Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Password Security. Show all posts
Password Security
Account security blocking unauthorized access Customer Data Cyber Security Data Safety User Data Password Security

Zello Urges Password Resets Amid Potential Security Incident

 

Zello, a widely used push-to-talk mobile service with over 140 million users, has advised customers to reset their passwords if their accounts were created before November 2, 2024. This precautionary measure follows what appears to be a new security concern, though the exact nature of the issue remains unclear. Zello's actions suggest possible unauthorized access to user accounts. 
 

Zello’s Advisory and User Notification 

 
Starting November 15, 2024, users began receiving notifications from Zello recommending password changes. The notification stated: > 

“As a precaution, we are asking that you reset your Zello app password for any account created before November 2nd, 2024. We also recommend that you change your passwords for any other online services where you may have used the same password.” 
 
The notification also provided a link to a support page with instructions on how to reset passwords through the Zello app. 

Potential Causes: Data Breach or Credential Stuffing? 

 
While Zello has yet to provide further clarification, the lack of detailed communication has raised concerns among users. Efforts by media outlets to obtain a response from the company have been unsuccessful. 
 

The timing and scope of the notice suggest two possibilities: 

 
1. A Data Breach – Unauthorized access to Zello’s systems, potentially compromising user data. 
2. Credential Stuffing – A cyberattack method where attackers use stolen login credentials from other platforms to gain access to Zello accounts. 
 
Notably, the advisory affects only accounts created before November 2, 2024, indicating that the security event may have occurred around that date. 


Past Security Incidents 

This is not the first time Zello has faced a security issue. In 2020, the company experienced a data breach that compromised customer email addresses and hashed passwords, prompting a similar password reset. 

The Importance of Cybersecurity for Essential Services 

 
Zello plays a critical role in communication for sectors such as first responders, transportation, and hospitality, making robust security measures essential. The incident underscores the importance of adopting strong cybersecurity practices: 
- Use Unique, Complex Passwords: Avoid reusing passwords across multiple platforms. 
- Enable Two-Factor Authentication (2FA): Adds an additional layer of security and significantly reduces the risk of unauthorized access. 

User Vigilance and the Need for Transparency 


While Zello’s proactive warning is a positive step, users are calling for greater transparency regarding the root cause of the issue and the measures being taken to prevent future incidents. Organizations like Zello, which support essential communication services, have a heightened responsibility to ensure platform integrity and promptly address security vulnerabilities. 
 
In the meantime, users are strongly encouraged to follow Zello’s instructions and reset their passwords immediately. Taking these precautions can help safeguard personal data and reduce exposure to potential cyber threats. 

As cybersecurity threats continue to evolve, both service providers and users must remain vigilant to ensure the safety and security of their digital ecosystems.
Read more »
Password Security
Acunetix vulnerability administrative privileges Cyber Security device takeover risk IoT device vulnerability Network Security Password Security

Critical Security Flaw in SEIKO EPSON Devices Allows Unauthorized Access

 

A recent security vulnerability identified as CVE-2024-47295 poses a serious risk for several SEIKO EPSON devices, potentially granting attackers administrative control. This vulnerability stems from a weak initial password setup within SEIKO EPSON’s Web Config software, which manages network device settings for products like printers and scanners.

Web Config, a tool for configuring SEIKO EPSON devices via web browsers, lacks an administrative password on affected models when first connected to a network without prior configuration. This absence of a password allows any network user to establish a new password, gaining full access to the device.

The vulnerability report notes, “If the administrator password on the affected device is left blank, anyone accessing it through Web Config can set a new password.” An attacker with administrative rights could manipulate device settings, interrupt operations, or use the device to infiltrate broader network systems.

Currently, there is no available patch to fix this vulnerability. SEIKO EPSON urges users to set an administrative password immediately upon installation and network connection. The company’s Security Guidebook stresses this step in section 3, advising users to configure Web Config settings and secure the device with a strong password to block unauthorized access and mitigate the risk of this exploit.

