passwords

Latest

  • ASSOCIATED PRESS

    Researchers easily breached voting machines for the 2020 election

    by Christine Fisher
    09.27.2019

    The voting machines that the US will use in the 2020 election are still vulnerable to hacks. A group of ethical hackers tested a bunch of those voting machines and election systems (most of which they bought on eBay). They were able to crack into every machine, The Washington Post reports. Their tests took place this summer at a Def Con cybersecurity conference, but the group visited Washington to share their findings yesterday.

  • SOPA Images via Getty Images

    DoorDash security breach affects nearly 5 million users

    by AJ Dellinger
    09.26.2019

    DoorDash announced today that it suffered a security breach that affected 4.9 million users. According to the company, on May 4th, 2019, an unauthorized third party gained access to information belonging to DoorDash users including consumers, delivery drivers and merchants who joined the platform on or before April 5th, 2018. The information accessed included names, email addresses, physical addresses used for deliveries, order histories, phone numbers and passwords, which were encrypted using hashing and salting techniques. The company is advising users to reset their passwords, though it is not believed that any passwords have been compromised.

  • Microsoft

    Windows 10 preview tests password-free sign-ins

    by Jon Fingas
    07.10.2019

    Microsoft is taking its disdain for passwords to a new level. It just released a Windows 10 preview for Fast ring Insiders that gives you the option to make all accounts on a particular device "passwordless" when logging into the operating system. Flick a switch in settings (under Accounts -> Sign-in options) and a password won't work at all. You'll have to use Windows Hello face recognition, fingerprint detection, a PIN code or a physical security key to unlock your system. If you don't already have Hello enabled, Microsoft will walk you through it the next time you sign in.

  • AP Photo/Ng Han Guan

    Google stored some business passwords as plain text

    by Jon Fingas
    05.21.2019

    Facebook isn't the only big tech company found to be storing passwords in plain text. Google has warned G Suite users that an "error" in a password recovery implementation left some of their passwords unhashed on its internal systems since 2005 until that method was discontinued. Other plain passwords had been temporarily stored since January 2019, Google said. All those systems were encrypted, and there was "no evidence" that someone had misused the info, but it still raised the possibility that an intruder could have direct access to logins if they cracked the encryption.

  • Bloomberg via Getty Images

    New York AG is investigating Facebook over email contact scraping

    by Kris Holt
    04.25.2019

    The New York attorney general's office will investigate Facebook's "unauthorized collection of 1.5M of their users' email contact databases." Earlier this month, it emerged the company had been scraping the contact lists of some users who joined the service after 2016.

  • Chesnot via Getty Images

    Facebook stored millions of Instagram passwords in plain text

    by Christine Fisher
    04.18.2019

    Last month, news broke that Facebook employees had access to up to 600 million user passwords, which had been stored in plain text. Today, the company revealed that millions of Instagram passwords were also stored in a readable format. An internal investigation determined the stored passwords were not internally abused or improperly accessed, but this adds to the growing list of privacy issues the company seems to be racking up.

  • ASSOCIATED PRESS

    Facebook stops asking new users for email passwords

    by Amrita Khalid
    04.03.2019

    Facebook has halted a sketchy practice of asking some new users for their outside email credentials in order to verify their accounts. After a Twitter user on Sunday shared a screenshot of Facebook asking them for the password to their email, the social media giant faced intense criticism from security professionals. A spokesman for Facebook told The Daily Beast that it would no longer engage in this practice.

  • Mozilla

    Firefox Lockbox provides access to your passwords on Android

    by Jon Fingas
    03.26.2019

    Mozilla's Firefox Lockbox has been helping iOS users keep tabs on their many passwords for a while, and now it's making that tool available on Android. Like its iOS counterpart, the app helps you fetch any password you already have stored in Firefox (and thus synced across your devices). It's not a traditional manager, then -- this is more for ensuring that you can sign into a streaming service on a friend's TV.

  • ASSOCIATED PRESS

    Over 20,000 Facebook employees had access to 600 million user passwords

    by Kris Holt
    03.21.2019

    It's a day of the week ending in the letter "y," so it should come as little surprise there's news of another Facebook privacy transgression. The company says it found in January that some user passwords were stored in plain text on its servers. Facebook's systems are supposed to mask passwords, and it has since fixed the issue.

  • Australian Federal Police

    Man arrested for selling Netflix and Spotify accounts

    by AJ Dellinger
    03.13.2019

    The Australian Federal Police (AFP) announced today that they arrested a man accused of selling stolen login credentials online. The unnamed man, a 21-year-old living in Sydney, Australia, operated a website called WickedGen.com that advertised having almost one million usernames and passwords for Netflix, Spotify, Hulu and other services. Police believe he generated AU$300,000 (about $211,000) selling the stolen logins.

