passwords

Latest

  • Watch out: eBay vulnerability leads to phishing log-in page

    by Sean Buckley
    09.19.2014

    Thinking about picking up a used iPhone on eBay? Shop carefully, friends: it's apparently phishing season. The BBC is reporting some auction listings are redirecting to counterfeit eBay login pages -- fronts for phishing scams designed to steal customer usernames and credit card information. The good news is that eBay isn't technically hacked. The online marketplace allows sellers to use scripting to gussy up item listings. Cross-site scripting is generally not allowed, but these scammers are doing it anyway.

  • Feedback Loop: Crowdfunding perils, dying passwords, cameras and more!

    by Dave Schumaker
    07.19.2014

    It's time for the latest edition of Feedback Loop! We discuss the dark and sometimes disappointing side of crowdfunding, ponder whether passwords are dying, look for point-and-shoot camera suggestions, share the cheapest ways to get HBO and talk about overly hyped gadgets. Head past the break to talk about all this and more with your fellow Engadget readers.

  • Engadget Daily: Ads on your thermostat, eBay's password breach and more!

    by Dave Schumaker
    05.21.2014

    You might say the day is never really done in consumer technology news. Your workday, however, hopefully draws to a close at some point. This is the Daily Roundup on Engadget, a quick peek back at the top headlines for the past 24 hours – all handpicked by the editors here at the site. Click on through the break, and enjoy.

  • LastPass for Android can now fill your app logins in for you

    by Jamie Rigg
    03.26.2014

    You may know LastPass, the cross-platform password manager, as a safe haven for website login details and common form info. Now, as well as playing nice with Chrome for mobile devices, the latest version of LastPass for Android can fill in app login data for you, too. Once it's updated and you've authorized this new feature, loading up an app with a username / password prompt will trigger a pop-up with suggested login credentials you can choose to inject. Chances are, however, you'll need to tell LastPass which of the logins stored in your vault the mobile app wants -- you can also share your selection if you'd like to help it learn common associations. Because apps are often mobile portals for services you'd load up inside a browser on your computer, it makes sense. Then again, we can't say we sign in and out of apps enough to justify $12 per year for the premium service LastPass' mobile apps require.

  • One million Forbes accounts reportedly stolen in Syrian Electronic Army hack

    by Matt Brian
    02.16.2014

    Having already targeted several big name news organizations, the Syrian Electronic Army has hit another, this time publishing a reported one million user credentials from business site Forbes.com. Re/code reports that the group posted various messages to its Twitter account claiming responsibility for the attack, sharing a screenshot of the site's publishing system and indicating it accessed a Forbes employee's accounts in order to do so. Forbes, meanwhile, has confirmed the compromise, prompting users to change their passwords and be on their guard for a potential increase in targeted phishing attacks. While passwords were hashed (not stored in plain text), they may not be safe from enterprising third parties. The site has since returned to normal, but the company says it's in contact with law enforcement to identify exactly what happened. Between this and the recent Kickstarter hack, it's been a lousy few days for database administrators.

  • Google buys SlickLogin, looks to swap passwords for inaudible sound waves

    by Matt Brian
    02.16.2014

    If Google's latest acquisition is anything to go by, entering a password on a website could soon be as easy as placing your smartphone near your computer. Israeli startup SlickLogin confirmed today it has become the latest company to join Mountain View's ranks (although it'll work from Google's local offices), bringing its patented sound-based smartphone technology with it. While neither party has disclosed much information, Google's intentions seem clear: the company already offers its two-factor authentication tech free to everybody, but it can be a pain to enter a six-digit authentication code (which changes every minute). SlickLogin's system, however, requires no additional technology: just place your phone near your computer and inaudible sounds played through the speakers take care of the rest. The Israeli team says Google is already "working on some great ideas that will make the internet safer for everyone," except maybe from your dog, who could hear all of your future passwords.

  • Password security at Apple.com is a level above the rest

    by Yoni Heisler
    01.28.2014

    Given the recent data breach at Target -- where more than 100 million customers' credit card information was stolen -- consumers who like to frequent and shop at Apple.com might be glad to know that when it comes to e-retail security, Apple is top-notch. The news comes from Dashlane research, which took a look at the password policies of the top 100 e-retailers in the US from January 17 through January 22.