SEIKO EPSON also advises caution with all networked devices. Unsecured IoT devices are frequently targeted by cybercriminals, and the CVE-2024-47295 vulnerability has received a CVSS score of 8.1, highlighting its high-risk level. Best practices to reduce risk include:

  • Using Strong, Unique Passwords: Set complex passwords during initial setup and avoid defaults.
  • Restricting Network Access: Limit access to trusted users and networks only.
  • Monitoring Device and Network Activity: Regularly review configurations and monitor network traffic for unusual activity.
With these steps, users can enhance device security and safeguard against potential threats.
Read more »
User Security
Complex Password Cyber Security Password Entropy Password Security User Security

Complicated Passwords Make Users Less Secure, Security Experts Claim

 

Using a variety of character types in your passwords and changing them on a regular basis are no longer considered best practices for password management.

This is according to new standards published by the United States National Institute of Standards and Technology, which develops and publishes guidelines to assist organisations in safeguarding their information systems.

The new guidelines were published in September 2024 as part of NIST's second public draft of SP 800-63-4, the most recent iteration of its Digital Identity guidelines. 

Change in password recommendations

Over the years, conventional wisdom recommended having complex passwords that included upper and lower case characters, numbers, and symbols. This complexity was intended to make passwords difficult to guess or crack using brute force assaults. 

However, these complex requirements frequently resulted in users developing bad habits, such as repeating passwords or selecting too basic ones that barely fit the rules, such as "P@ssw0rd123." Over time, NIST discovered that this emphasis on complexity was counterproductive, compromising security in practice. 

In its most recent guidelines, NIST has shifted away from enforcing complexity limits and towards encouraging longer passwords. There are a number of causes for this shift: 

Customer behaviour 

According to research, users frequently fail to remember complicated passwords, prompting them to reuse passwords across several sites or rely on easily guessable patterns, such as substituting letters with similar-looking numbers or symbols. The necessity by many organisations to change your password every sixty to ninety days—a practice that NIST no longer advises—further encouraged this behaviour. 

Password entropy 

Password strength is frequently tested using entropy, a measure of unpredictability. In other words, the total number of possible password combinations. The greater the number of potential options, or entropy, the more difficult it is for cybercriminals to crack the password using brute-force or guessing techniques. 

While complexity can contribute to entropy, length has a far greater impact. A lengthier password with more characters offers an exponentially greater number of possible combinations, making it more difficult for attackers to guess, even if the characters are simple. 

Human element

Long passwords that are easy to remember, such as passphrases composed of multiple basic words. For example, "big dog small rat fast cat purple hat jelly bat" in password form is "bigdogsmallratfastcatpurplehatjellobat" without the spaces, which is both secure and user-friendly. 

A password like this provides a balance between high entropy and convenience of use, preventing users from engaging in risky behaviours such as writing down passwords or reusing them.
Read more »
YubiKey
Cyber Security Digital Identity Eucleak Password Security YubiKey

Protecting Your Digital Identity: The Impact of EUCLEAK on FIDO Devices

Protecting Your Digital Identity: The Impact of EUCLEAK on FIDO Devices

A new vulnerability has emerged that poses a significant threat to FIDO devices, particularly those using the Infineon SLE78 security microcontroller. Thomas Roche of Ninja Labs discovered the flaw. This vulnerability, dubbed “EUCLEAK,” has raised concerns among security experts and users alike, as it allows threat actors to clone YubiKey FIDO keys.

The EUCLEAK Vulnerability

EUCLEAK is a sophisticated attack that targets the Elliptic Curve Digital Signature Algorithm (ECDSA) secret keys stored within FIDO devices. These keys are crucial for the authentication process, ensuring that only authorized users can access certain systems and data. The ability to extract and clone these keys undermines the security of the affected devices, potentially allowing unauthorized access.

The attack requires physical access to the device, specialized equipment, and advanced knowledge in electronics and cryptography. This means that while the attack is technically feasible, it is not easily executed by the average threat actor. However, the implications of such an attack are severe, especially for high-value targets where physical access to devices is a realistic threat.

