Computer historians crack passwords of Unix’s early pioneers

Dennis MacAlistair Ritchie’s was “dmac”, Bourne’s was “bourne”, Schmidt’s was “wendy!!!” (his wife’s name), Feldman’s was “axlotl”, and Kernighan’s was “/.,/.,”.

Source: Computer historians crack passwords of Unix’s early pioneers / Boing Boing

and Ken Thompson’s was “p/q2-q4!” (chess notation for a common opening move).

LastPass bug leaks credentials from previous site

Attackers could lure users on malicious pages and exploit the vulnerability to extract the credentials users had entered on previously-visited sites. According to Ormandy, this isn’t as hard as it sounds, as an attacker could easily disguise a malicious link behind a Google Translate URL, trick users into visiting the link, and then extract credentials from a previously visited site.

Source: LastPass bug leaks credentials from previous site | ZDNet

Windows 10 Bundles a Password Manager. Password Manager Bundles a Security Flaw

“This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a ‘clickjacking’ technique to execute privileged code within the browser extension,” said Craig Lurey, co-founder and CTO of Keeper Security.

Source: Windows 10 Bundles a Password Manager. Password Manager Bundles a Security Flaw

Configure Windows telemetry in your organization (Windows 10)

Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user’s device. If we determine that sensitive information has been inadvertently received, we delete the information.

Source: Configure Windows telemetry in your organization (Windows 10)

Statistics Will Crack Your Password

This means that the top 13 unique mask structures make up 50% of the passwords from the sample. Over 20 million passwords in the sample have a structure within the top 13 masks.

via Statistics Will Crack Your Password.

Based on analyzing the data, there are logical factors that help explain how this is possible. When users are asked to provide a password that contains an uppercase letter, over 90% of the time it is put as the first character. When asked to use a digit, most users will put two digits at the end of their password (graduation year perhaps)

Web privacy is the newest luxury item in era of pervasive tracking

Another is Ekko.net, a privacy-focused service that is currently invite-only. It gives users the ability to create policies that govern specific accounts or even communications, explains Ekko.net founder Rick Peters. For example, a user might decide to assign a password to protect a specific e-mail thread, text message, or social media communication. Or they might set a “self destruct” date for a message, causing it to be erased at a predetermined time.

via Web privacy is the newest luxury item in era of pervasive tracking – CSMonitor.com.

Will tools such as Blur and Ekko.net tilt the playing field in favor of consumers and their privacy?

Privacy experts say: Probably not.

Over a Billion Passwords Stolen?

As expected, the hype is pretty high over this. But from the beginning, the story didn’t make sense to me. There are obvious details missing: are the passwords in plaintext or encrypted, what sites are they for, how did they end up with a single criminal gang? The Milwaukee company that pushed this story, Hold Security, isn’t a company that I had ever heard of before. I was with Howard Schmidt when I first heard this story. He lives in Wisconsin, and he had never heard of the company before either. The New York Times writes that “a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic,” but we’re not given any details. This felt more like a PR story from the company than anything real.

via Schneier on Security: Over a Billion Passwords Stolen?.

From: Krebs on Security in an article entitled Q&A on the Reported Theft of 1.2B Email Accounts

These actors — mostly spammers and malware purveyors (usually both) — focus on acquiring as many email addresses and account credentials as they can. Their favorite methods of gathering this information include SQL injection (exploiting weaknesses in Web sites that can be used to force the site to cough up user data) and abusing stolen credentials to steal even more credentials from victim organizations.

Overall Krebs trusts some researcher who claims to have seen this data first hand.  According to Krebs:

I’ve known Hold Security’s Founder Alex Holden for nearly seven years.

and

Alex isn’t keen on disclosing his methods, but I have seen his research and data firsthand and can say it’s definitely for real.

Critical vulnerabilities in web-based password managers found

The five password managers they analyzed are LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword, and they did it to evaluate their security in practice, and to provide pointers to “guide the design of current and future password managers.”

“Widespread adoption of insecure password managers could make things worse: adding a new, untested single point of failure to the web authentication ecosystem. After all, a vulnerability in a password manager could allow an attacker to steal all passwords for a user in a single swoop,” they pointed out, and are advocating a defense-in-depth approach.

via Critical vulnerabilities in web-based password managers found.

HealthCare.gov deferred final security check, could leak personal data

HealthCare.gov sends data to analytics providers such as Google’s DoubleClick and Pingdom. As Simo reviewed the Web requests being made as part of his movement through the HealthCare.gov site, he found requests sent to these two providers that included his visit to the password reset page—and all of the user data that was generated by the page. That runs counter to the privacy policy on HealthCare.gov, which states that no personally identifiable information will be collected by site analytics tools. This is the same sort of behavior that the Federal Trade Commission has fined social networks such as Facebook and MySpace for in the past.

via HealthCare.gov deferred final security check, could leak personal data | Ars Technica.