password

Latest

  • Emoji passcodes promise more security than numbers

    by Jon Fingas
    06.16.2015

    There's little doubt that PIN codes are lousy security measures. They're not only easy to crack (there are just 7,290 non-repeating four-digit combos), but hard to remember at first. Intelligent Environments thinks there's a better way: replace them with emoji. Its Android banking app asks you to pick from 44 familiar messaging icons for your passcode, which both expands the potential combinations (to nearly 3.5 million) and should be easier to recall than either numbers or words. The emoji should also eliminate the temptation to use readily available info -- "penguin police pumpkin lipstick" isn't as easy to deduce as your birthday.

  • Time to change your master password, LastPass was hacked

    by Roberto Baldwin
    06.15.2015

    Password-management service LastPass announced today that it "discovered and blocked suspicious activity" on its network on Friday. While the company says that there is no evidence that user vault data (a user's stored passwords) was taken or that accounts were accessed, it did acknowledge that user email addresses, authentication hashes, password reminders and server per-user salts were compromised. LastPass is confident that its encryption is strong enough to make attacking those stolen hashes with any speed difficult. But yeah, if you're a LastPass customer you should change your password. Even though LastPass recommends you change your password if you have a weak master password or use that password on multiple sites, you really should change your master password -- and switch on multifactor authentication -- just in case.

  • iOS flaw tricks you into giving up your iCloud password (updated)

    by Steve Dent
    06.11.2015

    Successful hack attacks often happen not because of tricky coding, but plain old "social engineering" -- i.e., conning people. A GitHub researcher called "jansoucek" has discovered an iOS exploit that works on that principle to steal people's iCloud passwords. The latest version of iOS, 8.3, apparently fails to filter out potentially dangerous HTML code embedded in incoming emails. The researcher's proof-of-concept code takes advantage of that by calling up a remote HTML form that looks identical to the iCloud log-in window. It could easily trick someone into entering their iCloud username and password, then hide the dialog after the user clicks "OK."

  • Governments want to get rid of passwords, too

    by Jon Fingas
    06.09.2015

    It's not just giant tech companies that want to put an end to passwords. Both the US' National Institute of Standards and Technology and the UK's Office of the Cabinet have become the first government bodies to join the FIDO Alliance, giving them a direct say in building more secure (and more universal) sign-in systems. Given how often governments depend on fingerprinting, smart cards and other physical identification methods, the move makes a lot of sense -- they want to encourage security measures that make it tougher for hackers to swipe sensitive data. It'll be a while before you see the influence of these new partners, but you may well be using government-grade ID to access your PC or phone in the future.

  • Facebook tests a new Security Checkup to keep your account safe

    by Richard Lawler
    05.27.2015

    Over the last few years Facebook has made a number of tweaks to make it easier to protect your account from hackers, but that doesn't mean individual users are keeping up. Since there's no point to security features if people don't use them, and hacked accounts are annoying for everyone (why are they always selling sunglasses? Who wants cheap Oakleys that much?) it's testing a new Security Checkup feature. The idea is that it's a simple and straightforward walkthrough for some of the things everyone should keep an eye on in regards to their account -- update the password, double check connected apps and devices, activate login alerts -- and if the response is good, more people will see the prompt soon. If you (or your friend/relative with the account that's constantly pushing spam) aren't seeing it yet, a visit to the Privacy Basics page is another way to make sure things are locked down.

  • 'Photofucket' devs arrested for selling their pic-stealing app

    by Richard Lawler
    05.08.2015

    Years before stolen pictures of celebs hit the internet in a massive bundle, news that Reddit posters were searching for private photos popped up under the term "fusking." As detailed by Buzzfeed in August of 2012, Reddit channels were dedicated to using a security flaw in Photobucket.com to search for pictures posted in private folders. If anyone on the internet knew (or could guess) a private photo's direct URL it was visible, and guessing the default filename of digital photos isn't very difficult. Today the US Department of Justice is announcing the arrest of two men for selling "Photofucket" software that it says stole guest passwords for protected albums and sought out those private pictures.

  • Chrome add-on stops scammers from getting your Google password

    by Jon Fingas
    04.29.2015

    No matter how diligent you are about watching for scam sites trying to swipe your password, there's always the chance that a very convincing page will trick you into handing over the goods. Thankfully, Google just gave you a safety net: its new Password Alert extension for Chrome will warn you if you've reused your Google password on another site. You can ignore the warning if you're not worried, but you'll also have an option of resetting your password right away if you realize that you've made a mistake. It's a small add-on, but it might save you in a moment of weakness... or at least, remind you to spice up your password choices now and then.

  • Yahoo hopes that you'll forget your password

    by Jon Fingas
    03.15.2015

    Twitter isn't the only internet giant that wants to spare you from remembering passwords. Yahoo has just trotted out an optional login process that sends passwords on demand. Sign up and Yahoo will deliver a single-use password to your phone whenever you need to log in -- you can prevent someone from easily hijacking your account no matter what device you're on as long as your handset is nearby. This extra-secure option is only available in the US right now, but there's a good possibility that you'll see it in other countries before long.

