Search the Community

Despite security experts constantly warning about the risks of reusing passwords, a shockingly high number of people still do just that - and to make matters worse, many are even writing them down on pieces of paper that can easily fall into the wrong hands. A new report from password management firm Bitwarden surveying 2,400 individuals from the US, UK, Australia, France, Germany, and Japan, ahead of World Password Day (May 2), on their password practices found a quarter admitted to reusing passwords across 11-20+ accounts. What’s more, a third (36%) put personal information in their passwords, information that can easily be obtained on social media (60%) and online forums (30%) (think birth dates, names of spouses, etc.). Also, 54% try to memorize all of their passwords, while a third (33%) write it down on a piece of paper they keep at home. Roughly half (48%) reuse passwords across workplace platforms or accounts “frequently, or rather frequently”. 2FA on the rise Many (19%) have experienced data loss, or another security breach, as a consequence of their poor password hygiene, the report further uncovered. A quarter (23%) confirmed having their passwords stolen, or otherwise compromised, in the past. At the same time, the majority is confident in their password practices. Almost two-thirds (60%) feel they would be able to identify a phishing attack, and 68% feel prepared to identify and mitigate AI-enhanced cyberattacks. Passwords for private accounts fare no better, either, Bitwarden found. The good news is that awareness about the importance of strong passwords is rising. Half (51%) of global respondents adopted a password manager at home, and are growing more security-conscious at work, as well. Another 45% said they now reuse passwords “less frequently”. Finally, 80% of global respondents now use more two-factor authentication (2FA) for personal accounts, and 66% use it for workplace accounts. More from TechRadar Pro Many firms still aren't using good passwords or authentication - and they're paying the priceHere's a list of the best firewalls around todayThese are the best endpoint security tools right now View the full article

There are widespread reports of Apple users being locked out of their Apple ID overnight for no apparent reason, requiring a password reset before they can log in again. Users say the sudden inexplicable Apple ID sign-out is occurring across multiple devices. When they attempt to sign in again they are locked out of their account and asked to reset their password in order to regain access. This has led to additional Apple ID issues for users with Stolen Device Protection enabled who are away from a trusted location, as well as any app-specific passwords previously set up in iCloud also being reset. As noted by 9to5Mac, user reports about the problem began appearing on social media at around 8 p.m. Eastern Time and became increasingly prevalent into the early hours of the morning. MacRumors staff members have also been affected by the service outage, which does not appear to have been picked up by Apple's own System Status webpage. We have contacted Apple for comment and will update readers if we hear back. Have you been affected by the Apple ID issue? Let us know in the comments.Tag: Apple ID This article, "Apple ID Accounts Logging Out Users and Requiring Password Reset" first appeared on MacRumors.com Discuss this article in our forums View the full article

Today, AWS AppFabric announces support for 1Password. Starting now, IT administrators and security analysts can use AppFabric to quickly integrate with 26 supported SaaS applications, aggregate enriched and normalized SaaS audit logs, and audit end-user access across their SaaS apps. View the full article

(Image credit: Shutterstock) If you’ve been using Google Chrome for the past few years, you may have noticed that whenever you’ve had to think up a new password, or change your existing one, for a site or app, a little “Suggest strong password” dialog box would pop up - and it looks like it could soon offer AI-powered password suggestions. A keen-eyed software development observer has spotted that Google might be gearing up to infuse this feature with the capabilities of Gemini, its latest large language model (LLM). The discovery was made by @Leopeva64 on X. They found references to Gemini in patches of Gerrit, a web-based code review system developed by Google and used in the development of Google products like Android. These findings appear to be backed up by screenshots that show glimpses of how Gemini could be incorporated into Chrome to give you even better password suggestions when you’re looking to create a new password or change from one you’ve previously set. Gemini guesswork One line of code that caught my attention is that “deleting all passwords will turn this feature off.” I wonder if this does what it says on the tin: shutting the feature off if a user deletes all of their passwords, or if this just means all of the passwords generated by the “Suggest strong passwords” feature. The final screenshot that @Leopeva64 provides is also intriguing as it seems to show the prompt that Google engineers have included to get Gemini to generate a suitable password. This is a really interesting move by Google and it could play out well for Chrome users who use the strong password suggestion feature. I’m a little wary of the potential risks associated with this method of password generation, similar to risks you find with many such methods. LLMs are susceptible to information leaks caused by prompt or injection hacks. These hacks are designed to trick the AI models to give out information that their creators, individuals, or organizations might want to keep private, like someone’s login information. (Image credit: Shutterstock/Gorodenkoff) An important security consideration Now, that sounds scary and as far as we know, this hasn’t happened yet with any widely-deployed LLM, including Gemini. It’s a theoretical fear and there are standard password security practices that tech organizations like Google employ to prevent data breaches. These include encryption technologies, which encode data so that only authorized parties can access it for multiple stages of the password generation and storage process, and hashing, a one-way data conversion process that’s intended to make data reverse-engineering hard to do. You could also use any other LLM like ChatGPT to generate a strong password manually, although I feel like Google knows more about how to do this, and I’d only advise experimenting with that if you’re a software data professional. It’s not a bad idea as a proposition and a use of AI that could actually be very beneficial for users, but Google will have to put an equal (if not greater) amount of effort into making sure Gemini is bolted down and as impenetrable to outside attacks as can be. If it implements this and by some chance it does cause a huge data breach, that will likely damage people’s trust of LLMs and could impact the reputations of the tech companies, including Google, who are championing them. YOU MIGHT ALSO LIKE... 'The party is over for developers looking for AI freebies' — Google terminates Gemini API free access Google has fixed an annoying Gemini voice assistant problem – and more upgrades are coming soon Google Gemini is its most powerful AI brain so far – and it’ll change the way you use Google View the full article

