Articles about passwords

Boffins bypass password protection with pilfering by phony programs

Password managers on mobile devices can be tricked by imposter apps into handing over a user's passwords. This is according to a paper [PDF] from researchers with the University of Genoa and EURECOM, who found that the Android Instant Apps feature can ask for, and receive, stored credentials from password managers …
Shaun Nichols, 26 Sep 2018

No, eight characters, some capital letters and numbers is not a good password policy

Internal cybersecurity audits rarely make it to the public domain, but when they do it’s often an eye-popping read. Take the Western Australian (WA) Auditor General’s recent 2017 report on the state of user account security in an Aussie state which tends a mammoth 234,000 Active Directory (AD) accounts across 17 state agencies …
John E Dunn, 28 Aug 2018

'Surprise!' West Oz gummint is hopeless at information security

Western Australia's auditor general is blinking in disbelief, after an audit of the state's password practices turned up just how many people use bad passwords. Yes, friends, password123 and abcd1234 remain popular among government employees, and the agencies covered by the audit don't block them. Yesterday, the office tabled …

Putting the ass in Atlassian: Helpdesk email server passwords blabbed to strangers

Exclusive Atlassian has warned users of its Jira Service Desk toolkit to change their helpdesk email account passwords – after a glitch caused the credentials to be sent to strangers' servers. Customers were today sent an advisory, seen by The Register, from Atlassian explaining that, due to a long-standing bug in its IT helpdesk …
Shaun Nichols, 2 Aug 2018

Leatherbound analogue password manager: For the hipster who doesn't mind losing everything

News reaches us that will leave password management outfits quaking in their boots. The Conran Shop has a solution for forgetful users, and it is a snip at a mere £22. Users need to remember a bewildering array of passwords just to get through an average day, which can lead to some pretty shoddy practices as revealed in the …
Richard Speed, 9 Jul 2018

Infosec bod wagers web bookie BetVictor is lax on password protection

Updated Gambling site BetVictor has been caught leaving what appears to be the administrator credentials for its website out on the public internet. Security researcher Chris Hogben today said the Gibraltar-based betting site had left help articles online that included usernames and passwords for its internal systems. His secret for …
Shaun Nichols, 27 Jun 2018

Israel cyber chief's 'pants' analogy for password security deemed, well, 'pants'

Israel's newly appointed cyber chief has raised eyebrows by offering questionable password advice during a high-profile presentation. Yigal Unna, Director General, Israel National Cyber Directorate, joked that passwords should be treated like underpants: changed often and never shared. His point was contained in a slide …
John Leyden, 26 Jun 2018

Password re-use is dangerous, right? So what about stopping it with password-sharing?

Two comp-sci boffins have proposed that websites cooperate to block password re-use, even though they predict the idea will generate "contempt" among many end users. Their expectation is founded on experience: Troy Hunt's HaveIBeenPwned is useful because so many people reuse passwords, and it currently claims to record more …

It's World (Terrible) Password (Advice) Day!

It's World Password Day! And you know what that means: all the effort you've put into trying to persuade people to rethink how they do passwords turns to mush because some company sees a PR opportunity and floods social media with terrible advice. This year's award for Terrible Password Advice goes to the wireless industry's …

Twitter: No big deal, but everyone needs to change their password

Twitter is ringing in World Password Day by notifying its users, all 330 million of them, that their login credentials were left unencrypted in an internal log file and should be changed. Chief technology officer Parag Agrawal broke the news on Wednesday that its internal team had found that, while passwords are usually stored …
Shaun Nichols, 3 May 2018

Hyperoptic's ZTE-made 1Gbps routers had hyper-hardcoded hyper-root hyper-password

A security vulnerability has been found in Brit broadband biz Hyperoptic's home routers that exposes tens of thousands of its subscribers to hackers. The gigabit provider's routers are made by ZTE, the Chinese electronics giant that American and British spy agencies have sounded an alarm over. The United States has also …
Kat Hall, 26 Apr 2018

Critical infrastructure needs more 21qs6Q#S$, less P@ssw0rd, UK.gov security committee told

Banks could plug their security vulnerabilities by simply improving password protections, the deputy CEO of the Prudential Regulation Authority has told the House of Lords in England. Asked by the Joint Committee for the National Security Strategy what kept him awake at night, Lyndon Nelson named shared infrastructure and …
Kat Hall, 24 Apr 2018

Hop to it, bunnies: TaskRabbit breach means new passwords

IKEA's TaskRabbit app and website, which links buyers with Allen key experts and other errand-runners, remain offline a day after the company announced a data breach. Ominously, the operation's announcement (currently in place of its home page) advises users that if they re-use their username or password on …

Android apps prove a goldmine for dodgy password practices

BSides SF An analysis of free Android apps has shown that developers are leaving their crypto keys embedded in applications, in some cases because the software developer kits install them by default. Will Dormann, software vulnerability analyst at the CERT Coordination Center (CERT/CC), told the BSides conference in San Francisco that …
Iain Thomson, 16 Apr 2018

What most people think it looks like when you change router's admin password, apparently

The vast majority of punters are potentially leaving themselves exposed to miscreants by failing to change the password and security setting on their routers - according to a survey. Some 82 per cent said they had never changed their administrator password, a poll of 2,205 people by Brit comparison website Broadband Genie …
Kat Hall, 12 Apr 2018

No password? No worries! Two new standards aim to make logins an API experience

A pair of authentication standards published this week have received endorsement from Mozilla, Microsoft and Google: the WebAuthn API, and the FIDO Alliance's Client-to-Authenticator Protocol. The aim of WebAuthn and CTAP is to offer an authentication primitive that doesn't rely on server-stored passwords, since a user's …

T-Mobile Austria stores passwords as plain text, Outlook gets message crypto, and more

Roundup While Facebook caught most of the security-related flak this week, there were other infosec stories out there. Here's a summary of stuff happening, beyond what we've already covered. Don't get pwned. Word. Dude Microsoft, which used to be a byword for insecure software until Bill Gates' trustworthy computing memo that turned …
Iain Thomson, 7 Apr 2018

Badmins: Magento shops brute-forced to scrape card deets and install cryptominers

Hackers have compromised hundreds of e-commerce sites running the popular open-source Magento platform to scrape credit card numbers and install crypto-mining malware. The Magento sites are being compromised through brute-force attacks using common and known default Magento credentials, threat intel firm Flashpoint has warned …
John Leyden, 3 Apr 2018

Biting the hand that feeds IT © 1998–2018