    The roundup assesses the password policies of the top 100 e-commerce sites in the US by examining 24 different password criteria that Dashlane has identified as important to online security, and awarding or docking points depending upon whether a site meets a criterion or not. Each criterion is given a +/- point value, leading to a possible total score between -100 and 100 for each site. When the dust settled, Apple sat atop the list with a perfect score of 100. Notably, the rest of the competition trailed far behind, with Newegg, Microsoft and Chegg tying for second place with a score of 65. Target, meanwhile, came in third with a score of 60.

    In assessing the password policies of various e-retailers, one of the metrics the study looked at was how stringent the password-creation policies were at each particular site. For instance, the study found that more than 55 percent of retailers allow users to pick common passwords such as "password," "123456" and "12345678." Further, a whopping 70 percent of e-retailers let customers choose the password, "abc123." Compounding matters, only 61 percent of sites informed users on how to create a strong password, while "93 percent do not provide an on-screen password strength assessment."

    The study also looked at how each e-retailer handled multiple incorrect login attempts. Surprisingly, a number of big-name retailers -- including Amazon, Macy's and Best Buy -- all allow users to re-enter their login credentials even after 10 failed attempts. This is a particularly interesting data point to look at because e-retailers often struggle to find the right balance between password security and avoiding a burdensome user experience. On this note, Dan Goodin of Ars Technica brings up a good point regarding areas where Dashlane's research could have provided more depth:

    The study also didn't gauge several important criteria that are crucial for safeguarding passwords. For instance, do any of the sites allow users to enter passwords through unencrypted HTTP connections? Are password reset links available in HTTP? Do any of the sites allow users to reset passwords using easily guessed security questions? And are passwords hashed using a slow algorithm such as PBKDF2 when they're stored in databases? Also, as Ars has explained before, many meters gauging the strength of user passwords aren't worth the bits they run on. Poorly implemented meters do users a disservice by giving them a false sense of security. Dashlane researchers do nothing to separate effective ones from ineffective ones. Also noticeably absent is any measure of which sites offer two-factor authentication.

    Lastly, the study further highlighted which big-name e-retailers achieved scores at or below minus 30. This grouping includes sites like Amazon, Walmart, Groupon, Disney and Ralph Lauren.

    Via Ars Technica

  • Finding passwords saved in Chrome is surprisingly easy, Google security lead sees no issue

    by Jamie Rigg
    08.07.2013

    Most browsers will ask if you want your passwords saved so when you're next jumping around the web, logging into sites is that bit easier. Of course, you'd like to think those passwords are squirreled away where no one can dig them up, but in Chrome they're pretty easy to find. As highlighted by software developer Elliott Kember recently, getting access to the list of saved passwords requires only that you point the browser at "chrome://settings/passwords" (or simply find the password management option in advanced settings) and click on one of the saved entries. A small "show" button will then appear next to the hidden password -- hit that and it'll be revealed. Calling this a major security flaw, as some have, is obviously a tad sensationalistic. Nevertheless, recent attention has shown that making saved password access so simple is a concern for some. Several other browsers give users the option to protect that list with a master password, but Chrome does not -- even if you sign out of the browser, data linked to your Google account remains visible on that computer. Justin Schuh, Chrome security tech lead, has responded to internet chatter on the topic, saying that once past the OS login stage, someone can theoretically find your passwords and all manner of other browser info out anyway, using various underhand means. His statement isn't likely to calm those who'd like to see their passwords more secure, but perhaps the fact people are talking will force Google to consider some changes. Update: This post has been edited with some additional context and commentary.

  • Zoho announces Zoho Vault, provides a hub for businesses to manage passwords

    by Edgar Alvarez
    05.31.2013

    Zoho's more commonly known around the interwebs for its document editing tools, but today the service is launching a product that's a little more business-oriented than its Office suite. With the newly introduced Zoho Vault, the company's hoping to give business owners a centralized repository where they can easily manage their passwords online -- something slightly similar to what LastPass offers. Of course, security will likely be very important for potential customers, and Zoho says it'll be able to keep a rigorous lockdown by implementing things such as Host-Proof Hosting, a measure which encrypts passwords at the browser and stores only encrypted data on the server. The Personal Edition of Zoho Vault is available now for free and can be accessed by one person, while the Enterprise Edition costs a mere $1 per month, offers an iPhone app and supports unlimited users.