Impact on YubiKey Devices

Yubico’s YubiKey 5 Series, which is widely used for two-factor authentication (2FA) and other security purposes, is among the affected devices. Yubico has acknowledged the vulnerability and rated the risk as moderate. The company has emphasized that the attack’s complexity and the need for physical access mitigate the overall risk to users.

Despite this, the discovery of EUCLEAK highlights the importance of continuous vigilance and improvement in the field of cybersecurity. As attackers develop more sophisticated methods, security measures must evolve to stay ahead of potential threats.

Mitigation and Response

In response to the EUCLEAK vulnerability, Yubico and other manufacturers using the Infineon SLE78 microcontroller are likely to implement firmware updates and other security measures to protect their devices. Users are advised to stay informed about updates and follow best practices for device security, such as keeping their firmware up to date and being cautious about physical access to their devices.

Additionally, organizations that rely on FIDO devices for authentication should review their security policies and consider additional layers of protection. This might include using multiple forms of authentication and regularly auditing their security infrastructure to identify and address potential vulnerabilities.

Impact on Companies vs Users

The EUCLEAK vulnerability has far-reaching impact on the cybersecurity landscape. For one, it highlights the evolving nature of security threats. Even devices designed with robust security measures can be vulnerable to sophisticated attacks. This realization should prompt both manufacturers and users to adopt a mindset of continuous improvement and vigilance.

For manufacturers, this means investing in ongoing research and development to identify and mitigate potential vulnerabilities before they can be exploited. It also means being transparent with users about risks and providing timely updates and support.

For users, the EUCLEAK vulnerability says a lot about the importance of physical security. While digital threats often dominate the conversation, physical access to devices remains a critical vector for attacks. 

Users should be mindful of where and how they store their security keys and consider additional protective measures, such as using tamper-evident seals or secure storage solutions.
Read more »
Stolen Credentials
Credential Theft Cyber Security Cyber Threats initial access breaches Malware attacks Password Security Stolen Credentials

Rising Threat of Stolen Credentials and Initial Access Breaches

 

Weak or reused passwords continue to pose significant risks for organizations, as criminals increasingly exploit stolen credentials to access user accounts. This trend has fueled a thriving market for stolen credentials and the initial access they provide. The ENISA Threat Landscape 2023 report highlights a year-over-year growth in the Initial Access Broker (IAB) market, with credentials being the primary commodity for sale.

Stealer malware frequently infiltrates victim machines through social engineering tactics, primarily phishing, and sometimes through paid distribution schemes using the Emotet and Qakbot botnets. Other campaigns entice users to download seemingly legitimate software via malvertising.

ENISA anticipates that future social engineering campaigns will adapt to new defensive measures aimed at protecting credentials from abuse.

Increasing Challenges with Stolen Credentials
Organizations face growing challenges with stolen credentials. The Verizon 2024 Data Breach Investigation Report (DBIR) reveals a 180% increase in attacks exploiting vulnerabilities to initiate breaches compared to the previous year. Stolen credentials were the leading initial action in breaches, accounting for 24%, just ahead of ransomware at 23%.

Fraudsters employ various methods to steal credentials, including malware that steals passwords and sells them on the dark web. Popular tools for this purpose include Redline, Vidar, and Raccoon Stealer. The FBI has warned of cybercriminals using search engine advertisements to impersonate brands and direct users to malicious sites that host ransomware to steal login credentials.

Credentials can also be compromised through brute force attacks, where cybercriminals use tools to test password combinations until the correct one is found. These methods range from simple trial and error to more sophisticated dictionary attacks, exploiting common password choices.

Potential for Major Breaches
The Solarwinds attack, described by Microsoft Corp President Brad Smith as "the largest and most sophisticated attack the world has ever seen," exemplifies the potential danger of stolen credentials. A compromised SolarWinds password was discovered on a private Github repository, where an intern had set the password "solarwinds123" on an account with access to the company's update server.

Other notable examples include the Dropbox breach, which impacted millions of users. A Dropbox employee reused a password from a LinkedIn breach, where millions of passwords were accessed by thieves.

