Authentication, Passwords and Risk - Cyber Security Informer

On Risk-Based Authentication

Schneier on Security

OCTOBER 5, 2020

Interesting usability study: “ More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication “: Abstract : Risk-based Authentication (RBA) is an adaptive security measure to strengthen password-based authentication. Paper’s website.

Authentication

Authentication Risk Passwords

Passwordless Authentication without Secrets!

Thales Cloud Protection & Licensing

OCTOBER 11, 2024

Passwordless Authentication without Secrets! divya Fri, 10/11/2024 - 08:54 As user expectations for secure and seamless access continue to grow, the 2024 Thales Consumer Digital Trust Index (DTI) research revealed that 65% of users feel frustrated with frequent password resets.

Authentication

Authentication Retail Healthcare Manufacturing

A large botnet targets M365 accounts with password spraying attacks

Security Affairs

FEBRUARY 24, 2025

A botnet of 130,000+ devices is attacking Microsoft 365 accounts via password-spraying, bypassing MFA by exploiting basic authentication. SecurityScorecard researchers discovered a botnet of over 130,000 devices that is conducting password-spray attacks against Microsoft 365 (M365) accounts worldwide.

Passwords

Passwords Accountability Authentication Malware

Webinars

How to Avoid Pitfalls In Automation: Keep Humans In the Loop

MORE WEBINARS

On world password day, Microsoft says fewer passwords, more passkeys

Malwarebytes

MAY 2, 2025

If there is a cybersecurity themed day that we would like to get rid as soon as possible its world password day. To quote Microsoft : As the world shifts from passwords to passkeys, were excited to join the FIDO Alliance in leaving World Password Day behind to celebrate the very first World Passkey Day.

Passwords

Passwords Password Management Authentication Accountability

CASMM (The Consumer Authentication Strength Maturity Model)

Daniel Miessler

MARCH 24, 2021

Basically, how secure is someone’s current behavior with respect to passwords and authentication, and what can they do to improve? The idea here is for someone in the security community—or really any security-savvy user—to use this visual to help someone with poor password hygiene. How to use this model.

Authentication

Authentication Passwords Internet Internet

Hunting SMB Shares, Again! Charts, Graphs, Passwords & LLM Magic for PowerHuntShares 2.0

NetSpi Technical

NOVEMBER 14, 2024

It focuses on distilling data related to shares configured with excessive privileges to better understand their relationships and risk. Open cmd.exe and execute PowerShell or PowerShell ISE using the runas command so that network communication authenticates using a provided set of domain credentials. Is the share writable?

Passwords

Passwords Risk Data collection Backups

Why World Password Day Is a Perfect Reminder to Up Your Security Game

SecureWorld News

MAY 1, 2025

As we celebrate World Password Day on May 1st, it's clear that traditional password trickslike swapping "a" with "@" or adding an exclamation point at the endare no longer fooling hackers. Hackers today can guess common patterns and character swaps in mere seconds, leaving those "clever" passwords vulnerable.

Passwords

Passwords Password Management Authentication Mobile

10 Behaviors That Will Reduce Your Risk Online

Daniel Miessler

MAY 14, 2020

What follows is a set of basic security hygiene steps that will significantly reduce your risk online. Use unique, strong passwords, and store them in a password manager. Many people get hacked from having guessable or previously compromised passwords. Enable two-factor authentication on all critical accounts.

Risk

Risk Passwords Password Management Accountability

Your Phone May Soon Replace Many of Your Passwords

Krebs on Security

MAY 7, 2022

Apple , Google and Microsoft announced this week they will soon support an approach to authentication that avoids passwords altogether, and instead requires users to merely unlock their smartphones to sign in to websites or online services. “I worry about forgotten password recovery for cloud accounts.”

Passwords

Passwords Authentication Accountability Mobile

GUEST ESSAY: How the FIDO Alliance helps drive the move to passwordless authentication

The Last Watchdog

DECEMBER 6, 2021

For IT leaders, passwords no longer cut it. This traditional authentication method is challenging to get rid of, mostly because it’s so common. Every new account you sign up for, application you download, or device you purchase requires a password. Lowering password use. So why are they still around?

