Tag: passwords

  • The US Could Finally Ban Inane Forced Password Changes

    Researchers found a vulnerability in a Kia web portal that allowed them to track millions of cars, unlock doors, honk horns, and even start engines in seconds, just by reading the car’s license plate. The findings are the latest in a string of web bugs that have impacted dozens of carmakers. Meanwhile, a handful of Tesla Cybertrucks have been outfitted for war and are literally being battle-tested by Chechen forces fighting in Ukraine as part of Russia’s ongoing invasion.

    As Israel escalates its attacks on Lebanon, civilians on both sides of the conflict have been receiving ominous text messages—and authorities in each country are accusing the other of psychological warfare. The US government has increasingly condemned Russia-backed media outlets like RT for working closely with Russian intelligence—and many digital platforms have removed or banned their content. But they’re still influential and trusted alternative sources of information in many parts of the world.

    And there’s more. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

    A new draft of the US National Institute of Standards and Technology’s “Digital Identity Guidelines” finally takes steps to eliminate reviled password management practices that have been shown to do more harm than good. The recommendations, which will be mandatory for US federal government entities and serve as guidelines for everyone else, ban the practice of requiring users to periodically change their account passwords, often every 90 days.

    The policy of regularly changing passwords evolved out of a desire to ensure that people weren’t choosing easily guessable or reused passwords, but in practice it causes people to choose simple or formulaic passwords so they will be easier to keep track of. The new recommendations also ban “composition rules,” like requiring a certain number or mix of capital letters, numbers, and punctuation marks in each password. NIST writes in the draft that the goal of the Digital Identity Guidelines is to provide “foundational risk management processes and requirements that enable the implementation of secure, private, equitable, and accessible identity systems.”

    The US Department of Justice unsealed charges on Friday against three Iranian men who allegedly compromised Donald Trump’s presidential campaign and leaked stolen data to media outlets. Microsoft and Google warned last month that an Iranian state-sponsored hacking group known as APT42 had targeted both the Joe Biden and Donald Trump presidential campaigns, and successfully breached the Trump campaign. The DOJ claims the hackers compromised a dozen people as part of their operation, including a journalist, a human rights advocate, and several former US officials. More broadly, the US government has said in recent weeks that Iran is attempting to interfere in the 2024 election.

    “The defendants’ own words made clear that they were attempting to undermine former President Trump’s campaign in advance of the 2024 U.S. presidential election,” Attorney General Merrick Garland said at a press conference on Friday. “We know that Iran is continuing with its brazen efforts to stoke discord, erode confidence in the US electoral process, and advance its malign activities.”

    The Irish Data Protection Commission fined Meta €91 million, or roughly $101 million, on Friday for a password storage lapse in 2019 that violated the European Union’s General Data Protection Regulation. Following a report by Krebs on Security, the company acknowledged in March 2019 that a bug in its password management systems had caused hundreds of millions of Facebook, Facebook Lite, and Instagram passwords to be stored without protection in plaintext in an internal platform. Ireland’s privacy watchdog launched its investigation into the incident in April 2019.

    “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” Irish DPC deputy commissioner Graham Doyle said in a statement. “It must be borne in mind that the passwords, the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”

    The digital anonymity nonprofit the Tor Project is merging with privacy- and anonymity-focused Linux-based operating system Tails. Pavel Zoneff, the Tor Project’s communications director, wrote in a blog post on Thursday that the move will facilitate collaboration and reduce costs, while expanding both groups’ reach. “Tor and Tails provide essential tools to help people around the world stay safe online,” he wrote. “By joining forces, these two privacy advocates will pool their resources to focus on what matters most: ensuring that activists, journalists, other at-risk and everyday users will have access to improved digital security tools.”

  • Apple’s New Passwords App May Solve Your Login Nightmares

    Apple’s latest iPhone software update, iOS 18, arrives today and includes a new app: Passwords. For the first time, Apple is taking your phone’s ability to save login details and putting them in a standalone app. It could help improve millions of people’s terrible passwords.

