Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user’s device. If we determine that sensitive information has been inadvertently received, we delete the information.
Overall, Ormandy wrote that he found over 70 APIs exposed to the Internet, not all of which he had investigated for security issues. He suggested Trend should hire an external consultancy to audit the code.
This means that the top 13 unique mask structures make up 50% of the passwords from the sample. Over 20 million passwords in the sample have a structure within the top 13 masks.
Based on analyzing the data, there are logical factors that help explain how this is possible. When users are asked to provide a password that contains an uppercase letter, over 90% of the time it is put as the first character. When asked to use a digit, most users will put two digits at the end of their password (graduation year perhaps)
Another is Ekko.net, a privacy-focused service that is currently invite-only. It gives users the ability to create policies that govern specific accounts or even communications, explains Ekko.net founder Rick Peters. For example, a user might decide to assign a password to protect a specific e-mail thread, text message, or social media communication. Or they might set a “self destruct” date for a message, causing it to be erased at a predetermined time.
Will tools such as Blur and Ekko.net tilt the playing field in favor of consumers and their privacy?
Privacy experts say: Probably not.
As expected, the hype is pretty high over this. But from the beginning, the story didn’t make sense to me. There are obvious details missing: are the passwords in plaintext or encrypted, what sites are they for, how did they end up with a single criminal gang? The Milwaukee company that pushed this story, Hold Security, isn’t a company that I had ever heard of before. I was with Howard Schmidt when I first heard this story. He lives in Wisconsin, and he had never heard of the company before either. The New York Times writes that “a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic,” but we’re not given any details. This felt more like a PR story from the company than anything real.
From: Krebs on Security in an article entitled Q&A on the Reported Theft of 1.2B Email Accounts
These actors — mostly spammers and malware purveyors (usually both) — focus on acquiring as many email addresses and account credentials as they can. Their favorite methods of gathering this information include SQL injection (exploiting weaknesses in Web sites that can be used to force the site to cough up user data) and abusing stolen credentials to steal even more credentials from victim organizations.
Overall Krebs trusts some researcher who claims to have seen this data first hand. According to Krebs:
I’ve known Hold Security’s Founder Alex Holden for nearly seven years.
Alex isn’t keen on disclosing his methods, but I have seen his research and data firsthand and can say it’s definitely for real.
The five password managers they analyzed are LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword, and they did it to evaluate their security in practice, and to provide pointers to “guide the design of current and future password managers.”
“Widespread adoption of insecure password managers could make things worse: adding a new, untested single point of failure to the web authentication ecosystem. After all, a vulnerability in a password manager could allow an attacker to steal all passwords for a user in a single swoop,” they pointed out, and are advocating a defense-in-depth approach.
Under the standards put forward by the FIDO Alliance, the device a person is using to log in to an account would play a more central role in authentication. That would make it impossible to compromise accounts by stealing passwords, as hackers did in order to break into Twitter this month and LinkedIn last year.
Requiring a person to offer both a password and a physically linked secondary proof is an approach known as “two-factor authentication.”
KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). For more information, see the features page.
I haven’t tried this yet. Using something like this requires a complete paradigm shift as to how one uses the web. I currently have a password system in my head that has worked for quite some time. It will be interesting how useful this is in real life use cases. Having the ability to have some other entity remember usernames and passwords can lead to very secure authentication. There will be no way to authenticate however if one does not have contact to this password database which could be a problem.
In a test, the researcher’s system was able to churn through 348 billion NTLM password hashes per second. That renders even the most secure password vulnerable to compute-intensive brute force and wordlist (or dictionary) attacks. A 14 character Windows XP password hashed using LM NTLM (NT Lan Manager), for example, would fall in just six minutes, said Per Thorsheim, organizer of the Passwords^12 Conference.