Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Hack-able Passwords. Show all posts

Best Practice Tips for Password Administration from Tech Security Insiders



Passwords have been an industry-standard as well as industry headache for a considerable length of time and their administration henceforth has become the misery of end-users and IT administrators, yet there are alternatives to take advantage of the experience and reduce their headaches.

And so here are several industry experts discussing the challenges of and solutions to passwords.


  1. Matt Davey, COO at 1Password, an online password management provider; 
  2. Daniel Smith, head of security research at Radware, a security solutions provider; 
  3. Rick McElroy, principal security strategist at VMware Carbon Black, a virtual security platform; Matt Wilson, chief information security advisor at BTB Security, a security solutions provider; 
  4. And Ben Goodman, CISSP and senior vice president of global business and corporate development at identity platform provider ForgeRock.


The first issue discussed was the current challenges faced with passwords, Matt Davey was of the view that “Even though for many years we've relied on passwords to securely access the apps and services we use daily, both at home and at work. Today, as many of these services move to the cloud and breaches become bigger and more frequent, password authentication is even more critical, particularly for enterprises.”

Whereas Matt Wilson says, “Since the dawn of the first password we've struggled with largely the same issues; selecting strong, unique, passwords, remembering and storing them, and changing them periodically. People pick bad passwords and share them across multiple accounts for a very simple reason: It's easier to remember.

As attackers have developed and refined their toolsets, they've increased their capabilities to attack our accounts. Their speed of attack, the volume of guesses, the ability to mask their location/identity, and the "intelligence" they've developed to make better guesses make protecting our accounts more difficult than ever before.”

The second topic of discussion was the remedies and as per Daniel Smith, “Password hygiene is one of the biggest problems that both organizations and individual users face today. One of the easiest ways to combat and remedy the issue with password hygiene is through the use of a password manager and the use of multi-factor authentication.

Using a password manager naturally encourages users to not reuse passwords, and there are plenty of user-friendly options available to both consumers and the enterprise. Multi-factor authentication simply creates an extra step for accessing any account, and can be the barrier needed to stopping unwanted access.”

But when the last question was addressed i.e. what will replace the password problem in the future. Rick McElroy was quick to answer by referring to the current state of pandemic observed by the world, he says, “Short term, it looks like hand and fingerprint biomarkers, two-factor authentication with a mobile device and, in a post-COVID-19 world, facial recognition will be rolled out faster than ever. At some point in the future, DNA will probably be used to verify identity in the medical field but may not be applied to say a laptop and windows login currently.

Long term, I could see a future where a combination of measurements like a heartbeat and brain waves could be used. These types of identification systems are already being beta tested on battlefields to ensure the right criminals and insurgents are being arrested and to protect innocent lives. I would not be shocked to see that deployed at some point in the future.”

And lastly, Ben Goodman was of the opinion that, “Passwords should become a thing of the past. Today, organizations can solve the challenges that come with passwords by leveraging technology that can provide a passwordless user journey.

By adopting a passwordless approach, organizations provide users with frictionless, secure digital experiences. With the use of biometrics or push notifications, organizations can bring the same effortless authentications users have experienced on their smartphones, with technologies like FaceID from Apple or Samsung's Ultrasonic Fingerprint scanner, to every digital touchpoint while ensuring security.”

And since as a feature of an intelligent authentication strategy, passwordless authentication empowers future-proof access so as to improve the customer experience and guaranteeing security by pushing suspicious users to 'additional verification'.

So it is clearly evident from this above discourse that organizations don't have to wait for any further to comprehend and solve password issues: If only they choose the correct arrangement, passwordless verification is conceivable even today.

Google stored G Suite passwords in plaintext, apologises


Google says a small number of its enterprise customers mistakenly had their passwords stored on its systems in plaintext.

If you have a Google account, Google's core sign-in system is designed not to know your password.
The search giant disclosed the exposure Tuesday but declined to say exactly how many enterprise customers were affected. “We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed,” said Google vice president of engineering Suzanne Frey.

The company said that only G Suite enterprise customers were impacted, but not regular Gmail accounts.