ENISA notes that while abusing valid accounts for initial access is not a new technique, it remains effective for cybercriminals. Misconfigured accounts and those with weak passwords are particularly vulnerable. Although multi-factor authentication (MFA) can prevent many attacks, it is not foolproof, with actors intercepting MFA codes and harassing users with push notifications.

ENISA expects credentials to remain a focal point for cybercrime actors despite technical protective measures, as these actors continually find ways around them.

Cybersecurity experts recognize the danger of stolen credentials and the necessity of strong security measures. However, complacency is not an option. The threat posed by stolen credentials is constantly evolving, necessitating ongoing adaptation.

Organizations must enforce the creation of strong passwords resistant to brute force attacks and other forms of exploitation. Specops Password Policy can help build robust password policies by:

  • Generating personalized dictionary lists to prevent the use of commonly used words within the company.
  • Providing immediate and interactive updates to users when changing passwords.
  • Restricting the use of usernames, display names, certain words, consecutive characters, incremental passwords, and repeating parts of previous passwords.
  • Applying these features to any GPO level, computer, individual user, or group within the organization.
  • Continuously scanning for and blocking over 4 billion compromised passwords, ensuring that breached passwords are found daily.
Increasing overall password security, enforcing good password hygiene, and eliminating weak passwords enhance the security of Active Directory environments and privileged accounts. Organizations must prepare their defenses by scanning for password vulnerabilities in Active Directory to detect weak and compromised passwords.
Read more »
Password Security
Cyber Hacking Cyber Security data security Hacker attack Password Password Hacking Password Security

The Race Against Time: How Long Does It Take to Crack Your Password in 2024?

In the ever-evolving landscape of cybersecurity, the battle between hackers and defenders rages on. One of the fundamental elements of this battle is the strength of passwords. As technology advances, so too do the methods and tools available to hackers to crack passwords. 

In 2024, the time it takes to crack a password depends on various factors, including its length, complexity, and the resources available to the hacker. Gone are the days when a simple six-character password could provide adequate protection. With the increasing computational power of modern machines and the prevalence of sophisticated hacking techniques, such passwords can be cracked in mere seconds. In 2024, the gold standard for password security lies in lengthy, complex combinations of letters, numbers, and symbols. 

So, how long does it take for a hacker to crack a password in 2024? The answer is not straightforward. It depends on the strength of the password and the methods employed by the hacker. For instance, a short, simple password consisting of only lowercase letters can be cracked almost instantly using a brute-force attack, where the hacker systematically tries every possible combination until the correct one is found.  

However, longer and more complex passwords present a significantly greater challenge. In 2024, state-of-the-art hacking tools utilize advanced algorithms and techniques such as dictionary attacks, where common words and phrases are systematically tested, and rainbow tables, which are precomputed tables used to crack password hashes. These methods can significantly reduce the time it takes to crack a password, but they are still thwarted by sufficiently strong passwords. 

The concept of password entropy plays a crucial role in determining its strength against cracking attempts. Password entropy measures the randomness or unpredictability of a password. A password with high entropy is more resistant to cracking because it is less susceptible to brute-force and dictionary attacks. In 2024, experts recommend using passwords with high entropy, achieved through a combination of length, complexity, and randomness. 

To put things into perspective, let's consider an example. A randomly generated 12-character password consisting of uppercase and lowercase letters, numbers, and symbols has an extremely high entropy. Even with the most advanced cracking techniques available in 2024, it could take billions or even trillions of years to crack such a password using brute-force methods. 

However, the human factor remains a significant vulnerability in password security. Despite the availability of password managers and education on password best practices, many people still choose weak passwords or reuse them across multiple accounts. This behavior provides hackers with ample opportunities to exploit security vulnerabilities and gain unauthorized access to sensitive information. 

The time it takes for a hacker to crack a password in 2024 varies depending on factors such as password strength, hacking techniques, and computational resources. While advances in technology have empowered hackers with increasingly sophisticated tools, the key to effective password security lies in employing strong, unique passwords with high entropy. By staying vigilant and adopting best practices, individuals and organizations can fortify their defenses against malicious cyber threats in the digital age.

