Skip to main content

Password

See All Stories

1Password Mac app updated to support one-time passwords, in line with iOS app

Site default logo image

1password

A couple of months after the 1Password iOS app was updated to support one-time passwords, the Mac app has been given the same feature, allowing the popular password manager to support two-factor authentication.

Version 5.3 of the pricey but powerful app also gains a number of other improvements, including improved credit card filling on a number of sites, among them Hilton, Cineplex, Drafthouse, Amazon, and PayPal. More custom fields have been added, and you can add your own fields in secure notes also … 
Expand
Expanding
Close

Site default logo image

Here are the worst passwords of 2014 (and ‘password’ still isn’t the worst)

hacked-passwords

SplashData, the company behind corporate password manager SplashID, has just compiled the latest top-25 ‘most hacked passwords’ rankings. As last year, the most-hacked password is 123456, with ‘password’ only managing second place.

But perhaps naive Internet users have been paying attention. It seems some of those using 123456 have come up with a cunning plan to defeat the hackers: dropping the final digit. 12345 has raced 17 places up the charts into third place. Old favorite ‘letmein’ has climbed one place to #13.

New additions this year include baseball, football, batman and access (cunning). You can see the full top-25 below. If you’re not already using a password manager to enable strong, unique passwords for each website, check-out our how-to guide.

1. 123456
2. password
3. 12345
4. 12345678
5. qwerty
6. 123456789
7. 1234
8. baseball
9. dragon
10. football
11. 1234567
12. monkey
13. letmein
14. abc123
15. 111111
16. mustang
17. access
18. shadow
19. master
20. michael
21. superman
22. 696969
23. 123123
24. batman
25. trustno1

New password-hacking tool for iCloud claims to evade Apple’s brute-force protections

Site default logo image

Screen Shot 2015-01-02 at 14.13.12

 

Update: We are now receiving reports that the vulnerability has been patched. People trying to use the tool are apparently now being correctly locked out from repeated password attempts.

A new tool submitted to GitHub claims to be able to perform password dictionary attacks on any iCloud account, seemingly able to evade detection from Apple’s rate-limiting security that is supposed to prevent such dictionary attacks from happening. In September, Apple reported it had closed one such hole that allowed brute-force attacks to occur.

The sourcecode for the tool has been released onto GitHub. Upon inspection, the tool is really rather crude in its complexity. It simply tries every possible word in its 500-long word-list as the password for a given iCloud account email. This means whilst it will succeed “100%” at trying 500 times over, the tool is by no means guaranteed to succeed at cracking your password.


Expand
Expanding
Close

Site default logo image

LastPass matches Dashlane with automated password changing – but it doesn’t yet fully compete

lastpass

After password manager Dashlane grabbed the limelight yesterday with an automated password changer for 50 top US websites, LastPass has hit back with its own version of the same feature. However, while LastPass supports more sites, it falls short of the Dashlane offering by forcing you to change one password at a time, rather than doing all supported sites en-mass, and not yet supporting sites that employ two-factor authentication.

We’re excited to announce that the Auto-Password Change feature we released to our Pre-Build Team last week is now available for all users in beta. LastPass can now change passwords for you, automatically. We’re releasing this feature for free to all our users, on Chrome, Safari, and Firefox (starting with version 3.1.70) […]

Auto-Password Change already supports 75 of the most popular websites, including Facebook, Twitter, Amazon, Pinterest, Home Depot, and Dropbox.

LastPass notes that it does this while maintaining its secure approach of ensuring that only encrypted versions of the password are ever stored on the LastPass server, with the apps doing the decrypting on your device.

You can download the beta from the LastPass download site. If you’re not yet using a password manager, check out out our how-to guide.

Dashlane password manager can now automatically change your password on 50 top US websites

Site default logo image

dashlane

Password managers are a great way to have strong, unique passwords for each website you access – but vital as it is these days, there’s no denying that it’s a chore to change them. Dashlane, a Mac and Windows password manager app, aims to take away the pain by doing it for you automatically across 50 top US websites like Apple, Amazon, Dropbox, Facebook, PayPal, WordPress and Twitter.

