passwords
Latest
LastPass Families can manage passwords for a household of six
It's hard enough keeping track of your own passwords, let alone your family's. Unless you plan on outfitting your brood with biometric rings, your best bet is to sign up to a password managing tool. That way you can keep track of the logins your clan is racking up, and even reference them to create unique passwords in the future. Most popular services, such as 1Password, already offer family plans. And soon that small list will include LastPass too.
DOJ code-breaking project found unencrypted on the internet
Encryption is the key to our digital privacy. It keeps eavesdroppers from reading your private conversations and checking out which sites you're visiting. It's important enough that iOS and Android will encrypt your entire device just in case it falls into the wrong hands.
Lastpass addresses two major vulnerabilities found by users
Bad news, LastPass users: bug bounty hunters found two major security exploits with the password manager's browser extensions. Good news? Both of them have already been patched. In a quick update to the company blog, LastPass commented on a pair of separate, unrelated bugs that opened its browser extension to attacks exploitable by phishing.
Hacker hijacks @Deray by redirecting his Verizon phone number
While everyone freaks out over passwords to millions of Twitter accounts floating around, the hijacking of yet another high-profile account shows that hackers don't necessarily need your password. Activist and former mayoral candidate Deray Mckesson was the latest to have his account taken over, with an attacker deciding to claim Deray supports Donald Trump. According to Mckesson, this happened even though the hacker didn't have his password, and he had two-factor authentication turned on for his account. In this case, the hacker went a step further, by hijacking his phone number with the help of Verizon customer service.
Twitter locks 'millions' of accounts with exposed passwords
While Twitter maintains that its servers have not been hacked, the company now says it has "cross-checked" the account data noted by LeakedSource and is taking pre-emptive measures. Particularly notable in light of hacks that have recently affected accounts from Katy Perry to Mark Zuckerberg to the NFL, the social network said it has identified a number of accounts for extra protection. No matter where the information came from, whether via malware or shared passwords revealed in hacks of other services, any accounts with "direct password exposure" have been locked (similar to pre-emptive moves Netflix and others are using when they see account details floating around), and emails were sent to the owner prompting for a password reset.
Who hacked Facebook?
Late last week, a hacker named Orange Tsai wrote about how he hacked into Facebook under the aegis of its bug bounty program. A bug bounty is when a company pays hackers for vulnerabilities they find, providing the company with real-world threat testing outside the scope of its security team. But Tsai found much more than a bug. He discovered that another hacker had been in the company's systems for around eight months, grabbing employee usernames and passwords -- and probably more.
Too many people still use terrible passwords
The fifth annual SplashData chart of the internet's worst passwords is out, and it looks like people just can't learn the lesson. The firm has aggregated the passwords from around two million that were leaked in 2015, finding that basic, easy-to-guess terms are still in abundance. The most popular code behind which people store their valuables is "123456," with "password" sitting comfortably in second place. Places three and four are similarly guessable, with "12345678" and "qwerty" being the... look, guys, just no, please stop doing this.
Google's creepy plan to kill the password
In the grab bag of Google/Alphabet's big projects for 2016 is Project Abacus. It's basically the company's plot to kill the password in cold blood, by replacing it with smartphone user authentication via an uncrackable collection of biometric readings. Abacus would lock or unlock devices and apps based on a cumulative "trust score" -- as your phone continually monitors and recognizes your location patterns, voice and speech patterns, how you walk and type, and your face (among other things). Like many things Google, it sounds miraculous. Your phone will just know it's you. And infosec pundits who believe we're stuck in password-hell Groundhog Day because "regular" people won't do security if it's inconvenient, will rejoice.
Time Warner Cable: 320,000 customers may have been hacked
Time Warner Cable (TWC) may have a data breach on its hands. The cable outfit told Reuters that up to 320,000 customers' email passwords were potentially comprised, either through phishing or hacking of third-party companies that store TWC customer information. The FBI notified the company of the possible attack, saying that some of its customers' emails and account passwords "may have been compromised."
LastPass gets acquired by remote desktop service LogMeIn
The popular password manager LastPass will soon have a new home at LogMeIn, which runs a remote desktop management service, the companies announced today. But don't fret if you're an existing LastPass user: LogMeIn says it'll keep the service and brand alive, while also adding in technology from Meldium, another password service it recently acquired. The news comes amid a busy year for LastPass. Back in June, the company announced that it was hacked, and a few months ago it added free mobile password support. For the most part, the acquisition seems to be about making LogMeIn a more desirable choice for businesses who want to give employees a simple way to secure their many passwords, across a variety of online services.
LastPass is now free on mobile, but cross-device syncing costs extra
If you've been wanting to play around with LastPass on your mobile device without paying the $12 annual fee for premium support, today is your day: the password manager just added mobile to its free tier. What's the catch? You only get it on mobile. Starting today, LastPass users will get unlimited use of the password manager on desktops or smartphones or tablets -- but if you want to sync passwords between your devices, you'll have to pony up for a subscription.
ICYMI: Password via voice recognition, drone delivery & more
#fivemin-widget-blogsmith-image-271554{display:none;} .cke_show_borders #fivemin-widget-blogsmith-image-271554, #postcontentcontainer #fivemin-widget-blogsmith-image-271554{width:570px;display:block;} try{document.getElementById("fivemin-widget-blogsmith-image-271554").style.display="none";}catch(e){}Today on In Case You Missed It: Customers at the Netherlands ING Bank can now check their account balance by saying "my voice is my password." A delivery company named Workhorse is testing out a parcel delivery service with drones, from a base at the tops of delivery vans. And Microsoft researchers have outlined how to record content viewable with HoloLens and a very odd assortment of characters are ready to entertain you.