Authentication

Authentication Passwords Mobile Phishing

GUEST ESSAY: Until we eliminate passwords, follow these 4 sure steps to password hygiene

The Last Watchdog

NOVEMBER 22, 2021

Until biometrics or a quantum solution change our everyday approach to encryption, passwords remain our first line of defense against data breaches, hackers, and thieves. Proper password hygiene doesn’t require a degree in rocket science. 1) Create sufficiently-complex passwords. But simpler passwords are much easier to hack.

Passwords

Passwords Password Management Accountability Data breaches

Passwords in the age of AI: We need to find alternatives

Malwarebytes

MAY 8, 2025

For decades, passwords have been our default method for keeping online accounts safe. A team at Cybernews conducted a study of over 19 billion newly exposed passwords which showed were looking at a a widespread epidemic of weak password reuse. Does that make the password obsolete? But our opponents have.

Passwords

Passwords Artificial Intelligence Identity Theft Password Management

How Spread Betting Platforms Safeguard Traders Against Cyber Risks

IT Security Guru

JANUARY 30, 2025

So, lets explore how spread betting platforms are rising to this challenge and ensuring that their platforms are cyber risk-free. Cyber Risks Facing Spread Betting Platforms Cyber threats are becoming more dangerous than ever, and spread betting platforms are a major target for most of these cyberattacks. Thats true. Enable 2FA.

Cyber Risk

Cyber Risk Risk Penetration Testing Accountability

Phishing evolves beyond email to become latest Android app threat

Malwarebytes

FEBRUARY 11, 2025

Of those malicious apps, 5,200 could subvert one of the strongest security practices available today, called multifactor authentication, by prying into basic text messages sent to a device. They dont crack into password managers or spy on passwords entered for separate apps.

Phishing

Phishing Passwords Mobile Authentication

GUEST ESSAY: Understanding the security limits of the static and dynamic passwords we rely on

The Last Watchdog

JANUARY 31, 2022

We all rely on passwords. For better or worse, we will continue to use passwords to access our computing devices and digital services for years to come. Related : The coming of password-less access. Passwords were static to begin with. They have since been modified in two directions: biometrics and dynamic passwords.

Passwords

Passwords Computers and Electronics Password Management Artificial Intelligence

Turn on MFA Before Crooks Do It For You

Krebs on Security

JUNE 19, 2020

Hundreds of popular websites now offer some form of multi-factor authentication (MFA), which can help users safeguard access to accounts when their password is breached or stolen. When the two of them sat down to reset his password, the screen displayed a notice saying there was a new Gmail address tied to his Xbox account.

Authentication

Authentication Accountability Passwords Mobile

Risk reduction redefined: How compromise assessment helps strengthen cyberdefenses

SecureList

OCTOBER 29, 2024

The primary objective of these services is risk reduction. Policy violations by employees Most organizations focus on external threats; however, policy violations pose a major risk , with 51% of SMB incidents and 43% of enterprise incidents involving IT security policy violations caused by employees.

Risk

Risk Antivirus Accountability Malware

Predatory app downloaded 100,000 times from Google Play Store steals data, uses it for blackmail

Malwarebytes

FEBRUARY 25, 2025

If you find an app from this family or another information stealer on your device, there are a few guidelines to follow to limit the damage: Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you dont use for anything else. Enable two-factor authentication (2FA).

Passwords

Passwords Password Management Phishing Authentication

Crooks bank on Microsoft’s search engine to phish customers

Malwarebytes

NOVEMBER 4, 2024

In this blog post, we take a look at how criminals are abusing Bing and stay under the radar at the same time while also bypassing advanced security features such as two-factor authentication. Once a victim types their user ID and password, criminals will receive the data immediately.

Engineering

Engineering Phishing Banking Authentication

Video: How Hackers Steal Your Cookies & How to Stop Them

eSecurity Planet

NOVEMBER 6, 2024

Though cookies themselves don’t steal passwords, they can be hijacked to access sensitive data. They could even conceal dangerous malware in photos or links on secure websites you visit, and a single click can activate the code, even overcoming multifactor authentication. Cookies track users with unique IDs. How Do You Prevent It?

Identity Theft

Identity Theft Passwords Phishing Accountability

Strengthen your digital defenses on World Password Day

Webroot

APRIL 30, 2025

In todays digital world, passwords have become a necessary part of life. May 1, 2025, is World Password Day , a reminder that passwords are the unsung heroes of cybersecurity, the first line of defense for all your sensitive personal data. World Password Day is more relevant than ever in todays evolving threat landscape.

