1Password Mac app updated to support one-time passwords, in line with iOS app


A couple of months after the 1Password iOS app was updated to support one-time passwords, the Mac app has been given the same feature, allowing the popular password manager to support two-factor authentication.

Version 5.3 of the pricey but powerful app also gains a number of other improvements, including improved credit card filling on a number of sites, among them Hilton, Cineplex, Drafthouse, Amazon, and PayPal. More custom fields have been added, and you can add your own fields in secure notes also …

New password-hacking tool for iCloud claims to evade Apple’s brute-force protections


Update: We are now receiving reports that the vulnerability has been patched. People trying to use the tool are apparently now being correctly locked out from repeated password attempts.

A new tool submitted to GitHub claims to be able to perform password dictionary attacks on any iCloud account, seemingly able to evade detection from Apple’s rate-limiting security that is supposed to prevent such dictionary attacks from happening. In September, Apple reported it had closed one such hole that allowed brute-force attacks to occur.

The source code for the tool has been released onto GitHub. Upon inspection, the tool is really rather crude. It simply tries every word in its 500-long word list as the password for a given iCloud account email. This means that whilst it will succeed “100%” at trying 500 times over, the tool is by no means guaranteed to succeed at cracking your password.

Dashlane password manager can now automatically change your password on 50 top US websites


Password managers are a great way to have strong, unique passwords for each website you access – but vital as it is these days, there’s no denying that it’s a chore to change them. Dashlane, a Mac and Windows password manager app, aims to take away the pain by doing it for you automatically across 50 top US websites like Apple, Amazon, Dropbox, Facebook, PayPal, WordPress and Twitter.

Importantly, the app can even cope with sites that employ two-factor authentication to log in or change a password, prompting you for the code when required …

App developer warns not to enter personal info using in-app browsers due to security issue

App developer Craig Hockenberry has published an article today titled “in-app browsers considered harmful” warning both devs and users of security issues related to apps that take advantage of the feature. “Would it surprise you to know that every one of those apps could eavesdrop on your typing? Even when it’s in a secure login screen with a password field?”

One third of Americans have improved their online security since the iCloud hacks

A YouGov survey of more than 1,000 American consumers commissioned by security company Tresorit found that just over a third of them have taken steps to beef up their online security in response to the iCloud hacks.

The most common response was to change passwords for stronger ones, with 13 percent creating different passwords for each online service and 6 percent enabling two-step verification …

Vulnerability in Find My Phone service and weak passwords may explain alleged celebrity photo leaks


The Next Web is reporting that a vulnerability in the Find My Phone service may have allowed attackers to brute-force passwords in order to access the iCloud accounts of celebrities.

The vulnerability allegedly discovered in the Find My iPhone service appears to have allowed attackers to guess passwords repeatedly without any sort of lockout or alert to the target. Once the password has eventually been matched, the attacker can then use it to access other iCloud functions freely.

A tool to exploit the weakness was uploaded to GitHub, where it remained for two days before being shared on Hacker News …

Apple ID two-step verification feature rolls out to dozens of new countries

Apple this week has greatly expanded the availability of its Apple ID two-step verification, bringing the feature from 11 countries to 59 countries. Two-step verification for Apple IDs uses either iOS’s Find My iPhone application or SMS to provide login verification in addition to a password. The feature first rolled out for both Apple ID and iCloud IDs in early 2013, and it expanded to a few more countries later that year. Here are all the countries that support two-step verification (both the original countries and the new ones):

iOS 8 lets apps access Safari AutoFill credentials for quick & easy login

In iOS 8, Apple is making the process of logging into apps a much smoother experience by allowing native iOS apps to access usernames and passwords stored in Safari. The new feature, which works by letting iOS apps tap into Safari’s AutoFill & Passwords feature, will allow users to log in to apps with a simple tap rather than having to type login info. Imagine your username and password are stored in Safari’s AutoFill for Facebook, for example. When launching the native Facebook iOS app, the feature will let users select from passwords stored in Safari to quickly log in (as pictured above with Apple’s demo “Shiny” app).

Apple’s two-step verification for Apple IDs arrives in Canada, France, Germany, Japan, Italy, & Spain

Back in May of last year, a long list of readers in countries around the world reported having access to Apple’s two-step verification security feature for their Apple ID. Shortly after the news broke, the feature disappeared in many countries, signaling it had been launched prematurely. The only officially supported countries listed on Apple’s website included the “U.S., UK, Australia, Ireland, and New Zealand.” However, today the feature has appeared in several new countries including Canada, France, Germany, Japan, Italy, & Spain. Apple has also updated its support pages for two-step verification here and here to list the new countries.

How-to: Deal with the infamous Apple ID


This is the third how-to in our new weekly series: 

One of the most common issues I hear about is forgotten Apple IDs. But this is not as simple as it sounds. Figuring out Apple ID details can involve finding out what the Apple ID username is, which Apple ID they should be using (if they have multiple), resetting security questions and answers, and resetting passwords.

Most people, if they have an iPhone, iPod Touch or iPad, are using their Apple ID on their mobile device. From there, if you go into the Settings App, you will be able to see your Apple ID.

Always double-check to see if you have two different Apple IDs: one for iCloud and one for iTunes and App Stores. Under Settings, press iCloud. Make note of the email address listed in the account. To go back to the main Settings page, press the Settings arrow in the upper left hand corner. Then scroll down until you see iTunes and App Stores and press it. You now have three different possible scenarios:

Passware: FileVault can be brute force cracked during the span of a lunchbreak

FileVault has been included in Macs by Apple since the release of Panther many years ago. In Apple’s most recent release, OS X Lion, the company included FileVault that brought new ways of encryption. FileVault lets you encrypt your entire drive with a master password to protect key-chain passwords, files, and more. FileVault 2 uses a separate partition to store the FileVault login information.

CNET pointed us to a new report from password recovery company Passware, which claimed it can decrypt Apple’s FileVault 2 in under 40 minutes. Obviously, this is a big concern because FileVault contains so much of users’ information.

Passware decrypts FileVault by going in through the system’s FireWire connection and using live-memory analysis to extract the encryption key from the FileVault partition (so the machine must presumably be running?). From there, a user can uncover keychain files and login passwords that can be used to unlock the whole HDD/SSD.

Passware conveniently makes Passware 11.3 available to do this, but you will have to throw down a lofty $995 to get the software. Passware makes this software primarily available for law enforcement.