Read more »
Password Security
Credential Cyber Security CyberCrime Information Security Password Password Management Password Security

Strengthening Password Security: Addressing Misconceptions and Best Practices

 

According to recent research by the Institution of Engineering and Technology (IET), conducted to mark World Password Day, only one in five people in the UK can correctly identify a secure password over a risky one. This alarming statistic underscores the widespread lack of awareness and understanding when it comes to password security among the public. 

The study revealed that despite expressing concern about the possibility of being hacked in the future, a significant portion of the population continues to engage in risky password practices. For example, 20% of respondents admitted to using the same password for multiple websites and devices, a practice strongly discouraged by cybersecurity experts. 

Additionally, many individuals rely on easily guessable passwords, such as pet names or significant dates, further compromising their online security. Despite the prevailing fear of cyber threats, there exists a notable discrepancy between public perception and best practices in password security. While 84% of respondents believe that hackers are becoming more inventive, many still hold misconceptions about what constitutes a secure password. 

For instance, a significant portion of the population mistakenly believes that replacing letters with numbers in passwords enhances security, when in reality, this practice does little to deter sophisticated cyberattacks. Dr. Junade Ali, a cybersecurity expert and IET fellow, highlighted the critical importance of strong passwords in today's digital landscape. Weak and predictable passwords serve as easy targets for cybercriminals, who employ various tactics, including credential stuffing, to gain unauthorized access to multiple accounts. Credential stuffing exploits the common practice of using the same password across multiple platforms, allowing hackers to compromise multiple accounts with minimal effort. 

To address these vulnerabilities, the IET has issued recommendations aimed at improving password security awareness and practices. Among these recommendations is the suggestion to create randomly generated, long, and unique passwords for each website or online service. Longer passwords are generally more resistant to brute-force attacks and provide an added layer of security against unauthorized access.  

Additionally, the use of a reputable password manager is encouraged to securely store and manage passwords across various platforms. Password managers not only simplify the process of generating and storing complex passwords but also provide alerts in the event of a data breach, allowing users to take immediate action to protect their accounts. 

By following these guidelines and adopting strong password security practices, individuals can significantly enhance their defenses against cyber threats and safeguard their sensitive information online. As cyberattacks continue to evolve in sophistication, proactive measures to strengthen password security are essential in mitigating the risk of unauthorized access and data breaches.
Read more »
Zero Trust
Active Directory Authentication Compromised Passwords Cyber Security Cybersecurity Least Privilege Multi-factor authentication Network Security Password Security Security Zero Trust

Implementing Zero Trust Principles in Your Active Directory

 

In the past, many organizations relied on secure perimeters to trust users and devices. However, this approach is no longer viable with the geographical dispersion of workers and the need for access from various locations and devices. End-users now require access to corporate systems and cloud applications outside traditional work boundaries, expecting seamless and fast authentication processes.

Consequently, numerous organizations have adopted a zero-trust model to verify users accessing their data, recognizing Active Directory as a critical component of network authentication. Ensuring the security of credentials stored within Active Directory is paramount, prompting the question of how zero trust principles can be applied to maintain security.

The zero trust model, characterized by the principle of "never trust, always verify," requires authentication and authorization of every user, device, and network component before accessing resources or data. Implementing this model involves constructing a multi-layered security framework encompassing various technologies, processes, and policies.

One fundamental step in securing Active Directory environments is enforcing the principle of least privilege, which restricts privileges to the minimum necessary for individuals or entities to perform their tasks. This mitigates the risks associated with privileged accounts, reducing the potential impact of security breaches or insider threats.

Implementing a zero trust model also entails granting elevated privileges, such as admin rights, only when necessary and for limited durations. Techniques for achieving "just-in-time" privilege escalation include the ESAE (Red Forest) model and temporary admin accounts.

Additionally, employing multi-factor authentication (MFA) for password resets enhances security by adding extra layers of authentication beyond passwords. This mitigates vulnerabilities in password reset processes, which are often targeted by hackers through social engineering tactics.