    After years of being told you should create unique, strong passwords for every website and app you use, you probably fall into one of two camps: people who are fully signed up to the password manager life, or those still using “123456” for every other website.

    Apple’s new encrypted Passwords app is automatically included with iOS 18, and is a public-facing evolution of its Keychain and password-saving capabilities. The Keychain, which has existed for more than a decade, no longer has as prominent a home in the iPhone’s settings, and details previously saved there are being moved to the new app.

    The launch of the password manager app, which will also be available on macOS Sequoia and iPadOS 18, may help improve people’s relationships with their passwords but also could, to varying degrees, challenge existing password managers.

    “This move makes the app more visible to lay users and informs them about this secure method to store and manage passwords,” say Talal Haj Bakry and Tommy Mysk from security company Mysk. “You have a default password manager preinstalled on your device [that] provides end-to-end encryption when syncing data across devices.”

    New Passwords

    The Passwords app has a pretty barebones design. Six different tiles are presented when you open the app on an iPhone: All, Passkeys, Codes, Wi-Fi, Security, and Deleted. These are essentially the main functions of the app, allowing you to save each type of data within their relevant sections. The security section includes check-ups allowing weak and exposed passwords to be identified.

    “This will definitely boost the adoption of this preinstalled app and bolster user security,” Bakry and Mysk say. They add that it presents the saved data “in a more organized way than the Settings app.”

    Apple says the Passwords app uses end-to-end encryption to save your details, meaning nobody, not even Apple, knows what you have saved. Within the app, you can search for login details to your entries and set up groups to share passwords with other people.

    Your saved login details are synced across Apple devices using iCloud, meaning the encrypted data is shared with Apple’s cloud servers and available on all of your Apple devices. Within Apple’s settings, you can turn off syncing passwords on a specific device. The app is locked using Face ID.

    When using the Passwords app, any details you have previously saved in Keychain or AutoFill will be moved to the new location. This includes details for any websites or apps where you have used the Sign in with Apple login system. It is unclear why Apple has decided to spin its Keychain system into a fully fledged password manager now, although the company has been building out the individual features over a number of years. (Apple has not responded to WIRED’s request for comment at the time of writing.)

  • The US Government Is Asking Big Tech to Promise Better Cybersecurity

    The pledge offers examples of how companies can meet the goals, although it notes that companies “have the discretion to decide how best” to do so. The document also emphasizes the importance of companies publicly demonstrating “measurable progress” on their goals, as well as documenting their techniques “so that others can learn.”

    CISA developed the pledge in consultation with tech companies, seeking to understand what would be feasible for them while also meeting the agency’s goals, according to Goldstein. That meant making sure the commitments were feasible for companies of all sizes, not just Silicon Valley giants.

    The agency originally tried using its Joint Cyber Defense Collaborative to prod companies into signing the pledge, according to the tech industry official, but that backfired when companies questioned the use of an operational cyberdefense collaboration group for “a policy and legal issue,” the industry official says.

    “Industry expressed frustration about trying to use the JCDC to obtain pledges,” the official says, and CISA “wisely pulled back on that effort.”

    CISA then held discussions with companies through the Information Technology Sector Coordinating Council and tweaked the pledge based on their feedback. Originally, the pledge contained more than seven goals, and CISA wanted signatories to commit to “firm metrics” for showing progress, according to the industry official. In the end, this person says, CISA removed several goals and “broadened the language” about measuring progress.

    John Miller, senior vice president of policy, trust, data, and technology at the Information Technology Innovation Council, a major industry trade group, says that change was smart, because concrete progress metrics—like the number of users using multi-factor authentication—could be “easily misconstrued.”

    Goldstein says the number of pledge signatories is “exceeding my expectations about where we’d be” at this point. The industry official says they’re not aware of any company that has definitively refused to sign the pledge, in part because vendors want to “keep open the option of signing on” after CISA’s launch event at RSA. “Everyone’s in a kind of wait-and-see mode.”

