Category: Passwords
New research released by Specops Software outlines the most common Fortune 500 company names that show up in compromised password data. The Specops research team analysed an 800 million password subset of the larger Breached Password Protection database to obtain these results. Among the top ten, popular household names like Coca-Cola (16,710 appearances), Starbucks (3,800 appearances) and McDonald’s (2,270 times) appear.
The most common Fortune 500 company name found among passwords in the subset was Williams, relating to Sherwin-Williams and/or Williams-Sonoma. “Williams” appears over 72,000 times. The full list, which also includes Microsoft and Bank of America, can be found here.
The research focuses on Fortune 500 company names with more than 8 letters. Short company names naturally produce more matches because the short string of letters also occurs in unrelated words (e.g. while “GE” is a Fortune 500 company, searching for “ge” in compromised password data would match many unrelated phrases).
It is important to note that, despite the companies showing up in these lists, this in no way indicates that they’ve suffered a breach or that their specific passwords have been leaked.
Darren James, Senior Product Manager at Specops Software, explained the results further: “There are many reasons a company name can show up in a compromised password. Whether it’s because the company name overlaps with another word or a consumer is a big fan, the fact remains that these names are showing up within passwords on wordlists attackers are using to attack networks. Organisations would always be smart to block the use of their own organisation name in their users’ passwords with a custom dictionary.”
This research comes shortly after the release of the Specops annual Weak Password Report, which found that ‘password’ is still the most common term used by hackers to breach enterprise networks.
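The custom-dictionary control Darren James recommends, as an added example that is not Specops' own code: it normalises a candidate password (case, accents and the character substitutions cracking rule sets routinely undo) and rejects it when it contains any organisation name from a constructed dictionary, skipping names too short to be meaningful for the reason the research gives about “GE”. The dictionary entries, the five-letter threshold and the substitution table are assumptions.

```python
import re
import unicodedata

# Constructed sample dictionary (not Specops' list): names an organisation might block.
CUSTOM_DICTIONARY = ["Coca-Cola", "Starbucks", "McDonald's", "Williams",
                     "Microsoft", "Bank of America", "GE"]

# Substitutions that cracking rule sets routinely undo, so the check undoes them too.
# (Assumed table; extend it to match the rules in your own policy.)
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

# Very short names ("GE") match unrelated strings; assumed minimum term length.
MIN_TERM_LENGTH = 5


def normalise(text: str) -> str:
    """Fold case, strip accents, undo leet substitutions and keep only letters."""
    ascii_text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_text.lower().translate(LEET_MAP))


def dictionary_terms(entries) -> set:
    """Normalise dictionary entries, dropping those too short to be meaningful."""
    terms = {normalise(entry) for entry in entries}
    return {term for term in terms if len(term) >= MIN_TERM_LENGTH}


def blocked_terms(password: str, entries=CUSTOM_DICTIONARY) -> list:
    """Return the dictionary terms found inside the password after normalisation.

    An empty list means the password passes the custom-dictionary rule; callers
    should still apply length and breached-password checks separately.
    """
    candidate = normalise(password)
    return sorted(term for term in dictionary_terms(entries) if term in candidate)


def is_acceptable(password: str, entries=CUSTOM_DICTIONARY) -> bool:
    """True when no blocked organisation name appears in the password."""
    return not blocked_terms(password, entries)


if __name__ == "__main__":
    # Constructed sample candidates, including disguised spellings of dictionary terms.
    for pw in ["McD0n@ld$2024!", "C0ca-C0la!!", "W1ll1ams2014",
               "Gecko-Seventeen", "correct horse battery staple"]:
        print(f"{pw!r}: blocked={blocked_terms(pw)}")
```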
The post Fortune 500 Company Names Found in Compromised Password Data appeared first on IT Security Guru.
Examples of dumb password rules.
There are some pretty bad disasters out there.
My worst experiences are with sites that have artificial complexity requirements that cause my personal password-generation systems to fail. Some of the systems on the list are even worse: when they fail they don’t tell you why, so you just have to guess until you get it right.
This is the result of a security audit:
More than a fifth of the passwords protecting network accounts at the US Department of the Interior—including Password1234, Password1234!, and ChangeItN0w!—were weak enough to be cracked using standard methods, a recently published security audit of the agency found.
[…]
The results weren’t encouraging. In all, the auditors cracked 18,174—or 21 percent—of the 85,944 cryptographic hashes they tested; 288 of the affected accounts had elevated privileges, and 362 of them belonged to senior government employees. In the first 90 minutes of testing, auditors cracked the hashes for 16 percent of the department’s user accounts.
The audit uncovered another security weakness—the failure to consistently implement multi-factor authentication (MFA). The failure extended to 25—or 89 percent—of 28 high-value assets (HVAs), which, when breached, have the potential to severely impact agency operations.
Original story:
To make their point, the watchdog spent less than $15,000 on building a password-cracking rig—a setup of a high-performance computer or several chained together—with the computing power designed to take on complex mathematical tasks, like recovering hashed passwords. Within the first 90 minutes, the watchdog was able to recover nearly 14,000 employee passwords, or about 16% of all department accounts, including passwords like ‘Polar_bear65’ and ‘Nationalparks2014!’.
Last August, LastPass reported a security breach, saying that no customer information—or passwords—were compromised. Turns out the full story is worse:
While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.
[…]
To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
That’s bad. It’s not an epic disaster, though.
These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.
So, according to the company, if you chose a strong master password—here’s my advice on how to do it—your passwords are safe. That is, you are secure as long as your password is resilient to a brute-force attack. (That they lost customer data is another story….)
Fair enough, as far as it goes. My guess is that many LastPass users do not have strong master passwords, even though the compromise of your encrypted password file should be part of your threat model. But, even so, note this unverified tweet:
I think the situation at @LastPass may be worse than they are letting on. On Sunday the 18th, four of my wallets were compromised. The losses are not significant. Their seeds were kept, encrypted, in my lastpass vault, behind a 16 character password using all character types.
If that’s true, it means that LastPass has some backdoor—possibly unintentional—into the password databases that the hackers are accessing. (Or that @Cryptopathic’s “16 character password using all character types” is something like “P@ssw0rdP@ssw0rd.”)
My guess is that we’ll learn more during the coming days. But this should serve as a cautionary tale for anyone who is using the cloud: the cloud is another name for “someone else’s computer,” and you need to understand how much or how little you trust that computer.
If you’re changing password managers, look at my own Password Safe. Its main downside is that you can’t sync between devices, but that’s because I don’t use the cloud for anything.
News articles. Slashdot thread.
EDITED TO ADD: People choose lousy master passwords.
Many UK citizens are in the habit of sharing passwords for online services with friends and family members, especially for streaming services. However, from now on this will be treated as a criminal offence under the latest law issued by the UK’s Intellectual Property Office (IPO).
Furthermore, using images without permission on social media platforms, and accessing movies, games, sports events and TV series through Fire Sticks, Kodi boxes and other apps without paying a subscription fee, will also be treated as criminal offences from now on.
Google has already declared that using images without permission is illegal and a breach of its rules, and some companies, such as Netflix, have also banned password sharing.
This means that if User A shares his or her streaming-service password with User B, and the service’s server detects a change in device, IP address or geographical location, it can treat this as unauthorised access and block the user from the content until further notice.
User A is then either asked to change the password or sent an alert about the discrepancy; if they fail to react in time, the account is suspended following a review.
The Crown Prosecution Service (CPS) of England has been asked to oversee the password-sharing issue and will impose a strict crackdown from the beginning of the new year.
The post British government bans sharing of Passwords appeared first on Cybersecurity Insiders.
For the past seven to eight months we have constantly been reading or hearing about Russia’s negative involvement in cybersecurity. Now the latest report, published by Group-IB, claims Moscow’s involvement in the theft of passwords from over 50 million users.
According to a report compiled after analysing the involvement of over 34 Telegram groups in cybercrime, researchers from Group-IB have confirmed that hacking groups linked to the Kremlin stole 50 million passwords from about 890,000 user devices. The report states that the credential theft took place in the first nine months of this year.
Group-IB says that many of the hackers were active members of organised crime and were involved in automated scam-as-a-service campaigns spreading malware and espionage tools.
One such campaign spreads embedded links in popular gaming and music videos on YouTube; victims are scammed and diverted to websites that coax them into downloading mining software or data-stealing malware.
Most of the stolen credentials related to PayPal and Amazon, with some related to gaming sites and crypto-wallet service websites.
Group-IB’s Digital Risk Protection team estimates the value of the stolen data at $6 million and is urging online users to follow basic cyber hygiene when crafting passwords and to secure their accounts with multi-factor authentication.
NOTE: A password should have a minimum of 14 characters, be an alphanumeric mixture and include 2-3 special characters. Using 2FA such as OTP authentication makes complete sense for securing an account against hackers.
The post Russia stole the passwords of 50 million users appeared first on Cybersecurity Insiders.
Every year NordPass releases a report on the most popular passwords used in the UK, and this year was no exception. According to its annual ‘Most Common Passwords’ report, online users in the United Kingdom still use 123456 and ILoveYou the most, followed by words or phrases such as Guest, Liverpool, Arsenal, Chocolate, Monkey, Football and the names of the celebrities they most admire.
Concerningly, most of these passwords are easy to guess and can be cracked within a second or less.
Among women, the most commonly used passwords were Charlie, Trigger, sunshine, qwerty and 123456, as these words or phrases are easy to remember and type. Among men, the names of favourite football teams or of celebrities, mostly female, were popular.
Security experts urge online users to choose a safe and secure password for their accounts, since a single let-down can cause huge trouble and most of these passwords can be cracked within a second or two.
At the same time, they advise users to be very careful when choosing a password and recommend a word or phrase 12-18 characters long with one or two special characters; such passwords are hard to crack and may take hackers 2-3 years to guess, even with the automated software seen in brute-force attacks.
Remember, most service providers, such as Google and Microsoft, encourage users to use a single password to access all of their services. Under such circumstances a single break-in could lead to copious amounts of data exposure and could tarnish the image of innocent online users in no time.
The post Most popular passwords are 123456 and ILoveYou appeared first on Cybersecurity Insiders.