Moreover, scanning for compromised passwords is crucial for enhancing password security. Despite the implementation of zero trust principles, passwords remain vulnerable to various attacks such as phishing and data breaches. Continuous scanning for compromised passwords and promptly blocking them in Active Directory helps prevent unauthorized access to sensitive data and systems.

Specops Password Policy offers a solution for scanning and blocking compromised passwords, ensuring network protection from real-world password attacks. By integrating such services, organizations can enhance their password security measures and adapt them to their specific needs.

Solutions like Specops Software provide valuable tools and support through demos or free trials for organisations seeking to bolster their Active Directory security and password policies.
Read more »
Password Security
Cyber Security data security FIDO Passkeys Password Security

Passkeys: Your Safe Vault for Data Security


Passwords need to be fixed. They're difficult to remember and simple to guess, and protecting them from threat actors is a hassle. To take care of this issue, the Fast Identity Online Alliance (FIDO) created passkeys, a type of passwordless authentication tech. Passkeys take out the need to enter your email address or secret key into login handles around the web, making it harder for threat actors to take your credentials and get into your data.

What is a Passkey?

A passkey is a way of signing in to applications and sites without using a username and secret word mix. It's a couple of cryptography keys created by your gadget. Public and confidential keys squeeze to make a passkey that opens your record. Applications or sites store your unique public key. Your confidential key is just put away on your device, and after your device authenticates your identity, the two keys join to allow you to log in to your record.

Advantages of Passkeys

Passkeys have a lot of advantages; for instance, they can't be assumed or shared. Passkeys are safe from phishing attempts since they're unknown to the destinations they're made for, so they won't chip away at fake carbon copy locations. In particular, if your info is ever leaked, your passkeys can't be taken by hacking into an organization's server or data set, making the information taken out in such hacks less important to threat actors

The most effective method to Get Passkeys

Passkeys are one of a kind to each application or site and are put away in a secret phrase director's vault or your device’s keychain. Normally, the device or programming producing the passkeys uses a biometric verification instrument, like FaceID or TouchID, to confirm your identity. On the off chance that a secret hint is the passkey source, you can sign in to the application using areas of strength for a secret word rather than biometric verification.

Passkeys: Where can we use them?

Many websites, including Best Buy, eBay, Google, Kayak, and PayPal, support passkeys. 1Password, a password management company, has a community site where users may report websites that allow passkey logins. Some of the sites on that list still require a standard username and password for initial account creation and logins, such as Adobe.com, but you can set up a passkey to use for future logins by accessing the Settings menu.


Read more »
Privacy
Common Password Netflix Password Password Security Privacy

New Password-sharing Rule from Netflix Can Annoy Users


Netflix puts a stop to password-sharing

Netflix is bringing new rules to stop password sharing. It can be good news for Netflix and its investors hoping to increase revenue. But it surely is bad news for customers, their families, and their friends.  

So Netflix is using a unique multi-step process for bringing out this unpopular change. First, it warned everyone about it in advance. After that, it slowly started bringing out changes in secondary markets in Latin America before touching the Canada and U.S., where Netflix gets 44% of its revenue. 

When will the new password-sharing rule apply

The company said that new changes might come in more places in the first months of 2023. In its newest edition, it has given more information about how the password crackdown might actually help, but it hasn't provided enough info for customers to understand how it will affect them. Or when. 

These are smart tactics from a smart company. The reaction to this latest change on social media and media is not positive. By the time these new changes are implemented in the U.S., it will feel like old news. 

Users who do password sharing may actually create new accounts, or switch to other streaming platforms like Amazon Prime, Disney+, or Hulu instead. The new rule might also trigger some existing customers to cancel their subscriptions. However, it is unlikely to see large numbers of people quit Netflix because the outrage will be dampened by then. 

New password-sharing rules will annoy users

Even if you're not a user who shares their Netflix password, the new rules can annoy you at some point- if you're traveling or watching Netflix at a cafe or at someone else's home. Netflix said the user might be asked to verify their devices in certain situations when the user is away from home. The company assures that "Verifying a device is quick and easy." 