Medium ditches passwords for single-use email links
Passwords are, by many accounts, quickly going the way of the dodo. And while many sites now allow users to log in via social media, they're not always a viable option. That's why (as an alternative to logging in via Facebook or Twitter) blog-publishing platform Medium is trying a different tactic: getting rid of passwords entirely. Users will simply click a login button and check their email as Medium sends a single-use, time-limited password link to grant access. It's basically the same process used to reset a forgotten password, save that you won't have to set a new (equally-forgettable) login.
How do you convince friends and family to use password managers?
Some days it seems like hackers are leaking passwords out from every corner of the internet. Password security is something that a lot of us need to take more seriously and there are a number of tools aim to make it much easier. Hopefully, you're using something to generate unique passwords for the services you use. How do you convince your closest friends and family to do the same? Head over to the Engadget forums and share your stories.
Recommended Reading: The life of a professional dumpster diver
Recommended Reading highlights the best long-form writing on technology and more in print and on the web. Some weeks, you'll also find short reviews of books that we think are worth your time. We hope you enjoy the read. The Pro Dumpster Diver Who's Making Thousands Off America's Biggest Retailers Randall Sullivan, Wired Dumpster diving sounds pretty gross, right? Well, what if I told you there are thousands of dollars to be made rummaging through trash? That's exactly what Matt Malone is doing, and if he did it full-time, he claims he could rake in around $250,000 from his exploits.
Daily Roundup: Windows 10, weak passwords, SpaceX and more!
Microsoft will unveil Windows 10 to the masses tomorrow, giving us a closer look at what the folks in Redmond have been working on. Meanwhile, everyone on the internet is still using weak passwords like "123456" and Google decided to drop some serious money on SpaceX. Get all the details on these stories and more in today's daily roundup.
LastPass goes native on Mac for password management
LastPass has finally expanded from your browser and your iOS device onto your desktop with its new native app in the Mac App Store. The app brings all of the power of the mobile app to your computer, from password storage to form-filling and secure note sending. If you have already been using the LastPass browser plugins, the presence of a native, offline-capable Mac app provides some parity with the "big kahuna" password manager on the platform, the popular 1Password. By connecting with your LastPass account, the app allows you to seamlessly share data and passwords between all your computers and browsers; while iCloud Keychain does a fine job between OS X and iOS for Safari, it certainly won't play nicely with browsers like Chrome or Firefox, or Android and Windows devices. LastPass, by contrast, is enthusiastically cross-platform, with editions for Internet Explorer on Windows, browsers on Linux, the Opera browser and even the Blackberry. It's also popular with enterprise IT departments, where it's possible to administer the app centrally and enforce baseline security requirements. The Mac app for LastPass includes some special features, like a security challenge tool and a password generator to help you come up with a secure and obscure password (thereby avoiding the shame and general ridicule of seeing your password on a very special list). It allows you to add new passwords and sites to your account quickly and easily. Like the browser plugins, the Mac app syncs with the contents of your online password vault, so you can easily access your key security information wherever you are. The app doesn't charge you for installation, but for $11.99 per year the Premium subscription to LastPass includes unlimited mobile access (with offline caching), family folders for shared logins, and multifactor authentication options. Setting up a LastPass account is easy and free.
Please don't use these passwords. Sincerely, the internet
You may have protected your personal data with strong passwords, but when hackers seize control of other computers, the resulting "botnets" can cause plenty of collateral damage. The depressing part is that one of the biggest holes is the easiest to fix: terrible passwords. SplashData has just released its annual list of the worst ones (gleaned from hacked file dumps), and things haven't changed much over last year. The most common stolen password is still "123456," which edged out perennial groaner "password." Other top picks in the alphanumeric hall of shame are "12345678," "qwerty," "monkey" and new this year, "batman." According to security expert Mark Burnett, the top 25 (below) represent an eye-popping 2.2 percent of all passwords exposed.
Twitter trades passwords for phone numbers with Digits
At its mobile developer conference in San Francisco, Twitter just announced Digits, a brand-new way to log in to apps with just your phone number. Instead of going through the tedious process of signing up with an email and password or using one of many different social logins, all you need is to enter in your number. When you do, you'll get a confirmation code via SMS. Enter that in as well, and away you go; no need to remember passwords or go through CAPTCHAs. Digits is not based on Twitter at all; it's actually an entirely new product that developers can incorporate into their apps, be they Twitter-related or not. It's a key part of Fabric, Twitter's new mobile development kit that it's rolling out today. Digits is available for iOS, Android and the web, and it's available in 216 countries in 28 languages right now. Aside from Digits, Fabric includes several other tools that Twitter hopes developers will incorporate into their existing apps, such as Crashlytics, the crash-reporting tool that the company bought last year, and MoPub, its advertising platform. There's also something called TwitterKit, which finally brings system-level Twitter sign-on to Android, a service that's been on iOS for a while now. This means that you only need to sign on to Twitter once on an Android phone, and you'll be able to easily access all apps that require a Twitter login. Especially of note is that developers can now not only embed tweets in their apps, but also add the ability to compose and post tweets inside of them without having to launch the dedicated Twitter app.
Apple enables unique passwords for apps that tap into iCloud
Do you use third-party apps like Outlook that access Apple's iCloud but don't support two-factor authentication? You'll now be forced to enter a specific password for each one. Following a notorious celebrity hack, Apple updated iCloud with an extra security layer used to protect accounts by sending a four-digit code to your personal device. However, many third-party calendar, contact and email apps that access iCloud don't support two-factor, and could therefore expose your iCloud password -- and all your personal data -- to hackers. Apple said that if you're signed in to one of those apps when the change goes through today, you'll be signed out and forced to generate and enter a new password. To see how, check after the break or click here for more.