  • Tweetdeck lets you share accounts without sharing passwords

    by Billy Steele
    02.17.2015

    Until now, if you wanted to share Twitter log-in credentials with members of your team, it meant sharing a password. Thanks to TweetDeck, you no longer have to use the same info. The 140-character social network now offers TweetDeck Teams for its popular app: a tool that allows groups to employ the same account with admin and contributor roles. When you need to add a colleague to the social workload, all you have to do is authorize that user, and once they accept the invite, they'll be good to go. As you might expect, access can be revoked at any time by the admin, and those folks have control over the password. Contributors can tweet, follow/unfollow, schedule tweets and make lists, but they won't have any access outside of the app. The new feature starts rolling out today for TweetDeck on the web, Chrome and Windows.

  • LastPass native app for Mac works just like the browser add-ons

    by Mariella Moon
    01.21.2015

    If you're on Mac and still stuck using passwords you should never, ever use (come on, man, it's 2015 -- time to move on from "password" and "123456"), LastPass might be able to help you out. The password manager now has a native Mac app, though truthfully, it's not much different from its browser add-ons. It also stores log-ins and passwords, and it comes with a vault where you can organize and edit your info. But, it does have a handful of minor yet useful new features, like hot keys for quick search of log-in credentials/websites as well as the capability to analyze your passwords' strength in real time. Don't bother digging up your old LastPass installer for browsers, though: if you want this new Mac app, you'll have to get it from iTunes for free with ads. You can, however, pay $12 per year to get access to premium features, including offline access to your logins and multifactor authentication.

  • LastPass goes native on Mac for password management

    by John-Michael Bond
    01.20.2015

    LastPass has finally expanded from your browser and your iOS device onto your desktop with its new native app in the Mac App Store. The app brings all of the power of the mobile app to your computer, from password storage to form-filling and secure note sending. If you have already been using the LastPass browser plugins, the presence of a native, offline-capable Mac app provides some parity with the "big kahuna" password manager on the platform, the popular 1Password. By connecting with your LastPass account, the app allows you to seamlessly share data and passwords between all your computers and browsers; while iCloud Keychain does a fine job between OS X and iOS for Safari, it certainly won't play nicely with browsers like Chrome or Firefox, or Android and Windows devices. LastPass, by contrast, is enthusiastically cross-platform, with editions for Internet Explorer on Windows, browsers on Linux, the Opera browser and even the Blackberry. It's also popular with enterprise IT departments, where it's possible to administer the app centrally and enforce baseline security requirements. The Mac app for LastPass includes some special features, like a security challenge tool and a password generator to help you come up with a secure and obscure password (thereby avoiding the shame and general ridicule of seeing your password on a very special list). It allows you to add new passwords and sites to your account quickly and easily. Like the browser plugins, the Mac app syncs with the contents of your online password vault, so you can easily access your key security information wherever you are. The app doesn't charge you for installation, but for $11.99 per year the Premium subscription to LastPass includes unlimited mobile access (with offline caching), family folders for shared logins, and multifactor authentication options. Setting up a LastPass account is easy and free.

  • Is your password on this list of 2014's worst passwords?

    by Steve Sande
    01.20.2015

    No matter how many times digital security experts exhort the public to use strong passwords, there are a surprising number of people who use passwords that are very easy to guess. For some reason, these are usually the same people who are shocked when someone breaks into their computer system and steals credit card or banking information. Well, SplashData has published their list of the worst passwords on the internet, compiled from more than 3 million leaked passwords from 2014. If your password is on this list, shame on you. Please consider using something like 1Password to create strong passwords and remember them for you. The envelope, please... The worst passwords of 2014 are: 123456, password, 12345, 12345678, qwerty, 123456789, 1234, baseball, dragon, football, 1234567, monkey, letmein, abc123, 111111, mustang, access, shadow, master, michael, superman, 696969, 123123, batman, trustno1

  • 1Password log-ins are coming to third-party iOS apps

    by Billy Steele
    07.30.2014

    The popular log-in repository 1Password is about to get a lot more useful on iOS devices. AgileBits has revealed an extension for using the add-on in third-party iOS apps -- if the developer chooses to build in support. Thanks to the enhanced security measures taken by Apple's pending mobile OS update, the option can be included and doesn't require you to go elsewhere in order to sort your passwords in standalone apps. Of course, this is in addition to 1Password's own built-in browser that is currently included, and Touch ID is leveraged to access the secured vault of username credentials. 1Password for iOS is an $18 purchase, and we're not holding our breath for similar functionality to arrive on the Android version anytime soon (although on Android LastPass has a similar feature for logging into apps). While you wait for your favorite software to opt in, there's a handy demo in GIF after the break.

