The Wages of Password Re-Use: Your Money or Your Life

Krebs on Security

When normal computer users fall into the nasty habit of recycling passwords, the result is most often some type of financial loss. Our passwords can say a lot about us, and much of what they have to say is unflattering. POOR PASSWORDS AS GOOD OPSEC?

Vulnerability in the Kaspersky Password Manager

Schneier on Security

A vulnerability (just patched) in the random number generator used in the Kaspersky Password Manager resulted in easily guessable passwords: The password generator included in Kaspersky Password Manager had several problems.

Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Nihilistic Password Security Questions

Schneier on Security

Uncategorized humor passwords security questionsPosted three years ago, but definitely appropriate for the times.

Pwned Passwords, Version 6

Troy Hunt

Today, almost one year after the release of version 5 , I'm happy to release the 6th version of Pwned Passwords. The data set has increased from 555,278,657 known compromised passwords to a grand total of 572,611,621, up 17,332,964? Pwned Passwords Have I Been Pwned

Home Assistant, Pwned Passwords and Security Misconceptions

Troy Hunt

Pwned Passwords is a repository of 613M passwords exposed in previous data breaches, which makes them very poor choices for future use. Then there's all the occasions where hackers end up controlling devices in the home network again, due to password reuse.

Password Changing After a Breach

Schneier on Security

This study shows that most people don't change their passwords after a breach, and if they do they change it to a weaker password. New passwords were on average 1.3× academicpapers breaches passwords

RockYou2021: The Mother Lode of Password Collections Leaks 8.4 Billion Passwords Online

Hot for Security

billion password entries, presumably obtained from previous data leaks and breaches. Despite the author’s claims that the document contains 82 billion passwords, researchers noted that the “actual number turned out to be nearly ten times lower – at 8,459,060,239 unique entries.”

Risks of Password Managers

Schneier on Security

Stuart Schechter writes about the security risks of using a password manager. It's a good piece, and nicely discusses the trade-offs around password managers: which one to choose, which passwords to store in it, and so on. My own Password Safe is mentioned. My particular choices about security and risk is to only store passwords on my computer -- not on my phone -- and not to put anything in the cloud. passwordsafe passwords riskassessment risks

Cracking Forgotten Passwords

Schneier on Security

It's "useful for cracking passwords you kinda-remember." You tell the program what you remember about the password and it tries related passwords. I learned about it in this article about Phil Dougherty, who helps people recover lost cryptocurrency passwords (mostly Ethereum) for a cut of the recovered value. cryptocurrency passwordsExpandpass is a string expansion program.

Pwned Passwords, Version 5

Troy Hunt

Almost 2 years ago to the day, I wrote about Passwords Evolved: Authentication Guidance for the Modern Era. Shortly after that blog post I launched Pwned Passwords with 306M passwords from previous breach corpuses. I made the data downloadable and also made it searchable via an API, except there are obvious issues with enabling someone to send passwords to me even if they're hashed as they were in that first instance. 3,768,890 passwords.

Ukraine Nabs Suspect in 773M Password ?Megabreach?

Krebs on Security

In January 2019, dozens of media outlets raised the alarm about a new “megabreach” involving the release of some 773 million stolen usernames and passwords that was breathlessly labeled “the largest collection of stolen data in history.”

Email Security, Working from Home and World Password Day

Lohrman on Security

What is the future of passwords? More urgently, how are you doing with using (or reusing) passwords now? Here are some helpful tips ahead of World Password Day on May 6

We Didn't Encrypt Your Password, We Hashed It. Here's What That Means:

Troy Hunt

The organisation involved may have contacted you and advised your password was exposed but fortunately, they encrypted it. Ah, yes, but it wasn't encrypted it was hashed and therein lies a key difference: Saying that passwords are “encrypted” over and over again doesn’t make it so.

Half a Million IoT Device Passwords Published

Schneier on Security

It's a list of easy-to-guess passwords for IoT devices on the Internet as recently as last October and November. The hacker than tried using (1) factory-set default usernames and passwords, or (2) custom, but easy-to-guess password combinations.