If the process sounds complex to you, you may be thinking "how many times will I have to go through this process." Unfortunately, there's no immediate answer to this as Netflix hasn't provided many details about that. It said that if a user is away from a Netflix household for a certain amount of time, you may be sometimes asked to verify their device. 

Password-sharing may ask for periodic verifications

The rules also say that the user may have to verify their device "periodically." But if you're at home, you won't have to do it as Netflix will recognize your device from your IP address and device ID. It can annoy users who are concerned about sharing their data. 

Is the crackdown on password sharing a stupid move, especially during a time when streaming platform competition is at an all-time high? Or was Netflix foolish in the past to have a rule that it knew people would break? Will the vast number of freeloaders really buy their own Netflix accounts, or will they simply ask their friends to share the 4-digit OTP? 

We will know the answers only when the new password-sharing rule is brought in.

Read more »
Security
Cyber Attacks Password Password Security Safety Security

What Are Rainbow Table Attacks and How to Safeguard Against Them?

 

We all use password protection, which is an effective access control method. It is likely to continue to be a crucial component of cybersecurity for years to come. On the contrary hand, cybercriminals use a variety of techniques to break passwords and gain access without authorization. This includes attacks using rainbow tables. How dangerous are rainbow table attacks, though, and what are they? What can you do, more importantly, to defend yourself from them?

Passwords are never stored in plain text on any platform or application that takes security seriously. In other words, if your password is "password123" (which it should not be for obvious reasons), it won't be stored as such and will instead be stored as a string of letters and numbers.

Password hashing is the process of transforming plain text into an apparently random string of characters. And algorithms, which are automated programs that make use of mathematical formulas to randomize and obfuscate plain text, are used to hash passwords. The most popular hashing formulas include MD5, SHA, Whirlpool, BCrypt, and PBKDF2.

The result of running the password "password123" through the MD5 algorithm is 482c811da5d5b4bc6d497ffa98491e38. The hashed version of "password123" is represented by this string of characters, which is how your password would be stored online.

Therefore, let's assume that you are logging into your email account. You enter the password after entering your username or email address. When you enter plain text into the email service, it automatically converts it to its hashed value and compares it to the hashed value it initially stored when you set up your password. You are authenticated and given access to your account if the values match.
Then, what would happen in a typical rainbow table attack? 

The threat actor would need to acquire password hashes first. They would either conduct a cyberattack or figure out a way to get around a company's security measures to accomplish this. Or they might spend money on a dark web dump of stolen hashes.

Rainbow Table Attacks and How They Work

The hashes would then be converted to plain text. Obviously, in a rainbow table attack, the attacker would use a rainbow table to accomplish this. Philippe Oechslin, an IT expert, invented rainbow tables based on the research of cryptologist and mathematician Martin Hellman. Rainbow tables, named after the colors that represent different functions within a table, reduce the time required to convert a hash to plain text, permitting the cybercriminal to carry out the attack more effectively.

In a typical brute force attack, the threat actor would have to decode each hashed password separately, calculate thousands of word combinations, and then compare them. This trial-and-error method still works and will probably always work, but it is time-consuming. An attacker would only need to run an obtained password hash through a database of hashes, then repeatedly split and reduce it until the plain text is revealed in a rainbow table attack.

This is how rainbow table attacks work in a nutshell. After cracking a password, a threat actor has a plethora of options for what to do next. They can target their victim in a variety of ways, gaining unauthorized access to a wide range of sensitive data, including information related to online baking and other similar activities.

How to Prevent Rainbow Table Attacks

Rainbow table attacks are less common than they once were, but they continue to pose a significant threat to organizations of all sizes, as well as individuals.  Here are five things you can do to prevent a rainbow table attack.

1. Set Up Complex Passwords
2. Use Multi-Factor Authentication
3. Diversify Your Passwords
4. Avoid Weak Hashing Algorithms

Password security is critical in preventing unauthorized access and various types of cyberattacks. However, it entails more than just coming up with a memorable phrase.