    Legal liability is a top concern for potential signatory companies. “If there ends up being, inevitably, some type of security incident,” Miller says, “anything [a] company has said publicly could be used in lawsuits.”

    That said, Miller predicts that some global companies facing strict new European security requirements will sign the US pledge to “get that credit” for something they already have to do.

    CISA’s Secure by Design campaign is the centerpiece of the Biden administration’s ambitious plan to shift the burden of cybersecurity from users to vendors, a core theme of the administration’s National Cybersecurity Strategy. The push for corporate cyber responsibility follows years of disruptive supply-chain attacks on critical software makers like Microsoft, SolarWinds, Kaseya, and Change Healthcare, as well as a mounting list of widespread software vulnerabilities that have powered ransomware attacks on schools, hospitals, and other essential services. White House officials say the pattern of costly and often preventable breaches demonstrates the need for increased corporate accountability.

  • 9 Best Password Managers (2024): Features, Pricing, and Tips

    I still find BitWarden to be a more economical choice for most people, but there are some very nice features in 1Password that you won’t find elsewhere. If you frequently travel across national borders, you’ll appreciate my favorite 1Password feature: Travel Mode. This mode lets you delete any sensitive data from your devices before you travel and then restore it with a click after you’ve crossed a border. This prevents anyone, including law enforcement at international borders, from accessing your complete password vault.

    It’s worth noting that 1Password uses a combination of two keys to unlock your account, your password and an additional generated secret key. While that does add a layer of security that will protect against weak passwords, it also means part of what you need to unlock your passwords is something you did not create. 1Password does make sure you have this key as an item in your “emergency kit,” but I still prefer pairing a self-generated password with a Yubikey.

    In addition to being a password manager, 1Password can act as an authentication app like Google Authenticator, and for added security it combines a generated secret key with your password to derive the encryption key it uses, meaning no one can decrypt your passwords without that key. The downside is that if you lose this key, no one, not even 1Password, can decrypt your passwords. (This can be mitigated by setting up a custom group that has the “Recover Accounts” permission.)

    1Password also offers tight integration with other mobile apps. Rather than needing to copy and paste passwords from your password manager to other apps (which puts your password on the clipboard at least for a moment), 1Password is integrated with many apps and can autofill. This is more noticeable on iOS, where inter-app communication is more restricted.

    After signing up, download the app for Windows, macOS, Android, iOS, Chrome OS, or Linux. There are also browser extensions for Firefox, Chrome, Brave, and Edge.

    Best Full-Featured Manager

    Screenshot of Dashlane app on desktop (courtesy of Dashlane)

    I first encountered Dashlane several years ago. Back then, it was the same as its competitors, with no stand-out attributes. However, updates over time have added several helpful features. One of the best is Site Breach Alerts, something other services have since added as well. Dashlane actively monitors the darker corners of the web, looking for leaked or stolen personal data, and it alerts you if your information has been compromised.

    Setup and migration from another password manager is simple, and you’ll use a secret key to encrypt your passwords, much like BitWarden’s setup process. In practice, Dashlane is very similar to the others on this list. The company doesn’t offer a desktop app, but I primarily use passwords in the web browser anyway, and Dashlane has add-ons for all the major browsers, along with iOS and Android apps. If a desktop app is important to you, that omission is something to be aware of. Dashlane offers a 30-day free trial, so you can test it out before committing.

    After signing up, download the app for Android and iOS, and grab the browser extensions for Firefox, Chrome, and Edge.

    Best DIY Options (Self-Hosted)

    Want to retain more control over your data in the cloud? Sync your password vault yourself. The services below do not store any of your data on their servers. This means attackers have nothing to target. Instead of storing your passwords, these services use a local vault to store your data, and then you can sync that vault using a file-syncing service like Dropbox; NextCloud; or Edward Snowden’s recommended service, SpiderOak. There are two services to keep track of in this scenario, making it a little more complex. But if you’re already using a file-syncing service, this can be a good option.