Importantly, the app can even cope with sites that employ two-factor authentication to login or change a password, prompting you for the code when required … 
Expand
Expanding
Close

App developer warns not to enter personal info using in-app browsers due to security issue

Site default logo image

[youtube=https://www.youtube.com/watch?v=2Bl-pJBHYuc]

App developer Craig Hockenberry has published an article today titled “in-app browsers considered harmful” warning both devs and users of security issues related to apps that take advantage of the feature. “Would it surprise you to know that every one of those apps could eavesdrop on your typing? Even when it’s in a secure login screen with a password field?”
Expand
Expanding
Close

One third of Americans have improved their online security since the iCloud hacks

Site default logo image

image002

A YouGov survey of more than 1,000 American consumers commissioned by security company Tresorit found that just over a third of them have taken steps to beef-up their online security in response to the iCloud hacks.

The most common response was to change passwords for stronger ones, with 13 percent creating different passwords for each online service and 6 percent enabling two-step verification … 
Expand
Expanding
Close

Vulnerability in Find My Phone service and weak passwords may explain alleged celebrity photo leaks

Site default logo image

celebrity-hack

The Next Web is reporting that a vulnerability in the Find My Phone service may have allowed attackers to brute-force passwords in order to access the iCloud accounts of celebrities.

The vulnerability allegedly discovered in the Find my iPhone service appears to have allowed attackers to use this method to guess passwords repeatedly without any sort of lockout or alert to the target. Once the password has been eventually matched, the attacker can then use it to access other iCloud functions freely.

A tool to exploit the weakness was uploaded to Github, where it remained for two days before being shared on Hacker News … 
Expand
Expanding
Close

Apple ID two-step verification feature rolls out to dozens of new countries

Site default logo image

Apple this week has greatly expanded the availability of its Apple ID two-step verification, bringing the feature from 11 countries to 59 countries. Two-step verification for Apple IDs uses either iOS’s Find my iPhone application or SMS to provide login verification in addition to a password. The feature first rolled out for both Apple ID and iCloud IDs in early 2013 and it expanded to a few more countries later that year. Here are all the countries that support two-step verification (both the original countries and the new ones):


Expand
Expanding
Close

iOS 8 lets apps access Safari AutoFill credentials for quick & easy login

Site default logo image

In iOS 8, Apple is making the process of logging into apps a much smoother experience by allowing native iOS apps to access usernames and passwords stored in Safari. The new feature, which works by letting iOS apps tap into Safari’s AutoFill & Passwords feature, will allow users to login to apps with a simple tap rather than having to type login info. Imagine your username and password are stored in Safari’s AutoFill for Facebook, for example. When launching the native Facebook iOS app, the feature will let users select from passwords stored in Safari to quickly login (as pictured above with Apple’s demo “Shiny” app).
Expand
Expanding
Close

Site default logo image

1Password iOS app gets automatic backups accessible in iTunes, item printing, more

1password-app-icon-01Popular password manager app 1Password received a nice update today for iPhone and iPad that introduces a few notable new features and the return of one previously removed. Version 4.5.2 of the app now includes automatic backups of data that users can access via iTunes. It also sees the return of item printing, bug fixes and more.

The app also makes some overall performance improvements. Developer AgileBits notes “Sync is now much sync-ier” and “That pesky flickering while viewing an item’s details is no more.”

Version 4.5.2 of the 1Password app for iPhone and iPad is available on the App Store now.

What’s New in 4.5.2

◆ 1Password now keeps automatic backups of your data that are accessible via iTunes
◆ Item printing is back, baby!
◆ Sync is now much sync-ier
◆ That pesky flickering while viewing an item’s details is no more
◆ The report of bug deaths is *not* an exaggeration

Site default logo image

1Password for Mac updated with improvements to 1Password Mini, better URL matching, and more

Screen Shot 2014-04-21 at 8.32.32 PM

1Password 4 for Mac was updated today to version 4.3 with a bevy of enhancements and new features. Unlike today’s update to the iOS version of the app, the OS X-based update is not an overhaul of the application, but instead focuses on refining the software’s feature set.

This update features big updates to the 1Password Mini plugin, which now allows you to edit your saved items and generated passwords, recognizes a number of new keyboard shortcuts, and supports “fuzzy search” for saved items; the auto-save system, which now prompts you to update your existing password if you create a new password for a saved website; and a lot more.


Expand
Expanding
Close

Apple’s two-step verification for Apple IDs arrives in Canada, France, Germany, Japan, Italy, & Spain

Site default logo image

Apple-Two-Step-Verifiication

Back in May of last year, a long list of readers in countries around the world reported having access to Apple’s two-step verification security feature for their Apple ID. Shortly after the news broke, the feature disappeared in many countries signaling it had been launched prematurely. The only officially supported countries listed on Apple’s website included the “U.S., UK, Australia, Ireland, and New Zealand.” However, today the feature has appeared in several new countries including Canada, France, Germany, Japan, Italy, & Spain. Apple has also updated its support pages for two-step verification here and here to list the new countries. 