Passwords

Passwords Password Management Malware Accountability

Warning: Hackers could take over your email account by stealing cookies, even if you have MFA

Malwarebytes

NOVEMBER 5, 2024

The Federal Bureau of Investigation (FBI) has issued a warning that cybercriminals are taking over email accounts via stolen session cookies, allowing them to bypass the multi-factor authentication (MFA) a user has set up. Is convenience worth the risk in this situation? Here’s how it works. There are several ways.

Accountability

Accountability Authentication Malware Banking

Internet Archive was breached twice in a month

Security Affairs

OCTOBER 21, 2024

The Internet Archive was breached again, attackers hacked its Zendesk email support platform through stolen GitLab authentication tokens. Poor cyber hygiene increases the risk of further data breaches and could undermine user trust. Hunt also verified the authenticity of the information included in the stolen archive.

Internet

Internet Internet Data breaches Authentication

When Security Locks You Out of Everything

Schneier on Security

JUNE 28, 2022

Thought experiment story of someone of someone who lost everything in a house fire, and now can’t log into anything: But to get into my cloud, I need my password and 2FA. To get my passwords, I need my 2FA. To get my 2FA, I need my passwords. So which is the bigger risk? I am in cyclic dependency hell. Code is law.

Passwords

Passwords Password Management Backups Risk

Fake Booking.com phish uses fake CAPTCHAs to trick hotel staff into downloading malware

Malwarebytes

MARCH 26, 2025

However, there are a few things you can do to lower your risk. Use a different password for every online account. Choose a strong password that you dont use for anything else. Better yet, let a password manager choose one for you. Enable two-factor authentication (2FA). Not in your browser, not on websites.

Phishing

Phishing Malware Passwords Password Management

Employee monitoring app exposes users, leaks 21+ million screenshots

Malwarebytes

APRIL 28, 2025

This incident echoes a previous Cybernews investigation that found WebWork, another remote team tracker, leaked over 13 million screenshots containing emails, passwords, and other sensitive work data. Change the passwords that may have been seen. You can make a stolen password useless to thieves by changing it.

Passwords

Passwords Phishing Spyware Password Management

Warning over free online file converters that actually install malware

Malwarebytes

MARCH 17, 2025

Other passwords and session tokens that could allow the scammers to bypass multi-factor authentication (MFA). By using one of these online converters you could be at risk of getting infected with ransomware or enable criminals to steal your data or identity in full. Email addresses. Imageconvertors[.]com

Malware

Malware Adware Education Phishing

GUEST ESSAY: Best practices to shrink the ever-present risk of Exchange Server getting corrupted

The Last Watchdog

FEBRUARY 5, 2024

One critical issue faced by organizations that rely on Exchange Server is the risk of a corrupt Exchange Server database cropping up. Navigating new risks Today, heavy reliance on cloud-centric IT infrastructure and cloud-hosted applications has become the norm. Here are a few ‘dos:’ •Rigorous vulnerability management.

Risk

Risk Backups Software Education

Phishing-Resistant MFA: Why FIDO is Essential

Thales Cloud Protection & Licensing

MAY 7, 2025

Traditional Multi-Factor Authentication (MFA), while a step up from password-only security, is no longer enough to fight modern phishing schemes. As malefactors hone their methods, entities must adopt phishing-resistant multi-factor authentication to secure their digital identities.

Phishing

Phishing Authentication Passwords Social Engineering

City of Columbus breach affects around half a million citizens

Malwarebytes

NOVEMBER 4, 2024

Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you. Enable two-factor authentication (2FA). 2FA that relies on a FIDO2 device can’t be phished.

Data breaches

Data breaches Passwords Ransomware Phishing

FBI, Dutch Police Disrupt ‘Manipulaters’ Phishing Gang

Krebs on Security

JANUARY 31, 2025

DomainTools also uncovered evidence that the computers used by The Manipulaters were all infected with the same password-stealing malware, and that vast numbers of credentials were stolen from the group and sold online. ” Police in The Netherlands said the investigation into the owners and customers of the service is ongoing.

Phishing

Phishing Cybercrime Advertising Malware

How to Protect Your Gmail Password: Top Tips for Maximum Security

Hacker's King

DECEMBER 28, 2024

A compromised password can lead to identity theft and data breaches. To safeguard your Gmail password, you need to adopt a few best practices that will enhance your accounts security and keep cyber threats at bay. If hackers gain access to your Gmail password , they could potentially compromise these connected services too.