  • 1Password for Windows now lets you manage accounts from your browser

    by Jon Fingas
    06.17.2014

    AgileBits isn't done sprucing up 1Password just because it released a much-needed Android upgrade; it's also showing some love to the Windows version of its secure account manager. The just-launched 1Password 4 for Windows catches up on features in a big way, including the browser extension previously seen only on the Mac. You're now just a shortcut away from fetching credentials or generating an extra-complex password. The revamp also brings WiFi syncing, multiple vaults and a service that warns you when hackers compromise a site.

  • 1Password for Android can now be your only account manager

    by Jon Fingas
    06.10.2014

    For the longest time, AgileBits' 1Password for Android was just a pale shadow of its desktop and iOS counterparts. Besides the ancient interface, you couldn't add anything -- if you signed up for a service, you had to turn on another device just to put the new account behind 1Password's secure walls. As of today, though, the app has caught up. The redesigned 1Password 4 for Android has both a modern interface and true independence; you can add passwords, credit cards and other sensitive info without touching any other hardware. Data syncs like it does on other platforms (including to folders, if you dislike the cloud), and there's a built-in browser if you want to log in as quickly as possible.

  • Spotify alerts Android users to hack, new app now available (update)

    by Sharif Sakr
    05.27.2014

    It's not all good news over at Spotify HQ. The music streaming service says it's just investigated a security breach in which one unlucky user's account was hacked. Despite the apparently limited scale of the attack (at least compared to what happened to eBay last week), Spotify evidently considers the incident to be pretty serious: Over the next few days, it'll start asking users to re-enter their login details, and it'll also push out an update to folks who use the Android app -- a step that will additionally require any offline playlists to be re-downloaded. Meanwhile, if you're the person whose account is at the center of all this, then by now you should have received some special instructions all of your own. Update: The new app is available in Google Play, and it's really a new app. Upon updating their existing version, Android users will no longer be able to use Spotify (hold off on updating if you're not in range of a good connection) and are directed to a different listing in Google Play. You can find the new app here, and it will prompt you to uninstall the previous version once it's installed.

  • eBay asks all users to change their passwords following cyberattack

    by Sharif Sakr
    05.21.2014

    eBay has just posted a strange message up on the community homepage and press page of its daughter company, PayPal. The headline is a bit worrying, implying that eBay has possibly had some kind of security or maintenance problem, leading it to request all users to change their passwords. On the other hand, the body of the post (shown after the break) is empty except for the words "placeholder text," and nothing has yet been published on eBay's own site. We've contacted eBay's press office to find out what (if anything) is going down, but in the meantime it might be worth changing those passwords, just in case. Update: We haven't heard anything back, but PayPal's website people seem to be in the process of removing the password message. It's gone from the community page and is now only visible on the press site, so it's looking increasingly likely that it was posted in error. Update #2: Even if this morning's post was published early by accident, the underlying issue is genuine. eBay has just released an official statement confirming that it has been the victim of a hacker attack that "compromised a database containing encrypted passwords and other non-financial data." It does indeed recommend changing your password.

  • Your fingerprint unlocks LastPass on the Galaxy S5

    by Mariella Moon
    04.29.2014

    On any other phone, you'd have to type in the master password to access all your other passwords stored on LastPass -- including the iPhone, where Touch ID gets you into your phone and iTunes account, but stops there. But on Samsung's Galaxy S5, all you need to do is swipe your finger across the home button, now that the password manager's Android app has been updated to work with the device's biometric scanner. To set that up, you'll first need to type in your credentials like everyone else, and then activate fingerprint authentication for future use. It'll be a lot faster to add or change entries with the feature in place, and in some ways, fingerprint authentication is more secure than using a complex master password. We just hope you have no bitter enemies that'll go as far as to make a fake finger to sabotage your digital life.

  • You might be able to unlock your next Chromebook with your smartphone

    by Sean Buckley
    04.17.2014

    Can't remember your password? Someday, you might not have to. A new feature in Google's Chrome OS dev channel promises to instantly unlock a user's Chromebook whenever their phone is nearby. Unfortunately, the feature doesn't actually work. The verification tool, named Easy Unlock, offers only a brief description and an unfinished setup, which ends in a futile search to pair a device. The feature simply isn't ready, which is probably why it's disabled by default -- but it's certainly a novel idea.

  • What is Heartbleed, anyway?

    by Jose Andrade
    04.12.2014

    If you're an IT professional, gadget blogger or token geek in your circle of friends, chances are, you've been hounded relentlessly over the past couple of days about "this Heartbleed thing." "Do I need to update my antivirus?" "Can I login to my bank account now?" "Google already fixed it, right?" We've heard them all, but the answers aren't all that clear or simple. In an attempt to take the pressure off -- it is the weekend after all -- we've put together a primer that should answer all of those questions and a few more. Next time someone asks you about that "Heartbleed thing," just shoot them in our direction.