password
Latest
Microsoft Edge now supports passwordless sign-ins
Edge users will soon be able to securely sign into websites without having to remember their passwords. Microsoft has today announced support for the Web Authentication specification in the browser, which will let you log on using Windows Hello hardware (so that's IR cameras and fingerprint readers), as well as PINs or external FIDO2 security keys, like the one launched by Google last week.
Frontier Communications' password bug lets anyone into your account
While you might feel more at ease knowing your personal information is protected by two-factor authentication, a bug in Frontier's password reset system is demonstrating that vulnerabilities can open your info up to exposure even when that extra level of protection is available. The internet giant's password system sends users a two-factor code when they initiate a reset, but ZDNet reports that the system lets you enter as many codes as you want, opening up users' accounts to a breach. Spotted by security researcher Ryan Stevenson, the bug means a determined attacker with some time on their hands could get into an account with just a username or an email address.
Twitter warns all users to change passwords following internal bug
Twitter announced today that a bug allowed users' passwords to be stored internally without being masked. When things are working correctly, Twitter stores hashed passwords, turning them into random letters and numbers so that no one at the company can see what any user's password is. But a bug caused passwords to be stored within an internal log before the hashing process was complete. Twitter says that it spotted the problem itself and fixed it. But while it claims there has been no evidence that the passwords were misused or that they left the company's systems, Twitter is recommending that everyone change their passwords just to be safe.
TaskRabbit returns following data breach it can't account for
Handyman-for-hire app TaskRabbit was the target of a data breach on Monday, resulting in both the app and website being taken offline while the company investigated the apparently intentional attack. Both are now back up and running, although the company has not said how the breach occurred or what information had been compromised.
Windows 10 update will support more password-free logins
It's not just web browsers that are moving beyond passwords. Microsoft has revealed that Windows 10's next update will support the new FIDO 2.0 standard, promising password-free logins on any Windows 10 device managed by your company or office. You could previously use Windows Hello to avoid typing in a password, of course, but this promises to be more extensive -- you could use a USB security key to sign into your Azure Active Directory.
Web standard brings password-free sign-ins to virtually any site
Tech companies have been trying to do away with web passwords for years, but now it looks like they've reached a key milestone. The FIDO Alliance and W3C have launched a Web Authentication standard that makes it easier to offer truly unique encryption credentials for each site. That, in turn, lets you access virtually any online service in a PC browser through password-free FIDO Authentication, not just specific services. You can continue to use familiar methods like fingerprint readers, cameras and USB keys, and it can serve both in place of and in addition to passwords.
Google is making it easier to download all your Chrome passwords
Chrome users will soon be able to export their saved passwords in a text file in just a couple of easy steps. It's never been an impossible task to do this, but it's been a more convoluted exercise than the long-awaited solution Google is planning. The news, revealed by Chrome evangelist Francois Beaufort on Google+, doesn't stipulate a timeframe for the feature, which is currently being tested by developers. But if you want to try it out now, switch to dev mode, search for "passwords" in Chrome settings, look for the three dot menu named "saved passwords" and click "export passwords". Everything saved in Chrome will be exported into a text (.csv) file which can then be imported easily into other password managers.
1Password now lets you see if your password has been leaked
If you have a 1Password membership, you can now check to see if your passwords have been compromised by data breaches and leaked on the internet. It's just a proof of concept feature for now, but 1Password says that in future releases, it will be added to Watchtower within 1Password apps. The feature is an integration of Troy Hunt's Pwned Passwords service that includes over 500 million leaked passwords.
LastPass rolls out Android Oreo autofill to the public
No need to sign up for LastPass beta anymore if Android Oreo has already made it to your device. The password manager has started rolling out autofill to the stable app for Google's latest mobile platform, according to the company's director of engineering, Anatoly Ivasyuk. If you've already been testing for LastPass, though, take note that you won't be able to uninstall the beta version of the app yet.
How security became more important than convenience
Since the dawn of infosec, the belief that we users are a group of dullard cattle who blindly trade our own security for convenience at every turn has been trumpeted by the stewards of IT and the infosec-arrogant, while bolstered by old research. Not anymore, says a new in-depth study from IBM on consumers' relationships with biometrics, authentication and the future of identity. If they have a choice, consumers now prefer taking extra security steps over using "123456" as a password.