  • PayPal's chief information security officer says passwords' days are numbered

    by Mark Hearn
    05.11.2013

    Recently speaking at the Interop IT conference, PayPal's chief information security officer, Michael Barrett, stated that passwords and PINs were operating on borrowed time. Barrett hopes to replace online security keys with a setup that's a blend of software and hardware-based identification. He also serves as president of the Fast Identity Online Alliance (FIDO) -- the organization's focus is to combine an effective mix of software (passwords and plugins) and hardware (USB drives and fingerprint scanners) for user authentication. PayPal's technology boss didn't allude to his company adopting these new types of security systems for its customers anytime soon. Instead he announced that FIDO-enabled devices will be hitting the market sometime this year. Progress, yes, but until this hardware becomes more widely available, it's likely that you'll be spending more time getting acquainted with two-step logins.

  • Google joins the FIDO Alliance, supports its two-factor authentication standard

    by Alexis Santos
    04.24.2013

    Google's already investing in two-factor authentication, but it's making a bigger commitment to the security method by joining the FIDO (Fast IDentity Online) Alliance's board of directors. Founded in part by heavyweights Lenovo and PayPal, the group envisions a future where an open standard developed by it will lead to interoperable two-step security that can log users into sites and cloud apps across the web -- not to mention replace passwords as we know them. While support for USB keys is certainly in the works, the group expects to throw its weight behind the likes of NFC, voice and facial recognition, fingerprint scanners and more. There's no telling how soon FIDO's efforts will bear fruit, but the search titan's support ought to help move things along. [Image credit: Marc Falardeau, Flickr]

  • Editorial: Countering ID theft requires better awareness campaigns

    by Brad Hill
    03.05.2013

    Evernote's massive password reset last week was the most recent demonstration of leaky security around consumer locks and keys. Dropbox, LinkedIn, Twitter and others preceded the Evernote action. These anxiety-producing consumer annoyances occur over a backdrop of increased cyber-attack news. Chinese hackers are spotlighted in many recent disruptions, substantiated by Akamai's report of originating-attack countries for Q3 2012, which shows China's percentage of worldwide cyber exploits doubling from the previous quarter. Precautionary password resets, as in the Evernote case, are minor aggravations. But the larger danger of password insecurity and increased cyber-malice is the swift domino effect that can lead to identity theft of the Mat Honan variety. Absolute personal cyber-security is probably a mirage. But there is not enough public education from industry that might reduce millions of easy targets.

  • Evernote issues site-wide password reset after hackers access user details

    by James Trew
    03.02.2013

    Popular cross-platform note-storing service Evernote has revealed in a blog post that it has been the subject of hacking attacks. The operations and security team is keen to point out that there is no evidence that any stored notes and content were accessed, but that some user information -- including passwords and emails -- was. The data breached does benefit from one-way encryption (hashed and salted), but the firm is issuing a site-wide password reset just in case. In short, all users of the site will be required to set a new password, and are advised to log in as soon as possible to do so. For more details and updates, we suggest keeping a close eye on Evernote's official blog and Twitter, both of which can be found below.

  • Some PlanetSide 2 European accounts have been compromised [Updated]

    by Justin Olivetti
    02.26.2013

    You know the drill, people: Accounts hacked, time to change those passwords ASAP. Who's affected this time around? It's the runners-and-gunners of PlanetSide 2 in Europe. Email addresses and passwords for some accounts were exposed, and affected players have been notified that they should create a new secret code so that the unwashed hackers don't gain entry to personal accounts elsewhere. ProSiebenSat.1 issued the warning last night: "We have ascertained that there was recently unauthorized third-party access to one of our systems. The possibility that your data (email address and password) has been accessed by an unauthorized third party cannot be excluded. We were able to detect the problem promptly and took all necessary action to rectify the issue." The company said that account data are encrypted and issued instructions on how to change your password if this impacts you. No European SOE PlanetSide 2 accounts were affected by the intrusion. [Thanks to the mighty Tandor for the tip!] [We've updated the article to clarify that only some PSS1 accounts were affected. SOE's European accounts are in the clear.]