Passwords

Passwords Identity Theft Accountability Data breaches

The DeepSeek controversy: Authorities ask where does the data come from and how safe is it?

Malwarebytes

JANUARY 30, 2025

No authentication was required, so anybody that stumbled over the database was able to run queries to retrieve sensitive logs and actual plaintext chat messages, and even to steal plaintext passwords and local files. Needless to say, this oversight put DeepSeek and its users at risk.

Artificial Intelligence

Artificial Intelligence Risk Marketing Passwords

Exposed HMIs: A Direct Pathway for Cyberattacks on Critical Infrastructure

SecureWorld News

DECEMBER 17, 2024

government is sounding the alarm on a growing cybersecurity risk for critical infrastructureinternet-exposed Human-Machine Interfaces (HMIs). Failure to do so could allow malicious actors to disrupt operations, alter critical processes, and endanger public health and safety What Are HMIs and Why Are They at Risk?

Internet

Internet Internet Risk Passwords

Grubhub Suffers Data Breach in Third-Party Vendor Incident

SecureWorld News

FEBRUARY 6, 2025

Grubhub recently confirmed a data breach stemming from a third-party vendor, exposing the ongoing risks associated with supply chain security. While these measures contained the incident, the breach underscores the risks inherent in outsourcing critical functions to external vendors. What data was compromised?

Data breaches

Data breaches Accountability Social Engineering Passwords

‘RockYou2024’: Nearly 10 billion passwords leaked online

Malwarebytes

JULY 8, 2024

On a popular hacking form, a user has leaked a file that contains 9,948,575,739 unique plaintext passwords. The list appears to be a compilation of passwords that were obtained during several old and more recent data breaches. To cybercriminals the list has some value because it contains real-world passwords.

Passwords

Passwords Authentication Data breaches Accountability

GUEST ESSAY: Why CISOs absolutely must take authentication secrets much more seriously

The Last Watchdog

MARCH 1, 2023

The IT world relies on digital authentication credentials, such as API keys, certificates, and tokens, to securely connect applications, services, and infrastructures. Related: The coming of agile cryptography These secrets work similarly to passwords, allowing systems to interact with one another.

Authentication

Authentication CISO Passwords Software

RockYou2024: The Largest Password Compilation (10 Billion) Ever Leaked

SecureWorld News

JULY 8, 2024

Online identities continue to be at risk of vulnerabilities. Case in point: a colossal password compilation dubbed "RockYou2024" has emerged, containing nearly 10 billion unique passwords. To put the magnitude of this leak into perspective, RockYou2024 contains nearly 10 billion unique passwords.

Passwords

Passwords Password Management Education Accountability

Seized Genesis Market Data is Now Searchable in Have I Been Pwned, Courtesy of the FBI and "Operation Cookie Monster"

Troy Hunt

APRIL 5, 2023

In its simplest form, the illegal data marketplace has long involved the exchange of currency for personal records containing attributes such as email addresses, passwords, names, etc. We block known breached passwords. We implement two factor authentication. So, we (the good guys) adapt and build better defences.

Marketing

Marketing Passwords Authentication Accountability

Scammers can easily phish your multi-factor authentication codes. Here’s how to avoid it

Malwarebytes

MAY 16, 2024

More and more websites and services are making multi-factor-authentication (MFA) mandatory, which makes it much harder for cybercriminals to access your accounts. A type of phishing we’re calling authentication-in-the-middle is showing up in online media. Use a password manager. That’s a great thing.

Authentication

Authentication Phishing Password Management Scams

Snapchat Password Cracking Tools: A Guide to Staying Safe

Hacker's King

DECEMBER 25, 2024

Tools designed for password cracking often exploit weak security practices, but understanding these methods is vital for safeguarding your account. This guide explores Snapchat password-cracking tools while focusing on ethical ways to enhance security. Weak or simple passwords are particularly vulnerable.

Passwords

Passwords Social Engineering Accountability Scams

LW ROUNDTABLE: Predictive analytics, full-stack visualization to solidify cyber defenses in 2025

The Last Watchdog

DECEMBER 18, 2024

Shashanka Dr. Madhu Shashanka , Chief Data Scientist, Concentric AI Generative AI in 2025 will bring transformative opportunities but heightened cybersecurity risks, including data exposure, AI misuse, and novel threats like prompt injection attacks. Organizations face rising risks of AI-driven social engineering and personal device breaches.