Hawaii governor couldn't log in to Twitter after false missile alert
For most of us, forgetting a password means spending five minutes messing around with authentication emails and reset links. It's annoying, but it's not the end of the world. It was a different story for Hawaii governor David Ige earlier this month, though. After an employee at the state's Emergency Management Agency accidentally sent out a mass text warning of a "BALLISTIC MISSILE THREAT", it took Ige 17 minutes to send out a reassuring tweet -- because he couldn't log in to Twitter.
Paul Manafort's password inspiration: Bond. James Bond.
Apparently, being involved in high-level political intrigue doesn't guarantee that you'll be any good at password management. Security researchers speaking to Motherboard have discovered that former Trump campaign manager and international lobbyist Paul Manafort used uncannily appropriate password variations for his old (2012-2013) Adobe and Dropbox accounts: Bond007. Yes, you read that correctly -- as Christina Wilkie notes, this was a secret foreign agent signing in as another secret foreign agent. Cheekiness aside, the James Bond nod underscores the tendency toward terrible password habits and how they can have very real consequences.
The man who put us through password hell regrets everything
If you rue the inevitable day when IT makes you change your password, you're not alone. It is incredibly frustrating to constantly think of new passwords with a capital letter, a special character and numbers that isn't a variation on your old password. And it turns out that we're pretty bad at it, which is why the man responsible for the password hell we've been in this past decade has recanted his recommendations.
Need a new password? Don't choose one of these 306 million
Troy Hunt, the security expert behind Have I Been Pwned (HIBP), has released 306 million previously-pwned passwords in a bid to help individuals and companies ramp up their online security. The passwords have been mined from dozens of data breaches, and now anyone can download them for free. HIBP lets someone see if their email address has appeared in a breach, but doesn't reveal the associated password for that particular compromised service. Now, Hunt -- who has written extensively on password protection -- has flipped the model on its head, making passwords searchable without the associated email address or username.
Google will nudge SMS two-factor users to try its way instead
Google rolled out a new look and feel for two-factor authentication earlier this year, and soon it will encourage people still using the text message-based system to try it out. Google Prompt pops up a notification on authorized mobile devices with information about a login attempt, including what device it's coming from.
Man gets 180 days in jail for not handing over his iPhone PIN
US courts are still torn about how to handle defendants who refuse to give up passcodes for encrypted smartphones, judging by two recent court cases reported in the Miami Herald. In one, child abuse defendant Christopher Wheeler got six months in jail for failing to provide a correct code, despite pleas to the judge that he couldn't remember it. In a different court, a judge let off Wesley Victor (accused of extortion), even though he also claimed to have forgotten his iPhone code.
LastPass will store two-factor codes alongside your passwords
Keeping track of a list of secure passwords across your myriad accounts and services is a nightmare, but it's necessary for the future we live in. LastPass, the password management app, wants to make it a little more convenient on mobile. With the latest update to its authenticator application, two-factor authentication codes will now be stored in your password locker along with everything else.
Crafty prisoners hid DIY computers, committed identity theft
In what sounds like a plot line from Orange is the New Black, a pair of Ohio prison inmates took decommissioned computers, used them for nefarious purposes and hid them from guards by stashing the machines in a ceiling. According to regional news site Cleveland the two inmates, Adam Johnston and Scott Spriggs, pilfered computers that were supposed to be torn down and recycled and instead used them to connect to Ohio's Department of Rehabilitation and Correction network. They then created access cards for restricted areas.
Critical security flaws found in LastPass on Chrome, Firefox (updated)
Last year Google Project Zero researcher Tavis Ormandy quickly found some "obvious" security problems in the popular password manager LastPass, and now he's done it again. Last week Ormandy mentioned finding an exploit in one version of its extension for Firefox, before following that up with a new bug that affected both Chrome and Firefox, and finally a third vulnerability that could allow "stealing passwords for any domain."
The best password managers
By Joe Kissell This post was done in partnership with The Wirecutter, a buyer's guide to the best technology. When readers choose to buy The Wirecutter's independently chosen editorial picks, it may earn affiliate commissions that support its work. Read the full article here. If you're not using a password manager, start now. As we wrote in Password Managers Are for Everyone—Including You, a password manager makes you less vulnerable online by generating strong random passwords, syncing them securely across your browsers and devices so they're easily accessible everywhere, and filling them in automatically when needed. After 15 hours of research and testing, we believe that LastPass is the best password manager for most people. It has all the essential features plus some handy extras, it works with virtually any browser on any device, and most of its features are free.