The tech giant said it had notified G Suite administrators to change the impacted passwords.

Google on Wednesday extended an apology to its G Suite customers.

"We apologise to our users and will do better," she added.

Most G Suite customers are companies that signed-up for enterprise versions of Gmail, Google Docs, Google Sites, Google Drive, and Google's various other services.

No consumer Gmail accounts were affected by the security lapse, said Frey.

Storing passwords without cryptographic hashes expose them to hacking risk as they become readable.

Passwords are typically scrambled using a hashing algorithm to prevent them from being read by humans. G Suite administrators are able to manually upload, set and recover new user passwords for company users, which helps in situations where new employees are on-boarded. But Google said it discovered in April that the way it implemented password setting and recovery for its enterprise offering in 2005 was faulty and improperly stored a copy of the password in plaintext.

Google has since removed the feature.

Google said the bug at the heart of this security breach was an old tool it developed back in the 2000s.

"The tool (located in the admin console) allowed administrators to upload or manually set user passwords for their company's users," the company said today.

Facebook leaks millions of Instagram passwords

2018 – What a year was it for Facebook! Data scandals and security leaks, issues from Cambridge Analytica and trails by authorities, Facebook have gone under every shit it’s connected with.

And the problems just keep coming in 2019. And in this year, it seemed to have enough already by internal probs, where is announced in a blog post last month saying, “Millions of users passwords were stored in a readable format in their databases!”

Just a day after the social networking giant admitted that it "unintentionally" uploaded email contacts of nearly 1.5 million of new users, Facebook has now revealed that it exposed millions of Instagram users' passwords in a data-security lapse. The password exposure is part of the security breach that was first reported last month by Krebs on Security. Admitting the security blunder, Facebook has said that the company it stored passwords of millions of users in plain text on its internal servers.

However, at that time Facebook claimed that “hundreds of millions of Facebook Lite users” and “tens of millions of other Facebook users” have been affected. Incidentally, the company has chosen just to update the old blog post while making the new revelation. "This is an issue that has already been widely reported, but we want to be clear that we simply learned there were more passwords stored in this way," a Facebook spokesperson said in a statement. Here's all you need to know about this latest 'password leak' from Facebook ...

The process was unintentional – according to Facebook – and happened when users were prompted for their password as part of a security verification process. It's been going on since May 2016 but Facebook says its now deleting all the scraped data.

In the updated post Facebook says: We will be notifying these users as we did the others.

100,000 Most Hack-able Passwords and Tips to Steer Clear of Them!




Keeping a password is an essential requirement and it stands a high stand in keeping a person’s private life, Private.

The need emerges from the necessity of keeping your stuff (any sort) locked away from people who don’t need to see it and from people who got no business of seeing it.

Hence, looking and raking for that almost perfect password is super necessary. Especially with all these hackers and cyber-cons always round the corner.

One thing to always keep in mind is that if a password is even mildly easy for a user to keep in mind, it is super easy for a hacker to hack.

Per the UK’s Cyber Security Center Breach analysis, the password, “123456 was found to be used 23 million times during breaches.

That password was followed by a “12345678 in the list, which was found to be used around 7 million times in the breaches.

The most horrendously obvious password used are, “123456” and “password”.

Other passwords on the list were, “ashley”, “michael”, “qwerty” and “1111111”.

The following is the link to the top 100,000 most hack-able passwords.



A Few Tips!

1.    A strong password should have at least six characters which include a combination of upper cases, lower cases, symbols and number.

2.  If your passwords happen to match with the ones in the list change them as soon as possible.

3.  The very first step to take could be thinking of difficult to guess passwords by combining memorable plus random words.

4.  The more creative the password the safer the account it protects.


5.  Complexity is a must.

6.  Enforce strong password policy on every account possible.

7.   Check the password regularly and use 2FA (Factor Authentication) for major sites, accounts especially emails etc.

8.  All the passwords should be unique for all the different sites and accounts.

9.  All the default passwords must be changed because the IT department always has a list.

Other ways of protecting include using a password manager for less important websites and accounts.