    Screenshot of Enpass password manager app on desktop (courtesy of Enpass)

    Enpass does not store any data on its servers. Syncing is handled through third-party services. Enpass doesn’t do the syncing, but it does offer apps on every platform. That means once you have syncing set up, it works just like any other service. And you don’t have to worry about Enpass being hacked, because your data isn’t on its servers. Enpass supports syncing through Dropbox, Google Drive, OneDrive, iCloud, Box, Nextcloud, or any service using WebDAV. Alas, SpiderOak is not currently supported. You can also synchronize your data over a local Wi-Fi (WLAN) network.

    All of the features you expect in a password manager are here, including auto-generating passwords, breach-monitoring, biometric login (for devices that support it), auto-filling passwords, and options to store other types of data, like credit cards and identification data. There’s also a password audit feature to highlight any weak or duplicate passwords in your vault. One extra I particularly like is the ability to tag passwords for easier searching. Enpass also makes setting up the syncing through the service of your choice very easy. Enpass recently added support for passkeys.

  • I Stopped Using Passwords. It’s Great—and a Total Mess

    Using passkeys likely means having a different mindset from how you think about passwords. There’s nothing to remember when you log in, and you have to use something else to store your passkeys. Passkeys can be stored in Apple’s, Google’s or Microsoft’s password manager systems; your browser; a dedicated password manager; or on a physical security key. I created a Google passkey on one USB key, and all I need to do to sign in is, essentially, plug it in. (All of the devices I use professionally and personally are Apple, meaning I haven’t tested passkeys between my iPhone and a Windows laptop, for instance.)

    “The technology is mature, the front ends are still nascent,” Shikiar from the FIDO Alliance says. Over the past year, the FIDO Alliance has also been working on user experience guidelines, he says, making it more straightforward for people to sign up and use passkeys across systems. Gary Orenstein, the chief customer officer of password manager Bitwarden, says there are multiple groups involved in the creation and rollout of passkeys, so transitioning to a world where everything is seamless takes coordination. “The standards are at one level, user expectations are at a different level,” he says. “The vendor implementations are at a third level, and they’re merging, but it takes time.”

    Being able to save a passkey on essentially any device makes them more useful and means you aren’t locked in to Google’s, Microsoft’s, or Apple’s ecosystems. However, where you save a passkey is going to take some remembering. When setting up one passkey, I was asked by my password manager, browser, and the device operating system whether I wanted to save my passkey with each of them. Picking one spot and sticking to it is probably the best option.

    Most of my work is done on my laptop—and it’s rare that I download new apps or log out of apps on my phone—so I have been saving the majority of my passkeys in Bitwarden, which costs me $10 a year for a premium account alongside my hundreds of passwords. It works like this: When logging in to my Amazon account, I enter my username, and then Bitwarden’s browser extension pops up asking whether I want to log in with my passkey for Amazon. I press confirm, and I am logged in. It also offers the option to use my device or a hardware key to log in, and if I select one of these options, it looks for passkeys stored on my laptop.

    However, as mentioned, Bitwarden doesn’t currently offer passkeys on mobile, meaning that to get the mobile-first Coinbase integration to work, I ended up saving that passkey to iCloud’s Keychain instead. Orenstein, from Bitwarden, says that making passkeys work on mobile is a priority for Bitwarden and more support should be rolling out in the coming months. The company has seen a “fantastic” adoption of passkeys so far, he says, but acknowledges people will have to get used to the change. “You still need an awareness about where it is,” Orenstein says. “I think, over time, as an industry, we can reduce the need for that awareness, hopefully to zero.”

    The Password’s Long Goodbye

    You may not have set up any passkeys yet, but it’s only a matter of time. Tech companies are starting to make passkeys the default, and more businesses are adopting them. In the past couple of weeks, X has started allowing some people to use passkeys, and WhatsApp is bringing them to iPhones and iPads after previously rolling out passkey support for Android devices.