  • myIDkey biometric password flash drive hits Kickstarter

    by Brian Heater
    02.20.2013

    Is it possible to remember all of one's passwords without the aid of a biometric Bluetooth flash drive? Possible, sure, but it's certainly getting harder and harder as the number of services we depend on continues to increase exponentially. Arkami has been floating its solution around for a bit, showing off its progress at CES and the like, and now the company is ready to get the public involved (or, the public's money, rather) by way of a newly opened Kickstarter campaign for myIDkey. The thumb drive stores passwords across various services, letting you take 'em on the run. There's a fingerprint scanner on-board, which unlocks the device, and a microphone, which lets you search for specific ones by voice. Plug the drive into your PC and it will autofill your passwords as needed, and if you're unlucky enough to lose it, you can instantly deactivate its contents. Peep the source link below to check out -- and, perhaps, support -- the company's $150,000 campaign.

  • Jawbone says 'limited' number of MyTALK accounts hacked

    by Steve Dent
    02.13.2013

    If you have a Jawbone headset and MyTALK account, you may have received an email from the outfit warning that you'll need to reset your password due to a security compromise in a "limited" number of accounts. The company said it halted the hack after "several hours," however, and that thieves only stole names, email addresses and encrypted passwords -- but no other user information, so far as it can tell. If affected, you'll need to reset your password by following the instructions (in the PR after the break), and Jawbone also advised you to change it on other sites too, if used elsewhere -- never a good practice, incidentally. [Thanks to everyone who sent this in.]

  • ArenaNet implementing mandatory password change for Guild Wars 2 players

    by Shawn Schuster
    01.31.2013

    If you've logged in to Guild Wars 2 lately and have seen a bright red banner at the top of your launcher suggesting that you change your password, your time is almost up. On February 7, 2013, all players who haven't changed their password since September 12, 2013 will need to choose a new password before playing the game. Interestingly enough, ArenaNet has compiled a blacklist of passwords that have been exploited by hackers in the past, so you might be out of luck trying to use "12345" or "password" or even "massivelyisawesome." Head on over to the account management site to change your password today.

  • LastPass password manager updated with Windows Phone 8 support, all-new UI

    by Edgar Alvarez
    01.16.2013

    LastPass, the password-managing service, announced that it's added many features in a new version released today for its Windows Phone application. Most notably, LastPass now offers support for Windows Phone 8, while those running an older variant of Microsoft's mobile OS can keep using the app as they have been since its early days on the platform. Other improvements and enhancements include a completely overhauled user interface, which should make it easier for users to navigate within the application, as well as easily find their most preferred sites by sorting alphabetically or adding them to the "Favorites" panel. The new version of LastPass is up for download now, so go and tap that source link if you're looking to keep those (many) passwords of yours all tidied up in one place.

  • Report: Wii U Netflix app doesn't have '@' symbol in password entry

    by Jessica Conditt
    11.19.2012

    The Netflix app on Wii U is a large draw for those expecting increased versatility via a second screen, heightened by the fact that it launched on day one, unlike Wii U's TVii service. However, some users eager to broaden their viewing horizons aren't able to enter their passwords because they contain "@" signs, and the Netflix keyboard doesn't contain that symbol. Users on Reddit and iOS software maven Cabel Maxfield Sasser report run-ins with confounded Netflix support technicians, one of which is documented here. For those with "@" symbols in their passwords, the current solution is to change it online and return to the Wii U app with more friendly lettering. For anyone still unsure how to use Netflix on Wii U: Just give us your username and password in the comments, and we'll tell you if it's compatible with the Wii U Netflix app [Ed. Note: No, don't trust Jess – or anyone else – with this information!].

  • This is the Modem World: I hate passwords

    by Joshua Fruhlinger
    09.26.2012

    Each week Joshua Fruhlinger contributes This is the Modem World, a column dedicated to exploring the culture of consumer technology. I get it: The Internet is a dangerous place. People want my stuff. There are bad people out there, yadda yadda yadda. But the password requirements and security verification processes in place are Kafkaesque, mind-bending, and straight-up annoying. Every time I need to access my online mortgage account, I am forced to reset my password because, without fail, I enter the wrong one three times. I couldn't tell you what my Apple ID is because it has an even itchier verification trigger finger, especially when you have more than one device accessing the same account. Get it wrong on one, and all your devices are borked.