Abine, the company behind the Blur password manager and the DeleteMe online privacy protection service, has revealed a data breach impacting nearly 2.4 million Blur users. The breach came to light last year, on December 13, when a security researcher contacted the company about a server that exposed a file containing sensitive information about Blur users.
The company said it followed this initial report with an internal security audit to determine the size of the breach. The audit concluded last week, and the company made the data leak public on Monday in a post on its blog.
Read more about the massive Blur data leak on ZDNet.
These are exciting times for authentication technologies. We’ve only just begun to explore a new world beyond passwords. Emerging alternatives abound, from biometrics to multifactor authentication (MFA) to behavioral analysis and many other innovative ideas.
Unfortunately, headlines can also lead us to believe a plethora of myths about passwords and the future of authentication. Before we can pick a path to follow into the future of authentication, we must first overcome these myths and misconceptions around passwords that are still widely held, even by security professionals.
If you thought passwords will soon be dead, think again. They’re here to stay — for now. Passwords are cumbersome and hard to remember — and just when you did, you’re told to change it again. And sometimes passwords can be guessed and are easily hackable.
Nobody likes passwords, but they’re a fact of life. And while some have tried to kill them off by replacing them with fingerprints and face-scanning technology, neither is perfect, and many still fall back on the trusty (but frustrating) password. How do you make them better? You need a password manager.
Read more about why you may want to start using a password manager on TechCrunch.
While the importance of keeping passwords secure is not a new idea, nearly half of companies are still struggling to get a handle on the issue, according to the LastPass 2018 Global Password Security Report. The report found that password sharing is common in the workplace, with employees sharing an average of six passwords with their coworkers.
Using anonymized data from more than 43,000 organizations, the report determined each company’s security score and password strength score. Even though publicity on the importance of password security has increased in the past year, the average password security score of organizations was found to be 52 out of 100.
Read more about the findings of the LastPass report on TechRepublic.
A new academic study reveals that Android-based password managers have a hard time distinguishing between legitimate and fake applications, leading to easy phishing scenarios.
The research looks at how password managers work on modern versions of the Android OS. The study found that mobile password managers aren’t as secure as desktop versions, and that they can be tricked into associating malicious apps with legitimate websites.
Read more about the findings of the new study on ZDNet.
AdGuard, a popular ad blocker for Android, iOS, Windows, and Mac, has reset all user passwords, the company’s CTO Andrey Meshkov announced. The company took this decision after suffering a brute-force attack during which an unknown attacker tried to log into user accounts by guessing their passwords. Meshkov said the attacker used emails and passwords that were previously leaked into the public domain after breaches at other companies.
This type of attack (using leaked usernames and passwords to hack into accounts at other services) is known as credential stuffing. The AdGuard CTO said attackers were successful in their assault and gained access to some AdGuard accounts, which are used for storing ad blocker settings.
Read more about the AdGuard credential stuffing attack on ZDNet.
Military and government users aren’t engaging in password hygiene any better than their brethren in less sensitive, private-sector positions, according to a new study by WatchGuard Technologies, which shows both sides creating weak passwords at about the same rate.
The report analyzed a data dump of 117 weakly encrypted credential pairs protected only with SHA-1 hash functions from a 2012 breach at LinkedIn. The study showed that credential pairs associated with .mil and .gov accounts were easily crackable — within a week — about 50% of the time. This was only slightly less than the rate of weak passwords in pairs associated with civilian accounts, which were at about 52%.
Read more about the findings of the new report on DarkReading.
Single sign-on (SSO) lets users avoid creating and managing accounts across different services, but what happens when that main, identity-providing account gets compromised? Can users remediate a takeover of that account and other accounts tied to it?
As it turns out, it’s definitely not easy. In fact, according to a group of researchers from the University of Illinois at Chicago, there’s a pressing need for a single sign-off option that will allow users to initiate a chain reaction of access-revocation operations that propagate across all associated accounts.
Read more about the new research into the single sign-on account hijacking threat on Help Net Security.
While most business leaders know no system is foolproof, they believe security rules should be as strict as possible in order to prevent a breach. However, evidence shows that stringent security measures can actually backfire, and can leave organizations more vulnerable than they were before.
In a recent survey conducted at the South by Southwest (SXSW) conference, researchers found that 83 percent of millennials value convenience more than safety, and nearly 60 percent value their time more than safety.
Read more about how you can overcome this problem by offering ‘user-friendly security’, which relies on having a strong identity and access management policy, on Help Net Security.
The death of passwords is predicted with regular frequency, but we’re still to see it actually happen. It’s possible that it will happen one day but, in the meantime, it would be helpful if popular online services would steer users towards choosing better passwords.
Professor of Information Security Steve Furnell at the University of Plymouth has been looking at the password practices of the top ten English-speaking websites since 2007 and, unfortunately, there has not been much improvement.
Read more about the research by Steve Furnell, which indicates that popular online services still usually allow users to secure their accounts with poor passwords, on Help Net Security.