The Wages of Password Re-Use: Your Money or Your Life

Krebs on Security

When normal computer users fall into the nasty habit of recycling passwords, the result is most often some type of financial loss. Our passwords can say a lot about us, and much of what they have to say is unflattering. POOR PASSWORDS AS GOOD OPSEC?

“Change Password”

Schneier on Security

Oops: Instead of telling you when it’s safe to cross the street, the walk signs in Crystal City, VA are just repeating ‘CHANGE PASSWORD.’


Open Source Pwned Passwords with FBI Feed and 225M New NCA Passwords is Now Live!

Troy Hunt

In the last month, there were 1,260,000,000 occasions where a service somewhere checked a password against Have I Been Pwned's (HIBP's) Pwned Password API. It looks like this: There are all sorts of amazing Pwned Passwords use cases out there.

Vulnerability in the Kaspersky Password Manager

Schneier on Security

A vulnerability (just patched) in the random number generator used in the Kaspersky Password Manager resulted in easily guessable passwords: The password generator included in Kaspersky Password Manager had several problems.

Nihilistic Password Security Questions

Schneier on Security

Posted three years ago, but definitely appropriate for the times.

Password Security

Security Through Education

Password security is extremely important. And how much do we really know about password security? LastPass wrote a very interesting article on the Psychology of Passwords. Password Education. In addition to these figures, people tend to reuse passwords.

Pwned Passwords, Version 6

Troy Hunt

Today, almost one year after the release of version 5, I'm happy to release the 6th version of Pwned Passwords. The data set has increased from 555,278,657 known compromised passwords to a grand total of 572,611,621, up 17,332,964?

How Coinbase Phishers Steal One-Time Passwords

Krebs on Security

A recent phishing campaign targeting Coinbase users shows thieves are getting cleverer about phishing one-time passwords (OTPs) needed to complete the login process. com — password-reset[.]com

Home Assistant, Pwned Passwords and Security Misconceptions

Troy Hunt

Pwned Passwords is a repository of 613M passwords exposed in previous data breaches, which makes them very poor choices for future use. Then there's all the occasions where hackers end up controlling devices in the home network again, due to password reuse.

Why I Hate Password Rules

Schneier on Security

It was financial in nature, which means it gets one of my most secure passwords. I used PasswordSafe to generate this 16-character alphanumeric password: :s^Twd.J;3hzg=Q~. Which was rejected by the site, because it didn’t meet their password security rules.

Unbiased CyberGhost Password Manager Review


For this CyberGhost Password Manager review, we will be exploring its features, customer support, and pricing. How do you keep up with remembering long passwords? With the CyberGhost Password Manager, you get to ditch your sticky notes and not worry about remembering passwords ever.

World Password Day – the 1960s just called and gave you your passwords back

Naked Security

Yes, passwords are going away. So it's still worth knowing the basics of picking proper passwords. No, it won't happen tomorrow.

Password Changing After a Breach

Schneier on Security

This study shows that most people don't change their passwords after a breach, and if they do they change it to a weaker password. New passwords were on average 1.3×

Keeper vs 1Password: Compare Password Managers

eSecurity Planet

Even using a password with special characters, numbers, and both upper and lower case letters, an attacker can crack an eight-character password in as little as 39 minutes with brute force attacks. High-strength password generator Secure password sharing 24/7 support.

Bitwarden vs 1Password: Compare Top Password Managers

eSecurity Planet

The average internet user has somewhere around 100 accounts, according to NordPass research, meaning they have to track 100 different passwords or risk using the same one over and over. Users can share password files securely with encrypted transmissions.

Risks of Password Managers

Schneier on Security

Stuart Schechter writes about the security risks of using a password manager. It's a good piece, and nicely discusses the trade-offs around password managers: which one to choose, which passwords to store in it, and so on. My own Password Safe is mentioned. My particular choices about security and risk is to only store passwords on my computer -- not on my phone -- and not to put anything in the cloud.

Proposed UK Law Bans Default Passwords

Schneier on Security

Following California’s lead, a new UK law would ban default passwords in IoT devices

Ukraine Nabs Suspect in 773M Password ‘Megabreach’

Krebs on Security

In January 2019, dozens of media outlets raised the alarm about a new “megabreach” involving the release of some 773 million stolen usernames and passwords that was breathlessly labeled “the largest collection of stolen data in history.”

I Wanna Go Fast: How Many Pwned Password Queries Can You Make Per Second?

Troy Hunt

There's a time and a place for going fast, and there's no better place to do that than when querying Have I Been Pwned's Pwned Passwords service. (Ok, What happens if you want to check millions of passwords?

Cracking Forgotten Passwords

Schneier on Security

It's "useful for cracking passwords you kinda-remember." You tell the program what you remember about the password and it tries related passwords. I learned about it in this article about Phil Dougherty, who helps people recover lost cryptocurrency passwords (mostly Ethereum) for a cut of the recovered value. Expandpass is a string expansion program.

Half a Million IoT Passwords Leaked

Schneier on Security

The hacker then tried using (1) factory-set default usernames and passwords, or (2) custom, but easy-to-guess password combinations. Default passwords?

Microsoft says to ditch passwords all together on World Password Day  

CyberSecurity Insiders

World Password Day is celebrated in May every year and is being done since 2013 as a group of Cybersecurity Professionals declared the first Thursday of May every year as the day to celebrate as the security day of our online lives.