Do Password Managers Make You More or Less Secure?

Adam Levin

It’s World Password Day, and much like every other day of the year, the state of password security is terrible. . Despite repeated warnings from security experts and IT departments, “123456” is still the most common password for the last seven years, narrowly edging out “password.”.

Enhancing Pwned Passwords Privacy with Padding

Troy Hunt

Since launching version 2 of Pwned Passwords with the k-anonymity model just over 2 years ago now, the thing has really gone nuts (read that blog post for background otherwise nothing from here on will make much sense). Have I Been Pwned Pwned Passwords

Default Password for GPS Trackers

Schneier on Security

Many GPS trackers are shipped with the default password 123456. We just need to eliminate default passwords. gps passwords trackingMany users don't change them. This is an easy win.

LastPass: Password Manager Review for 2021

eSecurity Planet

LastPass is password management software that’s been popular among business and personal users since it was initially released in 2008. Like other password managers, LastPass provides a secure vault for your login credentials, personal documents, and other sensitive information.

Creating Security-Aware Passwords

Digital Shadows

Note: This blog is an overview of password history and best practices for individuals in honor of World Password Day, The post Creating Security-Aware Passwords first appeared on Digital Shadows. Data Leakage Initial access brokers logins passwords

Password Attacks 101

Security Boulevard

Why are password attacks like brute forcing so effective? Let’s take a look at three kinds of password attacks that present a real threat to sites and businesses of all sizes. Continue reading Password Attacks 101 at Sucuri Blog.

World Password Day, Yet Another Holiday Reminding Us We Should Really Change ‘That’ Password

Hot for Security

The Annual World Password Day painfully reminds us that the concept of people choosing their own passwords seems flawed. Thankfully, things are getting better, and password security is evolving with new tools, but the need for a World Password Day remains.

Kaseya Ransomware Attack, PrintNightmare Zero-day, Kaspersky Password Manager Vulnerability

Security Boulevard

The post Kaseya Ransomware Attack, PrintNightmare Zero-day, Kaspersky Password Manager Vulnerability appeared first on The Shared Security Show. The post Kaseya Ransomware Attack, PrintNightmare Zero-day, Kaspersky Password Manager Vulnerability appeared first on Security Boulevard.

Five worthy reads: Password hygiene – The first step towards improved security

Security Boulevard

This week let’s go back to security basics with password hygiene—the simplest, and yet often overlooked step in account security. Passwords …. The post Five worthy reads: Password hygiene – The first step towards improved security appeared first on ManageEngine Blog.

As Mobile Fraud Rises, The Password Persists

The Security Ledger

A new study released by Incognia that measures user friction in mobile financial apps yields important results about the fate of the password. The post As Mobile Fraud Rises, The Password Persists appeared first on The Security Ledger with Paul F.

Troy Hunt on Passwords

Schneier on Security

Troy Hunt has a good essay about why passwords are here to stay, despite all their security problems: This is why passwords aren't going anywhere in the foreseeable future and why [insert thing here] isn't going to kill them. No amount of focusing on how bad passwords are or how many accounts have been breached or what it costs when people can't access their accounts is going to change that. authentication biometrics passwords

Ubiquiti: Change Your Password, Enable 2FA

Krebs on Security

Ubiquiti , a major vendor of cloud-enabled Internet of Things (IoT) devices such as routers, network video recorders, security cameras and access control systems, is urging customers to change their passwords and enable multi-factor authentication. Change your password.

Gizmodo gives poor password advice

Graham Cluley

On Friday, popular tech news site Gizmodo published an article with the title: “Go Update Your Passwords Right Now”. Data loss Privacy data breach Gizmodo passwordThe problem is, it's just not good advice.

Eliminate the Password, Eliminate the Password Problem.

The Security Ledger

Weak, stolen or reused passwords are the root of 8 in 10 data breaches. Fixing the data breach problem means abandoning passwords for something more secure. Episode 163: Cyber Risk has a Dunning-Kruger Problem Also: Bad Password Habits start at Home.