  • designer491 via Getty Images

    Researcher finds macOS bug but won’t share details with Apple

    by Kris Holt
    02.06.2019

    A researcher has discovered an exploit that can expose passwords on macOS, but says he won't share details of the bug with Apple because of its bug bounty policies. Linus Henze posted a demo video of the KeySteal exploit this week. It seems to grab passwords from login and system keychains without requiring administrator privileges, with a simple click of a button. It works on the latest version of macOS Mojave, though it doesn't seem to affect items stored in iCloud's keychain.

  • Anadolu Agency via Getty Images

    Chrome can tell you if your passwords have been compromised

    by Nathan Ingraham
    02.05.2019

    Given the frequency of hacks and data leaks these days, chances are good that at least one of your passwords has been released to the wild. A new Chrome extension released by Google today makes it a little easier to stay on top of that: Once installed, Password Checkup will simply sit in your Chrome browser and alert you if you enter a username / password combination that Google "knows to be unsafe." The company says it has a database of 4 billion credentials that have been compromised in various data breaches that it can check against.

  • fizkes via Getty Images

    Collection 1 data breach covers more than 772 million email addresses

    by Richard Lawler
    01.16.2019

    If you're signed up for one of the many services that alerts you to data breaches when they're discovered (if you're not, you probably should be) then you likely have an email waiting for you. Troy Hunt runs Have I Been Pwned where he makes it his business to dig up these files as they're being passed around by hackers, and has alerted the world to "Collection #1," which claims to combine usernames and passwords from thousands of databases.

  • Illustration by Koren Shadmi

    So, you got an IoT device for the holidays

    by Violet Blue
    12.28.2018

    IoT devices are at once a grotesquerie for the security- and privacy-conscious, and a delicious, convenient poison. And chances are pretty good you got one as a holiday gift. You might say we're in the heyday of IoT — though a significant number of infosec professionals might be more inclined to call it the apex of the Internet of Shit. They have a point. Even just a glance at recent headlines is enough to convince anyone that the so-called smartness of these products is a bit lacking.

  • Elise Amendola | AP

    1Password no longer automatically submits passwords on Macs

    by Kristen Bobst
    10.12.2018

    Updates to 1Password mean that, while you can run the application in dark mode to match your macOS Mojave's nighttime setting, the password manager will no longer automatically submit previously filled passwords. In 1Password 7.2, you will have to press the enter key to submit your passwords in Safari, which is an improvement to the tool's security.

  • YubiKey

    YubiKey 5’s FIDO2 support will help you ditch passwords entirely

    by Swapna Krishna
    09.24.2018

    If you're looking to ditch passwords altogether, then Yubico has some good news for you. The company touts its new YubiKey 5 series as the first to support FIDO2, a standard that allows you to lose passwords entirely. It's been recently supported by Chrome, Firefox and Microsoft Edge.

  • Project Verify

    US carriers create single sign-on service that could end passwords

    by Kris Holt
    09.13.2018

    AT&T, Sprint, T-Mobile and Verizon have teamed up to create a single sign-on service that could mean you won't have to use a password manager or remember your (hopefully strong) login credentials for every app on your phone. The carriers say Project Verify can authenticate your logins by confirming your identity using factors like your phone number, SIM card information, the type of phone account you have, IP address and how long you've had your plan.

  • Engadget

    Firefox takes a big step towards eliminating passwords

    by Swapna Krishna
    05.09.2018

    Today, Mozilla released Firefox 60 for Windows, Mac, Linux and Android, and with it arrives Web Authentication API for desktop browsers. This is a new security standard that allows Firefox users to log into all their online accounts with a single device, such as YubiKey. It doesn't mean that you don't have to use passwords anymore; only websites that recognize Web Authentication will work. But it's a huge first step to eliminating passwords altogether.

  • fotomay via Getty Images

    Disqus reveals it suffered a security breach in 2012

    by Richard Lawler
    10.06.2017

    Another day, another security breach (and another, and another...). This time it's Disqus, which is revealing that in 2012 -- around the time when Engadget used Disqus for comments -- hackers made off with some of its data, covering a snapshot of usernames and associated email addresses dating back to 2007, as well as "sign-up dates, and last login dates in plain text for 17.5mm [sic] users." More distressing is news that it also coughed up passwords for a third of those accounts, which were in hashed (SHA1) form but it's possible the attackers could have decrypted them.

  • Shutterstock / leungchopan

    The man who put us through password hell regrets everything

    by Swapna Krishna
    08.08.2017

    If you rue the inevitable day when IT makes you change your password, you're not alone. It is incredibly frustrating to constantly think of a new password with a capital letter, a special character and numbers that isn't a variation on your old password. And it turns out that we're pretty bad at it, which is why the man responsible for the password hell we've been in this past decade has recanted his recommendations.