Password Timing Attacks Expected to Grow

A well-known cryptographic attack could be used by hackers to log into Web applications used by millions of users, according to two security experts who plan to discuss the issue at an upcoming security conference. Researchers Nate Lawson and Taylor Nelson say they’ve discovered a basic security flaw that affects dozens of open-source software libraries — including those used by software that implements the OAuth and OpenID standards — that are used to check passwords and user names when people log into websites. OAuth and OpenID authentication are accepted by popular Web sites such as Twitter and Digg.


Crypto tool predicts password cracking time

Instead of indicating password quality via coloured bars, the Windows crypto tool Thor’s Godly Privacy (TGP) informs users about the estimated time required for a successful brute-force attack on the chosen password. TGP calculates the time from the number of iterations a brute-force tool would need to arrive at the correct character combination.


Mozilla yanks password-stealing Firefox add-on

Mozilla on Tuesday warned users that a password-stealing add-on slipped into Firefox’s extension gallery more than a month ago had been downloaded nearly 2,000 times before it was detected. The malicious “Mozilla Sniffer” add-on was yanked from Mozilla’s servers Monday, and added to the Firefox “blocklist,” a last-resort defense that uninstalls potentially dangerous browser extensions from users’ machines.


30 years of failure: the username/password combination

Nowhere is that more true than the item at the heart of basic security: the humble password. Here, our best practices—something that’s not in the dictionary or written down, differs for every account, etc.—ignore basic research, which shows that humans have a limited capacity to associate random text with, well, just about anything. A new survey of institutional IT users provides a glimpse into just how bad the password situation is, with less than five percent of users managing to use best practices.


FBI Unable to Decrypt TrueCrypt Volume with Strong Password

Brazilian police seized five hard drives when they raided the Rio apartment of banker Daniel Dantas as part of Operation Satyagraha in July 2008. But subsequent efforts to decrypt files held on the hardware using a variety of dictionary-based attacks failed even after the South Americans called in the assistance of the FBI.

The case is an illustration of how care in choosing secure (hard-to-guess) passwords and applying encryption techniques to avoid leaving file fragments that could aid code breakers are more important in maintaining security than the algorithm a code maker chooses. In other cases, law enforcement officials have defeated suspects’ use of encryption because of weak cryptographic tradecraft or poor passwords, rather than inherent flaws in encryption packages.


Content providers phishing for demographic data via logins

There has been a steady flow of academic studies into the insecurity of the username/password authentication system that suggest it’s doomed to failure: humans have a limited memory capacity for unique strings of random characters, which is precisely what most experts recommend as a secure password. A pair of academic researchers from Cambridge have analyzed the use of passwords by many prominent online sites, and found that many sites require passwords as a sort of security theater, requiring them in contexts that are superfluous and failing to do their part to secure the information on their end. The end result, they argue, is a tragedy of the commons, with the commons being the finite memory of the average user.


Hello world!

Hello everyone! This is my first blog post. This blog will contain any information about password management software and all security-related topics. Thank you for visiting!