To improve your overall cybersecurity, you must first understand how password protection works before taking steps to safeguard your accounts. This may be overwhelming for some, but using dependable authentication methods and a password manager can make a significant difference.
Read more »
User Data
Cyber Security data security Password Authentication Password Security User Data

Why are Passwords Phasing Out in 2023? Here's Everything You Need to Know

 

You are not alone if you dislike using passwords. Passwords are inconvenient, forgettable, and often not the best security solution for most of us. The best part is that passwords are likely to become obsolete. Passwords will be phased out for a few websites by 2023. 

Why are passwords becoming outdated? Eventually, a password-free future will become a reality. IT managers and security professionals have long sought better password authentication alternatives. Here are some of the reasons why:


Weak Security

Passwords are vulnerable to dictionary attacks, brute-force attacks, and other standard password-hacking techniques. Even if you use good password practices and create super-strong passwords, you could be a victim of a social engineering attack.

You may forget your master password if you utilize a password manager. In such a situation, gaining access to saved passwords can be extremely difficult. The sale of stolen passwords on the dark web demonstrates that passwords are not a secure authentication method.

High Cost

Password creation, entry, and reset all take time. As a result, using passwords as an authentication method costs money. According to a Yubico-sponsored study, an average user spends 10.9 hours per year setting, entering, and resetting passwords. Users might be surprised to learn that password-related activities cost large corporations an average of $5.2 million per year.

Inadequate User Experience


Most of us dislike creating strong passwords, remembering them, and entering them each time we access a device or account. This is why the majority of users despise passwords. Worse, because people must remember passwords, we tend to create weak ones. Utilizing a password manager makes managing passwords easier. However, not everyone wants to use a password manager to manage their passwords.  

What Is Replacing Passwords?

If you're thinking about passwordless authentication for your company or just browsing the web and wondering how you will get into your accounts, the following options are becoming more popular.

Authentication with Multiple Factors

To verify your identity, multi-factor authentication (MFA) requires more than one factor or element. Passwords are frequently replaced with PINs or OTPs in the multi-factor authentication method. Other methods include biometrics, codes on authenticator apps, codes in emails, and so on.

With so many passwordless authentication tools available, you can easily implement MFA in your company. MFA can be secure, but you should be aware of MFA fatigue attacks to be on the safe side.

Behavioral recognition

Behavioral recognition takes into account multiple data points to generate a score that determines whether or not to trust a user to grant access to a device/resource. Keystroke dynamics, gait recognition, voice ID, mouse, and touch use characteristics, and location behavior are examples of data collected and analyzed in the behavioral authentication method.

Cards and Pins

Smart cards and pins provide a secure authentication method for creating, storing, and operating cryptographic keys. Smart cards, card readers, and authentication software programs are used in the smart card authentication method.

A smart card stores your public credentials as well as a personal identification number (PIN), which serves as the secret key for authentication. To gain access to a device/resource, you must insert your smart card into the card reader and enter your PIN.

The Advantages of Passwordless Authentication:

The following are the primary advantages of passwordless authentication:

Improved Cybersecurity

Passwordless authentication protects against password-related cyberattacks like brute force and dictionary attacks. Furthermore, passwordless authentication methods are frequently resistant to phishing. This is because users will not send any login credentials to a hacker via email or text. As a result, implementing passwordless authentication can help your company's cybersecurity.

Supply Chain Security Enhancement

Many supply chain attacks make use of stolen credentials and passwords. By removing passwords from your organization, you can guarantee that your digital assets are safe from supply chain attacks.

Cost-cutting measures

Passwordless logins can lower your company's operating costs over time because users don't have to spend time creating, entering, and managing passwords.

What's Next?


Passwordless logins are becoming more popular. Apple, Google, and Microsoft have joined forces to expand support for the FIDO Alliance and World Wide Web Consortium's passwordless sign-in standard.

Humans are the weakest link in cybersecurity. This explains why phishing and social engineering attacks are so effective. Password theft, password cracking, and credential theft can all be reduced by implementing passwordless authentication.

Read more »
Subscribe to: Posts (Atom)