A vulnerability (just patched) in the random number generator used in the Kaspersky Password Manager resulted in easily guessable passwords: The password generator included in Kaspersky Password Manager had several problems. All the passwords it created could be bruteforced in seconds. We don’t know.
The UK is the first country to ban default passwords on IoT devices. On Monday, the United Kingdom became the first country in the world to ban default guessable usernames and passwords from these IoT devices. Unique passwords installed by default are still permitted. Another news article.
Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters. Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords. News article.
I also have an article on [thing] and I think it would be a great addition to your blog. So now when people search for [thing], they'll hopefully end up here rather than on the spammy article thus penalising you for your behaviour. No, no it wouldn't and there are all sorts of reasons why not. Just the title. On a popular blog.
Researchers have used thermal cameras and ML guessing techniques to recover passwords from measuring the residual heat left by fingers on keyboards. News article. Others are made of Polybutylene Terephthalate (PBT). PBT keys are less vulnerable. But, honestly, if someone can train a camera at your keyboard, you have bigger problems.
It's "useful for cracking passwords you kinda-remember." You tell the program what you remember about the password and it tries related passwords. I learned about it in this article about Phil Dougherty, who helps people recover lost cryptocurrency passwords (mostly Ethereum) for a cut of the recovered value.
Last August, I launched a little feature within Have I Been Pwned (HIBP) I called Pwned Passwords. This was a list of 320 million passwords from a range of different data breaches which organisations could use to better protect their own systems. Here's what it's all about: There's Now 501,636,842 Pwned Passwords.
This study shows that most people don't change their passwords after a breach, and if they do they change it to a weaker password. Abstract: To protect against misuse of passwords compromised in a breach, consumers should promptly change affected passwords and any similar passwords on other accounts.
We've also added 244M passwords we've never seen before to Pwned Passwords and updated the counts against another 199M that were already in there. The file in the image above contained over 36 million rows of data consisting of website URLs and the email addresses and passwords entered into them.
There's new research on the security of password managers, specifically 1Password, Dashlane, KeePass, and Lastpass. This work specifically looks at password leakage on the host computer. That is, does the password manager accidentally leave plaintext copies of password lying around memory?
The first one was about HSBC disclosing a "security incident" which, upon closer inspection, boiled down to this: The security incident that HSBC described in its letter seems to fit the characteristics of brute-force password-guessing attempts, also known as a credentials stuffing attack.
Organizations in the throes of cleaning up after a ransomware outbreak typically will change passwords for all user accounts that have access to any email systems, servers and desktop workstations within their network. ” WHOLESALE PASSWORD THEFT. “If you want proof we have hacked T-Systems as well.
We celebrated World Password Day on May 6, 2021. Every year, the first Thursday in May serves as a reminder for us to take control of our personal password strategies. Passwords are now an expected and typical part of our data-driven online lives.
This forgery could give the attacker access to network devices and services without the attacker guessing or brute forcing passwords or shared secrets. News article. The attacker does not learn user credentials. This is one of those vulnerabilities that comes with a cool name, its own website, and a logo. Research paper.
The second is from the NSA, CISA, FBI, and the UK’s NCSC, which wrote that the GRU is continuing to conduct brute-force password guessing attacks around the world, and is in some cases successful. News article. The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign.
Enterprise-class password managers have become one of the easiest and most cost-effective ways to help employees lock down their online accounts. As with any business software decision, the password manager discussion starts with requirements, specifically regarding features.
Last August, LastPass reported a security breach, saying that no customer information—or passwords—were compromised. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture.
I think the best article may be Glenn Fleishman's "AgileBits Isn't Forcing 1Password Data to Live in the Cloud," but also worth reading are Ken White's "Who moved my cheese, 1Password?," and "Why We Love 1Password Memberships," by 1Password maker AgileBits. If password storage is local, there is not a fat target at Agilebits.
million) as part of a probe into a security lapse in March 2019, when the company disclosed that it had mistakenly stored users' passwords in plaintext in its systems. The investigation, launched by the DPC the next month, found that the social media giant violated four different articles under the European Union's
There are lots of articles out there telling people how to better secure their computers and online accounts. While I agree with some of it, this article contains some particularly bad advice: 1. Create hard-to-crack 12-character passwords. It would be great if she suggested a password manager to remember them all.
The discovered flaws can be abused to recover the password of the Wi-Fi network, launch resource consumption attacks, and force devices into using weaker security groups. WPA3-Personal), where one password is shared among all users. News article. Our side-channel attacks target the protocol's password encoding method.
