Krebs on Security

MAY 19, 2020

In January 2019, dozens of media outlets raised the alarm about a new “megabreach” involving the release of some 773 million stolen usernames and passwords that was breathlessly labeled “the largest collection of stolen data in history.” By far the most important passwords are those protecting our email inbox(es).

Passwords 354

Passwords Accountability Hacking Password Management 354

The Last Watchdog

MAY 24, 2022

This is one giant leap towards getting rid of passwords entirely. Perhaps not coincidently, it comes at a time when enterprises have begun adopting passwordless authentication systems in mission-critical parts of their internal operations. Excising passwords as the security linchpin to digital services is long, long overdue.

Authentication 342

Authentication Passwords Banking Digital transformation 342

Schneier on Security

APRIL 1, 2022

FIDO2 multi-factor authentication systems are not susceptible to these attacks, because they are tied to a physical computer. .” Calling the target, pretending to be part of the company, and telling the target they need to send an MFA request as part of a company process.

Authentication 363

Authentication Hacking Passwords 363

Krebs on Security

SEPTEMBER 29, 2021

In February, KrebsOnSecurity wrote about a novel cybercrime service that helped attackers intercept the one-time passwords (OTPs) that many websites require as a second authentication factor in addition to passwords. An ad for the OTP interception service/bot “SMSRanger.”

Passwords 352

Passwords Mobile Authentication Banking 352

Troy Hunt

MARCH 10, 2021

Pwned Passwords is a repository of 613M passwords exposed in previous data breaches, which makes them very poor choices for future use. They're totally free and they have a really cool anonymity API that ensures no useful information about the password being searched for is ever exposed.

Passwords 346

Passwords IoT Password Management Data breaches 346

Krebs on Security

OCTOBER 13, 2021

A recent phishing campaign targeting Coinbase users shows thieves are getting cleverer about phishing one-time passwords (OTPs) needed to complete the login process. In each case, the phishers manually would push a button that caused the phishing site to ask visitors for more information, such as the one-time password from their mobile app.

Passwords 353

Passwords Phishing Accountability Mobile 353

Schneier on Security

FEBRUARY 1, 2023

This is the result of a security audit: More than a fifth of the passwords protecting network accounts at the US Department of the Interior—including Password1234, Password1234!, The audit uncovered another security weakness—the failure to consistently implement multi-factor authentication (MFA). and ChangeItN0w!—were

Passwords 279

Passwords Accountability Authentication Government 279

Troy Hunt

SEPTEMBER 9, 2021

As technology has evolved, fingers (and palms and irises and faces) have increasingly been used as a means of biometric authentication. But doesn't this all make biometrics like passwords? What happens if someone obtains, say, my fingerprint just like they may obtain my password in a data breach or a phishing attack?

Authentication 331

Authentication Passwords Data breaches Risk 331

Troy Hunt

MAY 27, 2021

Both these announcements are being made at a time where Pwned Passwords is seeing unprecedented growth: Getting closer and closer to the 1B requests a month mark for @haveibeenpwned 's Pwned Passwords. Speaking of natural fits, Pwned Passwords is perfect for this model and that's why we're starting here.

Passwords 358

Passwords Accountability Cybercrime Authentication 358

Krebs on Security

SEPTEMBER 22, 2023

The password manager service LastPass is now forcing some of its users to pick longer master passwords. But critics say the move is little more than a public relations stunt that will do nothing to help countless early adopters whose password vaults were exposed in a 2022 breach at LastPass.

Passwords 304

Passwords Encryption Password Management Cryptocurrency 304

Troy Hunt

DECEMBER 7, 2021

He's not a techie (he runs a pizza restaurant), but somehow, we ended up talking about passwords. Change the password to one 1Password automatically generates c. Obviously, he still has a heap of accounts to set decent passwords on, but now he knows the pattern and he can repeat that over and over again.

Passwords 339

Passwords Password Management Banking Accountability 339

The Last Watchdog

DECEMBER 6, 2021

For IT leaders, passwords no longer cut it. This traditional authentication method is challenging to get rid of, mostly because it’s so common. Every new account you sign up for, application you download, or device you purchase requires a password. Lowering password use. So why are they still around?

