Configure Windows telemetry in your organization (Windows 10)

Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user’s device. If we determine that sensitive information has been inadvertently received, we delete the information.

Source: Configure Windows telemetry in your organization (Windows 10)

Statistics Will Crack Your Password

This means that the top 13 unique mask structures make up 50% of the passwords from the sample. Over 20 million passwords in the sample have a structure within the top 13 masks.

via Statistics Will Crack Your Password.

Based on analyzing the data, there are logical factors that help explain how this is possible. When users are asked to provide a password that contains an uppercase letter, over 90% of the time it is put as the first character. When asked to use a digit, most users will put two digits at the end of their password (graduation year perhaps).
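The mask statistics quoted above (top masks covering half the sample, uppercase almost always first, digits clustered at the end) are easy to reproduce for your own organization's policy review. The following is an added example, not code from the original post or from the linked article; the `SAMPLE` list is a constructed set of twelve passwords, and the `?u`/`?l`/`?d`/`?s` mask notation is the hashcat-style convention, chosen here for familiarity rather than taken from the page.

```python
"""Password mask statistics over a constructed sample (added example).

A defender can run this over a cracked-password audit or a policy test set
to measure how much of the population collapses into a handful of masks.
"""
from collections import Counter

# Constructed sample for illustration only; not real leaked data.
SAMPLE = [
    "Password1", "Summer12", "Welcome1", "Winter12", "Dragon99", "qwerty",
    "Monkey2012", "iloveYou", "Trustno1", "Shadow07", "abc123", "P@ssw0rd",
]


def mask_of(password: str) -> str:
    """Map each character to its class: ?u upper, ?l lower, ?d digit, ?s other."""
    classes = []
    for ch in password:
        if ch.isupper():
            classes.append("?u")
        elif ch.islower():
            classes.append("?l")
        elif ch.isdigit():
            classes.append("?d")
        else:
            classes.append("?s")
    return "".join(classes)


def mask_stats(passwords):
    """Return (Counter of mask -> occurrences, total number of passwords)."""
    counts = Counter(mask_of(p) for p in passwords)
    return counts, len(passwords)


def coverage(counts: Counter, total: int, top_n: int) -> float:
    """Fraction of the sample covered by the top_n most common masks."""
    if total == 0:
        return 0.0
    covered = sum(n for _, n in counts.most_common(top_n))
    return covered / total


def uppercase_first_fraction(passwords) -> float:
    """Among passwords that contain an uppercase letter, the fraction whose
    first character is the uppercase one (the 'capital goes first' habit)."""
    with_upper = [p for p in passwords if any(c.isupper() for c in p)]
    if not with_upper:
        return 0.0
    return sum(1 for p in with_upper if p[0].isupper()) / len(with_upper)


def trailing_digit_run_counts(passwords) -> Counter:
    """Counter of how many digits each password ends with (0 if none)."""
    runs = Counter()
    for p in passwords:
        n = 0
        for ch in reversed(p):
            if not ch.isdigit():
                break
            n += 1
        runs[n] += 1
    return runs


if __name__ == "__main__":
    counts, total = mask_stats(SAMPLE)
    for mask, n in counts.most_common(3):
        print(f"{mask:24s} {n:3d}  ({n / total:.0%})")
    print(f"top 2 masks cover {coverage(counts, total, 2):.0%} of the sample")
    print(f"uppercase-first: {uppercase_first_fraction(SAMPLE):.0%}")
    print("trailing digit runs:", dict(trailing_digit_run_counts(SAMPLE)))
```

On the constructed sample, two masks already account for half of the passwords and nine of the ten capitalised entries start with the capital; the same shape shows up at scale in the article's figures, which is why mask coverage, not raw character-class counting, is the metric to report when arguing for a password policy change.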

Web privacy is the newest luxury item in era of pervasive tracking

Another is Ekko.net, a privacy-focused service that is currently invite-only. It gives users the ability to create policies that govern specific accounts or even communications, explains Ekko.net founder Rick Peters. For example, a user might decide to assign a password to protect a specific e-mail thread, text message, or social media communication. Or they might set a “self destruct” date for a message, causing it to be erased at a predetermined time.

via Web privacy is the newest luxury item in era of pervasive tracking – CSMonitor.com.

Will tools such as Blur and Ekko.net tilt the playing field in favor of consumers and their privacy?

Privacy experts say: Probably not.

Over a Billion Passwords Stolen?

As expected, the hype is pretty high over this. But from the beginning, the story didn’t make sense to me. There are obvious details missing: are the passwords in plaintext or encrypted, what sites are they for, how did they end up with a single criminal gang? The Milwaukee company that pushed this story, Hold Security, isn’t a company that I had ever heard of before. I was with Howard Schmidt when I first heard this story. He lives in Wisconsin, and he had never heard of the company before either. The New York Times writes that “a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic,” but we’re not given any details. This felt more like a PR story from the company than anything real.

via Schneier on Security: Over a Billion Passwords Stolen?.

From: Krebs on Security in an article entitled Q&A on the Reported Theft of 1.2B Email Accounts

These actors — mostly spammers and malware purveyors (usually both) — focus on acquiring as many email addresses and account credentials as they can. Their favorite methods of gathering this information include SQL injection (exploiting weaknesses in Web sites that can be used to force the site to cough up user data) and abusing stolen credentials to steal even more credentials from victim organizations.

Overall, Krebs trusts the researcher, who claims to have seen this data firsthand. According to Krebs:

I’ve known Hold Security’s Founder Alex Holden for nearly seven years.

and

Alex isn’t keen on disclosing his methods, but I have seen his research and data firsthand and can say it’s definitely for real.

Critical vulnerabilities in web-based password managers found

The five password managers they analyzed are LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword, and they did it to evaluate their security in practice, and to provide pointers to “guide the design of current and future password managers.”

“Widespread adoption of insecure password managers could make things worse: adding a new, untested single point of failure to the web authentication ecosystem. After all, a vulnerability in a password manager could allow an attacker to steal all passwords for a user in a single swoop,” they pointed out, and are advocating a defense-in-depth approach.

via Critical vulnerabilities in web-based password managers found.

HealthCare.gov deferred final security check, could leak personal data

HealthCare.gov sends data to analytics providers such as Google’s DoubleClick and Pingdom. As Simo reviewed the Web requests being made as part of his movement through the HealthCare.gov site, he found requests sent to these two providers that included his visit to the password reset page—and all of the user data that was generated by the page. That runs counter to the privacy policy on HealthCare.gov, which states that no personally identifiable information will be collected by site analytics tools. This is the same sort of behavior that the Federal Trade Commission has fined social networks such as Facebook and MySpace for in the past.

via HealthCare.gov deferred final security check, could leak personal data | Ars Technica.

PayPal, Lenovo Launch New Campaign to Kill the Password with New Standard from FIDO Alliance

Under the standards put forward by the FIDO Alliance, the device a person is using to log in to an account would play a more central role in authentication. That would make it impossible to compromise accounts by stealing passwords, as hackers did in order to break into Twitter this month and LinkedIn last year.

via PayPal, Lenovo Launch New Campaign to Kill the Password with New Standard from FIDO Alliance | MIT Technology Review.

Requiring a person to offer both a password and a physically linked secondary proof is an approach known as “two-factor authentication.”

KeePass Password Safe

KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). For more information, see the features page.

via KeePass Password Safe.

I haven’t tried this yet. Using something like this requires a complete paradigm shift as to how one uses the web. I currently have a password system in my head that has worked for quite some time. It will be interesting to see how useful this is in real-life use cases. Having the ability to have some other entity remember usernames and passwords can lead to very secure authentication. There will be no way to authenticate, however, if one does not have access to this password database, which could be a problem.

New 25 GPU Monster Devours Passwords In Seconds

In a test, the researcher’s system was able to churn through 348 billion NTLM password hashes per second. That renders even the most secure password vulnerable to compute-intensive brute force and wordlist (or dictionary) attacks. A 14 character Windows XP password hashed using LM NTLM (NT Lan Manager), for example, would fall in just six minutes, said Per Thorsheim, organizer of the Passwords^12 Conference.
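The quoted rate of 348 billion NTLM hashes per second only becomes meaningful when set against the size of the search space, and the reason an LM-hashed password falls so quickly is structural: LM splits the password into two independent 7-character halves and folds letters to uppercase, so an attacker never searches the 14-character space at all. The following is an added example, not code from the original post or from the Security Ledger article; the hash rate is the figure quoted above, while the charset sizes (95 printable ASCII for NT, 69 for LM after case folding) and the year length are assumptions made here for the calculation.

```python
"""Exhaustive-search time at a given hash rate (added example).

Shows why LM hashes must be disabled: the two-halves construction turns a
14-character search into two 7-character searches.  Figures are upper bounds
for a pure brute force; wordlist and rule attacks finish far sooner.
"""
HASHES_PER_SECOND = 348e9          # rate quoted in the article
NT_CHARSET = 95                    # assumed: printable ASCII
LM_CHARSET = 69                    # assumed: printable ASCII with lowercase folded to upper
LM_HALF_LENGTH = 7                 # LM hashes each 7-character half independently
SECONDS_PER_YEAR = 365.25 * 86400  # assumed calendar convention


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate strings of exactly `length` drawn from a charset."""
    return charset_size ** length


def lm_effective_candidates(charset_size: int = LM_CHARSET) -> int:
    """Work needed to exhaust a 14-character LM hash: two independent halves,
    each of LM_HALF_LENGTH characters, rather than one 14-character search."""
    return 2 * keyspace(charset_size, LM_HALF_LENGTH)


def seconds_to_exhaust(candidates: int, rate: float = HASHES_PER_SECOND) -> float:
    """Worst-case seconds to try every candidate at `rate` hashes per second."""
    return candidates / rate


def years_to_exhaust(candidates: int, rate: float = HASHES_PER_SECOND) -> float:
    return seconds_to_exhaust(candidates, rate) / SECONDS_PER_YEAR


def human_duration(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    if seconds < 60:
        return f"{seconds:.1f} s"
    if seconds < 3600:
        return f"{seconds / 60:.1f} min"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} h"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


if __name__ == "__main__":
    rows = [
        ("LM, 14 chars (2 x 7 halves)", lm_effective_candidates()),
        ("NT, 8 chars, full printable", keyspace(NT_CHARSET, 8)),
        ("NT, 10 chars, full printable", keyspace(NT_CHARSET, 10)),
        ("NT, 14 chars, full printable", keyspace(NT_CHARSET, 14)),
    ]
    for label, n in rows:
        print(f"{label:32s} {n:.3g} candidates -> {human_duration(seconds_to_exhaust(n))}")
```

At the quoted rate the LM case exhausts in under a minute even with the generous 69-character alphabet, while the same 14 characters stored only as an NT hash would take hundreds of millions of years to search exhaustively; the detection and hardening takeaway is the same one practitioners have had since Windows XP: confirm that `NoLMHash` is set and that no LM hashes remain in the SAM or in domain controller databases.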

via Update: New 25 GPU Monster Devours Passwords In Seconds | The Security Ledger.