Security is one of the biggest issues facing businesses of all sizes today, with new threats and cyberattacks hitting the headlines seemingly every day. It may sound obvious, but using a strong and unique password remains one of the most effective ways to keep your systems and data safe and secure, providing stringent safeguards to keep hackers and criminals at bay. But with so many different passwords to remember for so many different online services, dealing with passwords can sometimes feel like a huge amount of pressure, and might lead your workers to taking the easy-to-remember route, potentially putting your business at risk of attack. So if you're looking to lessen password fatigue across your organization, you need a password manager that's not only well-protected, but easy to use and intuitive as well - and Passwork could be the partner for you. (Image credit: Passwork) Passwork is specifically designed to solve workplace password woes, targeting pain points around security that keep IT admins awake at night. The platform stores all data on your company servers, meaning nothing is transferred to the cloud, where it might fall victim to attack or breach. Data is secured using the super-secure AES-256 algorithm, and can run across PHP and MongoDB, and installed on Windows or Linux, either with or without Docker. Access is governed by administrators who are able to manage and grant permissions, track password changes and usage, and can even conduct security audits, meaning your protections are all managed in-house, without external systems or figures being involved. (Image credit: Passwork) Once set up, your administrator can control exactly who has access to which systems, with the ability to invite colleagues and add access rights across different services where required. If a new employee joins your business, you can quickly set them up with the tools and passwords they need, without needing to carry out lengthy onboarding, allowing them to get up to speed quickly. And if an employee leaves the business, their access to your files and systems can be easily and quickly restricted, with affected passwords quickly flagged to be changed, this will eliminate possible risks in such a situation. (Image credit: Passwork) Passwork looks to be incredibly accessible and flexible too — a browser extension means administrators and users alike can quickly access the platform while working, while a mobile app also gives access on the go for those workers who may be travelling a lot. Passwork has already been trusted by hundreds of businesses around the world, and also prides itself on its openness — the company's source code is open, meaning it can be examined for any flaws or vulnerabilities. So if you're looking to upgrade your security protections, Passwork could be the ideal first step — to find out more, visit its website here. View the full article

Retro tech enthusiast Bob Pony recently shared an image of an old Toshiba Satellite laptop’s parallel port sprouting a tangle of contorted paperclips - showcasing an unofficial BIOS reset method. View the full article

Disney plans to start cracking down on Disney+ password sharing starting in June, Disney CEO Bob Iger said in an interview with CNBC earlier this week. Iger said that Disney needs to turn its streaming business into a growth business, and one way to do that is to force households that are sharing passwords to sign up for their own accounts. "In June, we'll be launching our first real foray into password sharing," said Iger. "Just a few countries and a few markets, but then it will grow significantly with a full rollout in September." Iger did not clarify where the password sharing lockdown will start, but it sounds like it will be largely worldwide when September rolls around. Disney+ competitor Netflix put a stop to multi-household password sharing in 2023, and it ended up being a major revenue driver for the company. Netflix saw strong subscriber growth, gaining 8.8 million new subscribers in Q3 2023 after cracking down on password sharing. Iger said that he admires what Netflix has done, calling the company the "gold standard in streaming." Netflix is the gold standard in streaming. They've done a phenomenal job in a lot of different directions. I actually have very, very high regard for what they've accomplished. If we can only accomplish what they've accomplished, that would be great. Disney+ launched in 2019, and since then it has grown into the number two streaming service in terms of subscribers after Netflix. Prior to when Iger returned to Disney 2022, Disney+ was bleeding money as Disney focused on subscriber growth. Disney+ will see its first profitable quarter in the fourth fiscal quarter of 2024 under Iger's leadership. Disney's streaming service has more than 110 million subscribers worldwide, and it has been integrating Hulu content into Disney+ in order to boost customer engagement. Disney+ is now priced at $10.99 per month for an ad-free subscription, or $7.99 for a subscription with ads.Tags: Disney, Disney Plus This article, "Disney+ Password Sharing Crackdown to Start in June" first appeared on MacRumors.com Discuss this article in our forums View the full article