World Password Day 2022: Poor Password Practices Can be Costly

Security Boulevard

Biometric identification may be the way of the future, but don’t be mistaken, passwords remain most practical in the […]. The post World Password Day 2022: Poor Password Practices Can be Costly appeared first on BlackCloak | Protect Your Digital Life™.

Pwned Passwords, Version 5

Troy Hunt

Almost 2 years ago to the day, I wrote about Passwords Evolved: Authentication Guidance for the Modern Era. Shortly after that blog post I launched Pwned Passwords with 306M passwords from previous breach corpuses. I made the data downloadable and also made it searchable via an API, except there are obvious issues with enabling someone to send passwords to me even if they're hashed as they were in that first instance. 3,768,890 passwords.

A Password Manager Isn't Just for Christmas, It's for Life (So Here's 50% Off!)

Troy Hunt

He's not a techie (he runs a pizza restaurant), but somehow, we ended up talking about passwords. Change the password to one 1Password automatically generates c. I was having a coffee with a good mate the other day.

NIST Password Guidelines 2021: Challenging Traditional Password Management

Security Boulevard

In 2017, the National Institute of Standards and Technology (NIST) released NIST Special Publication 800-63B Digital Identity Guidelines to help organizations properly comprehend and address risk as it relates to password management on the part of end users.

Half a Million IoT Device Passwords Published

Schneier on Security

It's a list of easy-to-guess passwords for IoT devices on the Internet as recently as last October and November. The hacker then tried using (1) factory-set default usernames and passwords, or (2) custom, but easy-to-guess password combinations.

RockYou2021: The Mother Lode of Password Collections Leaks 8.4 Billion Passwords Online

Hot for Security

billion password entries, presumably obtained from previous data leaks and breaches. Despite the author’s claims that the document contains 82 billion passwords, researchers noted that the “actual number turned out to be nearly ten times lower – at 8,459,060,239 unique entries.”

World Password Day: Why we need a password-less future

Security Boulevard

If you’ve read part one, you’ll know that there’s a persistent problem with passwords. Despite the continued warnings, data breaches and endless guidance – weak and easily hackable passwords still guard a sobering number of online accounts and identities.

Your Phone May Soon Replace Many of Your Passwords

Krebs on Security

Apple, Google and Microsoft announced this week they will soon support an approach to authentication that avoids passwords altogether, and instead requires users to merely unlock their smartphones to sign in to websites or online services.

Default Password for GPS Trackers

Schneier on Security

Many GPS trackers are shipped with the default password 123456. We just need to eliminate default passwords. Many users don't change them. This is an easy win.

NVIDIA staff shouldn’t have chosen passwords like these…

Graham Cluley

Last month, the LAPSUS$ hacking group stole up to one terabyte of internal data, including hashed passwords, from graphics card maker NVIDIA.

FBI will share compromised passwords with HIBP Pwned Passwords

Security Affairs

The FBI is going to share compromised passwords discovered during investigations with Have I Been Pwned (HIBP)’s ‘Pwned Passwords’ service. “Feeding these passwords into HIBP gives the FBI the opportunity to do this almost 1 billion times every month.

Enhancing Pwned Passwords Privacy with Padding

Troy Hunt

Since launching version 2 of Pwned Passwords with the k-anonymity model just over 2 years ago now, the thing has really gone nuts (read that blog post for background otherwise nothing from here on will make much sense).

World Password Day is Dead. Long Live World Password Day!

Security Boulevard

After chatting with the owner and petting the resident store dog, I took a few guesses at the password protecting these computers.

We Didn't Encrypt Your Password, We Hashed It. Here's What That Means:

Troy Hunt

The organisation involved may have contacted you and advised your password was exposed but fortunately, they encrypted it. Ah, yes, but it wasn't encrypted it was hashed and therein lies a key difference: Saying that passwords are “encrypted” over and over again doesn’t make it so.

Why VPNs and Passwords Aren’t Enough

Security Boulevard

Take passwords, for instance. While few would argue against the necessity of choosing a strong password, many companies and employees continue to ignore best practices in password creation—or perhaps they are simply unaware of what this requires.

Troy Hunt on Passwords

Schneier on Security

Troy Hunt has a good essay about why passwords are here to stay, despite all their security problems: This is why passwords aren't going anywhere in the foreseeable future and why [insert thing here] isn't going to kill them. No amount of focusing on how bad passwords are or how many accounts have been breached or what it costs when people can't access their accounts is going to change that.

5 ways hackers steal passwords (and how to stop them)

We Live Security

From social engineering to looking over your shoulder, here are some of the most common tricks that bad guys use to steal passwords. The post 5 ways hackers steal passwords (and how to stop them) appeared first on WeLiveSecurity.

Netflix bans password sharing to cut misuse

CyberSecurity Insiders

Netflix, which is struggling to keep its profits margin intact for the past few quarters, has finally banned the password-sharing activity among its users. Earlier, one subscriber used to pay for the premium service and used to share that single password with near and dear.

Study reveals top 200 most common passwords

Security Affairs

The annual study on top-used passwords published by Nordpass revealed that we are still using weak credentials that expose us to serious risks. Nordpass has published its annual report, titled “Top 200 most common passwords,” on the use of passwords.

Ubisoft changes employee passwords after “cyber security incident”

Graham Cluley

Video game company Ubisoft, maker of hit titles like Assassin’s Creed and Just Dance says that it has “experienced a cyber security incident” - and as a consequence is changing its employees' passwords.

World Password Day is Dead. Long Live World Password Day!

The State of Security

After chatting with the owner and petting the resident store dog, I took a few guesses at the password protecting these computers.