    Leona Lassak, Blase Ur, and Maximilian Golla, three academics from Germany and the US who have researched the adoption of passkeys, say that businesses they’ve interviewed are generally positive about the adoption of passkeys and the extra security it will bring. However, it will likely take some time until the majority of websites, apps, and companies are using passkeys for everything. “I don’t think we will have a big bang in the next few months,” Lassak says. “It’s going to be a slow process, which on the way will then also catch other and smaller entities.”

    As a result, passwords will still be around for a while. It’ll be a long time until I have converted my remaining 320-ish accounts to be using passkeys. And for the time being at least, those accounts where I do have passkeys will still have existing passwords that I can fall back on. “Passkeys is having fewer passwords, but not necessarily no passwords,” says Golla.

    Experts recommend setting up a few passkeys whenever you come across them on your online accounts, rather than necessarily trying to change them all at once. There are guides to what websites are using passkeys already, and Google, Microsoft, and Apple all have straightforward explanations on how to create passkeys. And there are plenty of benefits to getting started now.

    “They are a true password replacement that eliminate the threat of phishing, eliminate the hassle of password resets, and eliminate the liability that service providers have when they’re managing thousands, tens of thousands, or tens of millions, or billions of passwords,” Shikiar says. “It really is an entirely new way of doing user authentication.”

  • The Hulu and Disney+ Password Crackdown Is Coming. Here’s What You Need to Know

    Hulu and Disney+ subscribers have until March 14 to stop sharing their login information with people outside of their household. Disney-owned streaming services are the next to adopt the password-crackdown strategy that has helped Netflix add millions of subscribers.

    An email sent from “The Hulu Team” to subscribers this week and viewed by Ars Technica tells customers that Hulu is “adding limitations on sharing your account outside of your household.”

    Hulu’s subscriber agreement, updated on January 25, now states that users may not share their subscription outside of their household, with household being defined as the “collection of devices associated with your primary personal residence that are used by the individuals who reside therein.”

    The updated terms also note that Hulu might scrutinize user accounts to ensure that the accounts aren’t being used on devices located outside of the subscriber’s residence:

    We may, in our sole discretion, analyze the use of your account to determine compliance with this Agreement. If we determine, in our sole discretion, that you have violated this Agreement, we may limit or terminate access to the Service and/or take any other steps as permitted by this Agreement (including those set forth in Section 6 of this Agreement).

    Section 6 of Hulu’s subscriber agreement says Hulu can “restrict, suspend, or terminate” access without notice.

    Hulu didn’t respond to a request for comment on how exactly it will “analyze the use” of accounts. But Netflix, which started its password crackdown in March 2022 and brought it to the US in May 2023, says it uses “information such as IP addresses, device IDs, and account activity to determine whether a device signed in to your account is part of your Netflix Household” and doesn’t collect GPS data from devices.

    According to the email sent to Hulu subscribers, the policy will apply immediately to people subscribing to Hulu from now on.

    The updated language in Hulu’s subscriber agreement matches what’s written in the Disney+/ESPN+ subscriber agreement, which was also updated on January 25. Disney+’s password crackdown first started in November in Canada.

    A Disney spokesperson confirmed to Ars Technica that Disney+ subscribers have until March 14 to comply. The rep also said that notifications were sent to Disney+’s US subscribers yesterday, although it’s possible that some subscribers didn’t receive an email alert, as is the case with a subscriber in my household.

    The representative didn’t respond to a question asking how Disney+ will “analyze” user accounts to identify account sharing.

    Push for Profits

    Disney CEO Bob Iger first hinted at a Disney streaming-password crackdown in August during an earnings call. He highlighted a “significant” amount of password sharing among Disney-owned streaming services and said Disney had “the technical capability to monitor much of this.” The executive hopes a password crackdown will help drive subscribers and push profits to Netflix-like status. Disney is aiming to make its overall streaming services business profitable by the end of 2024.

    In November, it was reported that Disney+ had lost $11 billion since launching in November 2019. The streaming service has sought to grow revenue by increasing prices and encouraging users to join its subscription tier with commercials, which is said to bring streaming services higher average revenue per user than non-ad plans.