The White House put out an official letter warning of severe cyberattacks directed at water and wastewater infrastructure across the country. The post Strong Passwords: A Keystone of Cybersecurity for Water and Wastewater Infrastructure appeared first on Enzoic. The post Strong Passwords: A Keystone of Cybersecurity for Water and Wastewater Infrastructure appeared first on Security Boulevard. View the full article

AT&T has initiated a mass reset of millions of customer account passcodes following a reported data breach. The post Millions Impacted in Mass Passcode Reset of AT&T Accounts appeared first on Enzoic. The post Millions Impacted in Mass Passcode Reset of AT&T Accounts appeared first on Security Boulevard. View the full article

American telecommunications behemoth AT&T has finally confirmed the authenticity of the 2021 data breach that spilled sensitive user information on the dark web, and has initiated a mass reset of user passcodes. Roughly three years ago, privacy blog RestorePrivacy broke the news of a hacker selling sensitive data belonging to more than 70 million AT&T customers. The data allegedly contained people’s names, phone numbers, postal addresses, email addresses, social security numbers, and dates of birth. While AT&T initially denied the breach, saying the data wasn’t from the company, the hacker, going by the name “ShinyHunters” said the organization will likely continue denying until they leak it all. Mass reset Surely enough, last month, a seller published the full database, affecting 73 million people - and TechCrunch analyzed the database, confirming its authenticity, and also establishing that it contained user passcodes, prompting a swift alert towards AT&T. Passcodes are four-digit numbers that work as the second security layer, and are used to access user accounts. Even though they were encrypted, some researchers argued that it is something that can be worked around. Apparently, there is not enough randomness in the encrypted data, which means that in theory, a threat actor could guess the passcode. It seems the threat is more than just theoretical, as AT&T initiated a mass-reset of the passcodes over the weekend. “AT&T has launched a robust investigation supported by internal and external cybersecurity experts,” the company said in a statement published on Saturday. “Based on our preliminary analysis, the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders.” “AT&T does not have evidence of unauthorized access to its systems resulting in exfiltration of the data set,” the statement said. While the telco did confirm the breach, it says that it still doesn’t know where the data came from, whether it was directly from its servers, or from its vendors. More from TechRadar Pro Hot Topic confirms multiple new cyberattacks — customer details and payment info exposed onlineHere's a list of the best firewalls around todayThese are the best endpoint security tools right now View the full article

Networking giant Cisco has warned its users of an ongoing attack against its business VPN services. In a security advisory, Cisco said it had been notified of an ongoing password-spraying attack against different third-party VPN concentrators. In this instance, it was Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall that were affected. Russian attackers “Depending on your environment, the attacks can cause accounts to be locked, resulting in Denial of Service (DoS)-like conditions,” Cisco explained, saying that the activity appears to be a reconnaissance effort. The threat actors were not named. Password spraying is a type of attack in which the threat actor tries the same password with multiple accounts, until one combination works. Listing its set of defenses and mitigations, Cisco recommended enabling logging to a remote syslog server for improved correlation and auditing of network and security incidents across various network devices; securing default remote access VPN profiles by pointing unused default connection profiles to sinkhole AAA servers; leveraging TCP shun to manually bloc dangerous IP addresses, configuring control-place ACLs to block unauthorized public IP addresses from running VPN sessions; and using certificate-based authentication for RAVPN. Security researcher Aaron Martin claims the attack was likely the work of an undocumented malware botnet named Brutus. He made the connection after observing the malware’s targeting scope and attack patterns, it was said. In his analysis of the botnet, Martin said it counts some 20,000 IP addresses worldwide. At first, the attacks targeted SSLVPN appliances from Fortinet, Palo Alto, SonicWall, and Cisco, but have since evolved to include web apps using Active Directory for authentication, too. To avoid raising any flags, Brutus rotates its IPs every six attempts. Although inconclusive, some evidence points to Brutus being the work of APT29, an infamous Russian state-sponsored threat actor. Via BleepingComputer More from TechRadar Pro What is credential stuffing, and how does it work?Here's a list of the best firewalls around todayThese are the best endpoint security tools right now View the full article