If given the choice, most users are likely to favor a seamless experience over complex security measures, as they don't prioritize strong password security. By implementing the right best practices and tools, you can strike a balance between robust password security and a frictionless user experience (UX). This article
Credential stuffing is the automated injection of stolen username and password pairs into website login forms, in order to fraudulently gain access to user accounts. Besides listening to us telling you that you should not reuse passwords across multiple platforms, there are some other things you can do. Start using a password manager.
Problems arise for businesses when they base their access management programs entirely around passwords, however. Such programs overlook the burden that passwords can cause to users as well as to IT and security teams. Passwords: An unsustainable business cost. Users have too many passwords to remember on their own.
From Brian Krebs : A Croatian national has been arrested for allegedly operating NetWire, a Remote Access Trojan (RAT) marketed on cybercrime forums since 2012 as a stealthy way to spy on infected systems and siphon passwords. The article details the mistakes that led to the person’s address.
Surprisingly, one of the most potent weapons in their arsenal is not malicious code but simply stolen or weak usernames and passwords. This article explores the seriousness of compromised credentials, the challenges they present to security solutions, and the
The average internet user has somewhere around 100 accounts, according to NordPass research, meaning they have to track 100 different passwords or risk using the same one over and over. Users can share password files securely with encrypted transmissions. Vault health reports Directory sync Secure password sharing. Key Features.
A new study that examines the current state of password policies across the internet shows that many of the most popular websites allow users to create weak passwords. For the Georgia Tech study , the researchers designed an algorithm that automatically determined a website’s password policy.
The streaming media platform Plex is urging its users to reset passwords after threat actors gained access to its database. Exposed data includes emails, usernames, and encrypted passwords. The company is urging all users to immediately reset account passwords and log out of all devices connected to its service.
Don’t forget: You can read the full article on eSecurity Planet. Though cookies themselves don’t steal passwords, they can be hijacked to access sensitive data. Adopt Strong Password Policies Promote the use of strong, unique passwords and enforce regular password updates. What Are Cookies?
I wrote an article recently on how to secure your home network in three different tiers of protection. Use unique, strong passwords, and store them in a password manager. Many people get hacked from having guessable or previously compromised passwords. These are the diet and exercise of the computer safety world.
This week Stuart Schechter, a computer scientist at the University of California, Berkeley, is launching DiceKeys, a simple kit for physically generating a single super-secure key that can serve as the basis for creating all the most important passwords in your life for years or even decades to come. Another news article.
this was just super good fun, it's now all hooked up to Alexa too) Pwned Passwords is getting bigger and bigger (more than half a billion queries in a month now) I hate spam and I hate being asked to link to spammy articles (but I love the outcome of this blog post!) References We built a Nerf Gun wall!
It can be a real hassle to keep track of the passwords you use. So many people use the same combination of username and password for every account. You see, these days, many data breaches could be traced back to people using the same password across multiple accounts. And finding that password is even easier.
Are you using the same passwords in multiple places online? Read more in my article on the Hot for Security blog. Well, stop. Stop right now. And make sure that you've told your friends and family to stop being reckless too.
Those who clicked the link for details were asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware. Executing this series of keypresses prompts the built-in Windows Powershell to download password-stealing malware.
Threat actors can gain elevated privileges by exploiting weak password policies and misconfiguration, which further results in lateral movement and deeper network compromise. In this article, we will learn about the harm that Kerberoasting causes, also its impact
Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity. A YubiKey Security Key made by Yubico. a mobile device).
Authentication-related attacks grew in 2022, taking advantage of outdated, password-based authentication systems, according to a study commissioned by HYPR, a passwordless multifactor authentication (MFA) provider based in the US.
The penny first dropped for me just over 7 years ago to the day: The only secure password is the one you can't remember. In an era well before the birth of Have I Been Pwned (HIBP), I was doing a bunch of password analysis on data breaches and wouldn't you know it - people are terrible at creating passwords! Everywhere.
They could manipulate everything and even change users' emails/passwords to lock them out of their watch. News article. This means that an attacker could get full access to all account information and all watch information. They could view any user of the system and any device on the system, including its location.
From there, the attacker can reset the password of any account which uses that phone number for password reset links. Any online accounts that you value should be secured with a unique and strong password, as well the most robust form of multi-factor authentication available.
New estimates are that 30% of the SolarWinds victims didn’t use SolarWinds: Many of the attacks gained initial footholds by password spraying to compromise individual email accounts at targeted organizations. The New York Times has repeated this attribution — a good article that also discusses the magnitude of the attack.)
A recent article released by cybersecurity and antivirus firm Bitdefender shows that 8.4 Quidd (4 million records): An archive of 4 million usernames, email addresses, and hashed passwords from online marketplace Quidd were found online following an April data breach. Marriott (5.2