FBI will share compromised passwords with HIBP Pwned Passwords

Security Affairs

The FBI is going to share compromised passwords discovered during investigations with Have I Been Pwned (HIBP)’s ‘Pwned Passwords’ service. “Feeding these passwords into HIBP gives the FBI the opportunity to do this almost 1 billion times every month.

Five steps to password policy compliance

IT Security Guru

Stealing access to your environment using a known password for a user account is a much easier way to compromise systems than relying on other vulnerabilities. What characteristics make up an effective password policy? Don’t throw away password expiry.

Passwords Advice

Adam Shostack

Bruce Marshall has put together a comparison of OWASP ASVS v3 and v4 password requirements: OWASP ASVS 3.0 & 4.0 Comparison. This is useful in and of itself, and is also the sort of thing that more standards bodies should do, by default. It’s all too common to have a new standard come out without clear diffs. It’s all too common for new standards to build closely on other standards, without clearly saying what they’ve altered and why.

Password Reuse Risk is Exacerbated by Dark Web Data

Security Boulevard

A flood of data to the dark web in the last 12 months has kicked up the cybercrime risk of password reuse. The post Password Reuse Risk is Exacerbated by Dark Web Data appeared first on Security Boulevard.

RockYou2021: Massive data leak of passwords on the dark web

Quick Heal Antivirus

The post RockYou2021: Massive data leak of passwords on the dark web appeared first on Quick Heal Blog | Latest computer security news, tips, and advice. Data breach Password #databreach #newsalert #rockyou2021 Cybersecurity Hacking passwords

Apple asks to ‘Move beyond Password’

CyberSecurity Insiders

Apple Inc, the iPhone maker from America has decided to wage a war against the use of passwords by releasing a new tech for security authentication. Dubbed as PassKeys, the new tech will eliminate the need for users to remember passwords for online service usage. .

Fintech Startup Offers $500 for Payroll Passwords

Krebs on Security

One financial startup that’s targeting the gig worker market is offering up to $500 to anyone willing to hand over the payroll account username and password given to them by their employer, plus a regular payment for each month afterwards in which those credentials still work.

Cracking the Passwords of Early Internet Pioneers

Schneier on Security

Weakest of all was the password for Unix contributor Brian W. None of the passwords included the quotation marks.). I don't remember any of my early passwords, but they probably weren't much better. historyofcomputing historyofsecurity passwordsLots of them weren't very good : BSD co-inventor Dennis Ritchie, for instance, used "dmac" (his middle name was MacAlistair); Stephen R.

Back-to-Basics: Use Strong Passwords

PCI perspectives

Today’s blog focuses on using strong passwords. As small and medium businesses begin to re-open following the pandemic, it’s important to do so securely in order to protect customer’s payment card data.

Billions of Passwords Leaked Online 

Heimadal Security

We might be witnessing the largest collection of leaked passwords of all time, as a 100GB text file leaked by a user on a popular hacker forum contains 8.4 billion passwords. The post Billions of Passwords Leaked Online appeared first on Heimdal Security Blog.

Pwned Passwords, Open Source in the.NET Foundation and Working with the FBI

Troy Hunt

Both these announcements are being made at a time where Pwned Passwords is seeing unprecedented growth: Getting closer and closer to the 1B requests a month mark for @haveibeenpwned 's Pwned Passwords.

How to review password quality in Active Directory

CSO Magazine

More applications and devices are using password repositories to check on password reuse. When you log into your iPhone for example, it now alerts you that passwords you saved in your iCloud keychain may have been reused in other places.

One in six people use pet’s name as password

We Live Security

Other common and easily hackable password choices include the names of relatives and sports teams, a UK study reveals. The post One in six people use pet’s name as password appeared first on WeLiveSecurity. Password

Passwords that have been hacked over 50,000 times

CyberSecurity Insiders

Media has been trying its best to create awareness among online users about the need to go for passwords that are difficult to guess or hack. So, Cybersecurity Insiders has brought a list of 42 passwords that have been hacked over 50,000 times in the past 2 years.

Password Manager Suffers 'Supply Chain' Attack

Dark Reading

A software update to Click Studios' Passwordstate password manager contained malware