PlayStation account owners will soon be able to start using a passkey as an alternative to a password when logging into a PlayStation account on the web, in an app, or on a PlayStation device. Passkey integration is set to be introduced at some point today, and users will be able to log in and authenticate their accounts with Face ID, Touch ID, or a device passcode on an iPhone. Passkeys are considered more convenient and secure than a traditional password, with sign-ins streamlined through biometric authentication. Passkeys are resistant to online attacks such as phishing because there's no password to steal and no one-time SMS code that can be intercepted. Apple has supported passkeys since 2022, and passkeys are available on iOS 16 and later, iPadOS 16 and later, and macOS Ventura and later. Many companies have been implementing support for passkeys, including Twitter, Google, PayPal, Best Buy, Microsoft, and eBay.Tag: Passkeys This article, "PlayStation Adds Support for Passkeys as Password Alternative" first appeared on MacRumors.com Discuss this article in our forums View the full article

Some of the most popular mobile password managers on Android have a serious security flaw that could cause the worst problem possible for users - leaking their credentials. Known as "Autospill," the vulnerability involves a bug in the autofill function on Android devices. It was discovered by researchers at the International Institute of Information Technology (IIIT) Hyperabad, who presented their findings at the recent Black Hat Europe conference. Autospill security risk The problem arises when an app login page is loaded in WebView, which is Google's engine for letting developers display web content inside an app without going into a browser. This confuses the password manager about where to autofill the password, and instead it can mistakenly "expose the credentials to the base app," Ankit Gangwal, one of the researchers involved, told TechCrunch. What it should do is autofill a user's credentials in the WebView login page that appears in the app. Gangwal cautions that this poses a significant threat in the case of malicious apps, as they could exploit the flaw to gain a user's credentials automatically, without the need to run phishing campaigns. The password managers that the researchers claim to have tested the flaw on include 1Password, LastPass, Keeper, and Enpass - some of the most popular and best password managers around. They also said that the Android devices they used were new and up-to-date. Apparently, most of the aforementioned apps were vulnerable to Autospill, even when JavaScript injection was disabled. When enabled, however, all of them were susceptible to the flaw. Google and the relevant password managers have been notified of the flaw. 1Password told TechCrunch that it will be working to fix the flaw, while Keeper asked for a video demonstration of the flaw in action. After seeing it, Keeper CTO Craig Lurey believed that, "the researcher had first installed a malicious application and subsequently, accepted a prompt by Keeper to force the association of the malicious application to a Keeper password record." Lurey further defended the security posture of Keeper by saying it has, "safeguards in place to protect users against automatically filling credentials into an untrusted application." He also advised the researchers share their findings with Google, as the problem relates to the Android platform specifically. LastPass told TechCrunch that it already had a pop-up warning in place to alert users of potential autofilling dangers, but in light of the research said it will now add "more informative wording" to the notification. The researchers said they will be testing the flaw on iOS devices too. Update 12/8: Since the publication of this article, A Google spokesperson reached out to TechRadar Pro to explain that the flaw, "is related to how password managers leverage the autofill APIs when interacting with WebViews. We recommend third-party password managers be sensitive as to where passwords are being inputted, and we have WebView best practices that we recommend all password managers implement. Android provides password managers with the required context to distinguish between native views and WebViews, as well as whether the WebView being loaded is not related to the hosting app." MORE FROM TECHRADAR PRO These are the best identity theft protection tools aroundiPhone and Mac users beware - this dangerous new iOS and macOS security flaw might see you give up your password without knowingExploring the risks and benefits of password managers View the full article

This Safari vulnerability has not been exploited in the wild. Apple offers a mitigation, but the fix needs to be enabled manually.View the full article

I try not to write about ongoing work—if it is important enough to blog about then it is important enough to write about in the work product, and blog about something else. But every once in a great while, the need overrides my simple rule. After all, zealous adherence to rules is not really a […] The post The Other Reasons for Password Management appeared first on DevOps.com. View the full article

Short for Secure Shell, SSH is a secure network protocol that encrypts traffic between two endpoints. It allows users to securely connect and/or transfer files over a network. SSH is mostly used by network View the full article