Authentication 251

Authentication Passwords Mobile Phishing 251

Krebs on Security

MAY 7, 2022

Apple , Google and Microsoft announced this week they will soon support an approach to authentication that avoids passwords altogether, and instead requires users to merely unlock their smartphones to sign in to websites or online services. “I worry about forgotten password recovery for cloud accounts.”

Passwords 262

Passwords Authentication Accountability Mobile 262

The Last Watchdog

JULY 24, 2023

Accessing vital information to complete day-to-day tasks at our jobs still requires using a password-based system at most companies. Today, bad actors are ruthlessly skilled at cracking passwords – whether through phishing attacks, social engineering, brute force, or buying them on the dark web. Some solutions do this today.

Authentication 245

Authentication Passwords Social Engineering Phishing 245

Schneier on Security

DECEMBER 27, 2023

No passcode fallback is available in the event that the user is unable to complete Face ID or Touch ID authentication. For especially sensitive actions, including changing the password of the Apple ID account associated with the iPhone, the feature adds a security delay on top of biometric authentication.

Authentication 321

Authentication Passwords Accountability 321

Krebs on Security

JUNE 19, 2020

Hundreds of popular websites now offer some form of multi-factor authentication (MFA), which can help users safeguard access to accounts when their password is breached or stolen. When the two of them sat down to reset his password, the screen displayed a notice saying there was a new Gmail address tied to his Xbox account.

Authentication 363

Authentication Accountability Passwords Mobile 363

Daniel Miessler

MARCH 10, 2022

People are starting to get the fact that texts (SMS) are a weak form of multi-factor authentication (MFA). In that post we talked about 8 levels of password security, starting from using shared and weak passwords and going all the way up to passwordless. It completely changes how authentication is done.

Authentication 364

Authentication Phishing Passwords Accountability 364

Schneier on Security

AUGUST 25, 2022

Here’s a phishing campaign that uses a man-in-the-middle attack to defeat multi-factor authentication: Microsoft observed a campaign that inserted an attacker-controlled proxy site between the account users and the work server they attempted to log into.

Phishing 346

Phishing Authentication Passwords Accountability 346

Thales Cloud Protection & Licensing

OCTOBER 11, 2024

Passwordless Authentication without Secrets! divya Fri, 10/11/2024 - 08:54 As user expectations for secure and seamless access continue to grow, the 2024 Thales Consumer Digital Trust Index (DTI) research revealed that 65% of users feel frustrated with frequent password resets.

Authentication 132

Authentication Retail Healthcare Manufacturing 132

Schneier on Security

JANUARY 9, 2024

The malware captures any PINs and passwords the victim enters to unlock their device and can later use them to unlock the device at will to perform malicious activities hidden from view.

Malware 296

Malware Banking Passwords Authentication 296

Schneier on Security

JULY 10, 2024

New attack against the RADIUS authentication protocol: The Blast-RADIUS attack allows a man-in-the-middle attacker between the RADIUS client and server to forge a valid protocol accept message in response to a failed authentication request.

Authentication 276

Authentication Passwords 276

Krebs on Security

JANUARY 21, 2022

The site says it sells “cracked” accounts, or those that used passwords which could be easily guessed or enumerated by automated tools. One example is Genesis Market , where customers can search for stolen credentials and authentication cookies from a broad range of popular online destinations.

Hacking 321

Hacking Cybercrime Passwords Authentication 321

Malwarebytes

JULY 8, 2024

On a popular hacking form, a user has leaked a file that contains 9,948,575,739 unique plaintext passwords. The list appears to be a compilation of passwords that were obtained during several old and more recent data breaches. To cybercriminals the list has some value because it contains real-world passwords.

Passwords 141

Passwords Authentication Data breaches Accountability 141

Troy Hunt

AUGUST 30, 2023

The advice to impacted individuals is as follows: Get a digital password manager to help you make all passwords strong and unique If you've been reusing passwords, change them to strong and unique versions now, starting with the most important services you use Turn on multi-factor authentication wherever it's available, especially for important (..)

Phishing 335

Phishing Password Management Passwords Banking 335

The Hacker News

OCTOBER 7, 2024

The interest in passwordless authentication has increased due to the rise of hybrid work environments and widespread digitization. While traditional password-based systems offer This has led to a greater need for reliable data security and user-friendly interfaces.

