

Risk Cyber Risk Software Information Security

Top Cybersecurity Accounts to Follow on Twitter

eSecurity Planet

DECEMBER 3, 2021

Here are the top Twitter accounts to follow for the latest commentary, research, and much-needed humor in the ever-evolving information security space. Krebs wrote for The Washington Post between 1995 and 2009 before launching his current blog KrebsOnSecurity.com. — Jack Daniel (@jack_daniel) October 10, 2018.

Accountability

Accountability Cybersecurity Penetration Testing InfoSec

MY TAKE: COVID-19’s silver lining could turn out to be more rapid, wide adoption of cyber hygiene

The Last Watchdog

MAY 11, 2020

Rules with teeth This fast-tracking of Middle East cybersecurity regulations unfolded as the European Union was putting the finishing touches on its tough new data privacy and data handling rules, with enforcement teeth , set forth in GDPR, which took effect in May 2018. This column originally appeared on Avast Blog.).

Computers and Electronics

Computers and Electronics Data privacy Encryption Media

Have I Been Pwned is Now Partnering With 1Password

Troy Hunt

MARCH 29, 2018

That blog post had been in the works for many months before this partnership was conceived of, but I ultimately decided to get it out before this announcement to help explain my thinking. Why It Makes Sense to Partner with a Password Manager Now. I spent a few hours manually updating all passwords to all sites.

Password Management

Password Management Passwords Data breaches Retail

Microsoft Expands Passwordless Sign-on to All Accounts

eSecurity Planet

SEPTEMBER 15, 2021

Microsoft for the past few years has been among the loudest vendors calling for a security future that doesn’t include passwords. In 2018, the software giant took the step of doing away with passwords for people signing into its Edge web browser, saying instead they could use a number of alternatives. They’re inconvenient.

Accountability

Accountability Passwords Authentication Phishing

Is India's Aadhaar System Really "Hack-Proof"? Assessing a Publicly Observable Security Posture

Troy Hunt

JANUARY 10, 2018

agarwal_mohit) January 5, 2018. I think the URL is right but it seems inaccessible from other countries: [link] — Troy Hunt (@troyhunt) January 9, 2018. Security /= George blocking — Vatsalya Goel (@vatsalyagoel) January 9, 2018. They claim that they're hack-proof. Can you prove otherwise? travelling).

Hacking

Hacking Government Risk Encryption

The 773 Million Record "Collection #1" Data Breach

Troy Hunt

JANUARY 16, 2019

Checking Email Addresses and Passwords in HIBP There'll be a significant number of people that'll land here after receiving a notification from HIBP; about 2.2M Many others, over the years to come, will check their address on the site and land on this blog post when clicking in the breach description for more information.

Data breaches

Data breaches Passwords Password Management Accountability

“Have I been pwnd?”– What is it and what to do when you are pwned

Malwarebytes

MAY 19, 2021

“The only access they have is to domains that their people working in those departments could query anyway via the existing free domain search model, we’re just consolidating it all into a unified service,” Hunt wrote in a 2018 blog post about this matter. What do you do now, knowing that your account has been compromised?

Passwords

Passwords Data breaches Government Accountability

Beyond Passwords: 2FA, U2F and Google Advanced Protection

Troy Hunt

NOVEMBER 14, 2018

A few people took some of the points I made in those posts as being contentious, although on reflection I suspect it was more a case of lamenting that we shouldn't be in a position where we're still dependent on passwords and people needing to understand good password management practices in order for them to work properly.

Passwords

Passwords Authentication Accountability Mobile

Security Roundup February 2024

BH Consulting

FEBRUARY 15, 2024

Passwords: can’t live with ’em, can’t access vital online services without ’em Passwords were in the news again lately, for all the wrong reasons. LastPass, the password management service, is enforcing a 12-character minimum for master passwords to access its service.

Passwords

Passwords Surveillance Risk Data breaches

Operator at kayo.moe found a 42M Record Credential Stuffing Data ready to use

Security Affairs

SEPTEMBER 14, 2018

The attackers were likely planning to run them automatically against multiple online services and compromise user accounts. Just blogged: The 42M Record [link] Credential Stuffing Data [link]. — Troy Hunt (@troyhunt) September 13, 2018. Don’t reuse passwords! Don’t reuse passwords!

Data breaches

Data breaches Passwords Advertising Password Management

We're Baking Have I Been Pwned into Firefox and 1Password

Troy Hunt

JUNE 25, 2018

thanks @troyhunt for the excellent @haveibeenpwned service that notifies users of #privacy disasters like this :) [link] pic.twitter.com/jlqnKXteDG — Yale Privacy Lab (@YalePrivacyLab) June 4, 2018. I at least know about it, thx to @haveibeenpwned — Tim Plas (@TJPlas) June 3, 2018. ticketfly a heads up would have been nice.

Passwords

Passwords Data breaches Password Management Accountability

The Race to the Bottom of Credential Stuffing Lists; Collections #2 Through #5 (and More)

Troy Hunt

FEBRUARY 11, 2019

On reflecting over the last 3 and a half weeks, this is where we seem to be with credential stuffing lists today and I want to use this blog post to explain the thinking whilst also addressing specific questions I've had regarding Collections #2 through #5. The exposed data included email addresses and passwords stored as salted MD5 hashes.

Passwords

Passwords Data breaches Media InfoSec

Pwned Passwords in Practice: Real World Examples of Blocking the Worst Passwords

Troy Hunt

MAY 29, 2018

I followed up the first version with version 2, complete with just over half a billion passwords. But the really cool bit was the k-anonymity model devised by Cloudflare which I talk about in that blog post. When I released version 2 of Pwned Passwords, out of the blue they built it into their product. 1Password.

Passwords

Passwords Accountability Data breaches Password Management

APT trends report Q2 2021

SecureList

JULY 29, 2021

According to public blogs, targeting was widespread but focused primarily on diplomatic entities throughout Europe and North America: based on the content of the lure documents bundled with the malware, this assessment appears to be accurate. On 24 April, an incident management advisory was also released.

Malware

Malware Phishing Password Management Social Engineering

Making Light of the "Dark Web" (and Debunking the FUD)

Troy Hunt

FEBRUARY 14, 2018

— Troy Hunt (@troyhunt) February 1, 2018. Incidentally, the media piece led to a company's website which led to a request for your personal information - no free email accounts allowed - before you could read the content.). So let's start with the facts - what is the "dark web"? that's pretty much it.

Data breaches

Data breaches Passwords Marketing Hacking

Cyber Security Informer

The Effectiveness of Publicly Shaming Bad Security