Risk

Risk Threat Detection Technology Phishing

Third-Party Identities: The Weakest Link in Your Cybersecurity Supply Chain

Security Affairs

OCTOBER 28, 2024

A long supply chain adds third-party risks, as each partner’s security affects your own, making identity and access management more challenging. And therein lies the problem: Your enterprise could be at risk if their credentials are unsafe. So, what’s a bit of increased risk where usernames and passwords are concerned?

B2B

B2B Cybersecurity Risk Identity Theft

Hackers Steal Phone, SMS Records for Nearly All AT&T Customers

Krebs on Security

JULY 12, 2024

AT&T also acknowledged the customer records were exposed in a cloud database that was protected only by a username and password (no multi-factor authentication needed). c) of the SEC Rule, due to potential risks to national security and/or public safety. In a regulatory filing with the U.S. million former account holders.

Data breaches

Data breaches Passwords Authentication Accountability

On Risk-Based Authentication

Passwordless Authentication without Secrets!

Webinars

Trending Sources

A large botnet targets M365 accounts with password spraying attacks

Webinars

On world password day, Microsoft says fewer passwords, more passkeys

CASMM (The Consumer Authentication Strength Maturity Model)

Hunting SMB Shares, Again! Charts, Graphs, Passwords & LLM Magic for PowerHuntShares 2.0

Why World Password Day Is a Perfect Reminder to Up Your Security Game

10 Behaviors That Will Reduce Your Risk Online

Your Phone May Soon Replace Many of Your Passwords

GUEST ESSAY: How the FIDO Alliance helps drive the move to passwordless authentication

GUEST ESSAY: Until we eliminate passwords, follow these 4 sure steps to password hygiene

Passwords in the age of AI: We need to find alternatives

How Spread Betting Platforms Safeguard Traders Against Cyber Risks

Phishing evolves beyond email to become latest Android app threat

GUEST ESSAY: Understanding the security limits of the static and dynamic passwords we rely on

Turn on MFA Before Crooks Do It For You

Risk reduction redefined: How compromise assessment helps strengthen cyberdefenses

Predatory app downloaded 100,000 times from Google Play Store steals data, uses it for blackmail

Crooks bank on Microsoft’s search engine to phish customers

Video: How Hackers Steal Your Cookies & How to Stop Them

Strengthen your digital defenses on World Password Day

Warning: Hackers could take over your email account by stealing cookies, even if you have MFA

Internet Archive was breached twice in a month

When Security Locks You Out of Everything

Fake Booking.com phish uses fake CAPTCHAs to trick hotel staff into downloading malware

Employee monitoring app exposes users, leaks 21+ million screenshots

Warning over free online file converters that actually install malware

GUEST ESSAY: Best practices to shrink the ever-present risk of Exchange Server getting corrupted

Phishing-Resistant MFA: Why FIDO is Essential

City of Columbus breach affects around half a million citizens

FBI, Dutch Police Disrupt ‘Manipulaters’ Phishing Gang

How to Protect Your Gmail Password: Top Tips for Maximum Security

The DeepSeek controversy: Authorities ask where does the data come from and how safe is it?

Exposed HMIs: A Direct Pathway for Cyberattacks on Critical Infrastructure

Grubhub Suffers Data Breach in Third-Party Vendor Incident

‘RockYou2024’: Nearly 10 billion passwords leaked online

GUEST ESSAY: Why CISOs absolutely must take authentication secrets much more seriously

RockYou2024: The Largest Password Compilation (10 Billion) Ever Leaked

Seized Genesis Market Data is Now Searchable in Have I Been Pwned, Courtesy of the FBI and "Operation Cookie Monster"

Scammers can easily phish your multi-factor authentication codes. Here’s how to avoid it

Snapchat Password Cracking Tools: A Guide to Staying Safe

LW ROUNDTABLE: Predictive analytics, full-stack visualization to solidify cyber defenses in 2025

Third-Party Identities: The Weakest Link in Your Cybersecurity Supply Chain

Hackers Steal Phone, SMS Records for Nearly All AT&T Customers

Stay Connected