Authentication 108

Authentication Passwords Data breaches Risk 108

Krebs on Security

APRIL 6, 2021

. — rely on that number for password resets. From there, the bad guys can reset the password of any account to which that mobile number is tied, and of course intercept any one-time tokens sent to that number for the purposes of multi-factor authentication. It’s time we stopped letting everyone treat them that way.

Mobile 360

Mobile Accountability Passwords Authentication 360

Malwarebytes

MAY 16, 2024

More and more websites and services are making multi-factor-authentication (MFA) mandatory, which makes it much harder for cybercriminals to access your accounts. A type of phishing we’re calling authentication-in-the-middle is showing up in online media. Use a password manager. That’s a great thing.

Authentication 145

Authentication Phishing Password Management Scams 145

Krebs on Security

SEPTEMBER 13, 2023

USDoD claimed they grabbed the data by using passwords stolen from a Turkish airline employee who had third-party access to Airbus’ systems. By stealing these tokens, attackers can often reuse them in their own web browser, and bypass any authentication normally required for that account. Microsoft Corp. government inboxes.

Cybercrime 323

Cybercrime Passwords Authentication Malware 323

SecureList

JUNE 18, 2024

A side effect is that passwords that were impossible to guess just a few years ago can be cracked by hackers within mere seconds in 2024. For example, the RTX 4090 GPU is capable of guessing an eight-character password consisting of same-case English letters and digits, or 36 combinable characters, within just 17 seconds.

Passwords 143

Passwords Password Management Hacking Authentication 143

The Last Watchdog

MARCH 1, 2023

The IT world relies on digital authentication credentials, such as API keys, certificates, and tokens, to securely connect applications, services, and infrastructures. Related: The coming of agile cryptography These secrets work similarly to passwords, allowing systems to interact with one another.

Authentication 222

Authentication CISO Passwords Software 222

The Hacker News

MAY 7, 2024

Google on Monday announced that it's simplifying the process of enabling two-factor authentication (2FA) for users with personal and Workspace accounts. Also called, 2-Step Verification (2SV), it aims to add an extra layer of security to users' accounts to prevent takeover attacks in case the passwords are stolen.

Authentication 142

Authentication Accountability Passwords 142

Krebs on Security

MARCH 26, 2024

Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple’s password reset feature. “It was like this system notification from Apple to approve [a reset of the account password], but I couldn’t do anything else with my phone. .”

Passwords 362

Passwords Accountability Engineering Phishing 362

Troy Hunt

APRIL 5, 2023

In its simplest form, the illegal data marketplace has long involved the exchange of currency for personal records containing attributes such as email addresses, passwords, names, etc. We block known breached passwords. We implement two factor authentication. So, we (the good guys) adapt and build better defences.

Marketing 352

Marketing Passwords Authentication Accountability 352

WIRED Threat Level

OCTOBER 14, 2024

“Passkeys,” the secure authentication mechanism built to replace passwords, are getting more portable and easier for organizations to implement thanks to new initiatives the FIDO Alliance announced on Monday.

Passwords 141

Passwords Authentication Hacking 141

Troy Hunt

AUGUST 29, 2023

Further, the passwords from the malware will shortly be searchable in the Pwned Passwords service which can either be checked online or via the API. Pwned Passwords is presently requested 5 and a half billion times each month to help organisations prevent people from using known compromised passwords.

Malware 325

Malware Passwords Password Management Antivirus 325

Krebs on Security

NOVEMBER 19, 2021

In reality, the fraudster initiates a transaction — such as the “forgot password” feature on the financial institution’s site — which is what generates the authentication passcode delivered to the member. To combat this scam Zelle introduced out-of-band authentication with transaction details.

Scams 363

Scams Banking Passwords Authentication 363

Krebs on Security

JUNE 15, 2024

.” In a SIM-swapping attack, crooks transfer the target’s phone number to a device they control and intercept any text messages or phone calls sent to the victim — including one-time passcodes for authentication, or password reset links sent via SMS.

Hacking 311

Hacking Phishing Cybercrime Passwords 311