Expand
Expanding
Close

Site default logo image

The worst password of all is no longer ‘password’ according to hacked accounts chart

passwords

You might have thought that it would be hard to come up with a worse password than ‘password,’ but according to a chart compiled by SplashData from hacked accounts, it has been edged out by ‘123456’.

The far more secure ‘12345678’ (33 percent more secure!) retains its position as number three, while a new entry in sixth place goes as far as ‘123456789’. Sadly, ‘letmein’, a password I always felt deserving of classic status, dropped seven places to achieve a mediocre ranking of 14.

Apple introduced iCloud Keychain as part of Mavericks and iOS 7.0.3, and if you’re not already using it, you can read our how-to guide. If you’re using older versions of OS X or iOS, we also ran a how-to guide on using a password manager to have unique, secure passwords for each website.

Via re/code

Starbucks quickly adds additional ‘safeguards’ to its app in response to public furore over application security

Screen Shot 2014-01-17 at 10.56.13

Starbucks has quickly pushed a bug fix update for its app to the store to help address the security flaws found in its iPhone application earlier this week. Researchers originally found that the app stored passwords in plain text. Earlier, Starbucks’ CIO promised in an open letter that an update would follow in response to these findings.


Expand
Expanding
Close

PayPal opens ‘digital gift’ store, debuts with iTunes gift cards

Screen Shot 2013-12-03 at 12.13.32

PayPal has announced a new section dedicated to online gift card purchases. The “Digital Gifts” store has opened with what PayPal describes as a “marquee merchant”, namely iTunes. Although buying iTunes gift cards with PayPal has been possible for a long time thanks to eBay, this is the first time PayPal is selling the cards directly through themselves.

Naturally, you can pay for the cards with your PayPal account credit. The company poses the store as a really simple way to give a meaningful gift to someone for the holidays.

Buying a digital gift from PayPal is as easy as one-two-three: select a gift and denomination, enter your PayPal ID and Password, send the gift to a loved one or redeem it on the spot. Simple, convenient and secure. To help open the digital doors we have just started offering iTunes codes.

The store is currently offering iTunes cards in $15, $25, $50 and $100 variants. Gifts can be bought for yourself or gifted to someone else via email. Whilst PayPal is not offering the best deal by any measure (offering gift cards at face value), the service is quick and convenient.

Amusingly, despite being a digital good, the store is reporting that $15 and $25 cards are already “sold out”.

How-to: Deal with the infamous Apple ID

Site default logo image

Screen Shot 2013-07-23 at 5.59.04 AM

This is the third how-to in our new weekly series: 

One of the most common issues I hear about is forgotten Apple IDs. But this is not as simple as it sounds. Figuring out Apple ID details can involve finding out what the Apple ID username is, which Apple ID they should be using (if they have multiple), resetting security questions and answers, and resetting passwords.

Most people, if they have an iPhone, iPod Touch or iPad, are using their Apple ID on their mobile device. From there, if you go into the Settings App, you will be able to see your Apple ID.

Always double-check to see if you have two different Apple IDs: one for iCloud and one for iTunes and App Stores.  Under Settings, press iCloud. Make note of the email address listed in the account. To go back to the main Settings page, press the Settings arrow in the upper left hand corner. Then scroll down until you see iTunes and App Stores and press it. You now have three different possible scenarios:
Expand
Expanding
Close

Site default logo image

Apple acknowledges iPhone Passcode security vulnerability and plans fix in future software update

We told you about an iOS 6.1 lock screen bug earlier today that—although not extremely easy to accomplish—allows users to bypass the device’s passcode and view at least the phone application. Apple has confirmed now that it is working on a fix, and the company noted in a comment to AllThingsD that it “takes user security very seriously.”

Reached for comment, Apple said it is hard at work on a fix. “Apple takes user security very seriously” spokeswoman Trudy Muller told AllThingsD. “We are aware of this issue, and will deliver a fix in a future software update.”

Apple confirmed in a support document this morning that it is working to deliver a fix to the “continuous loop” Exchange server bug on iOS 6.1 devices, as well.

Site default logo image

New Version 4 of 1Password Universal starts hitting International App Stores

[slideshow]

The popular 1Password looks to have received a total revamp in the new version 4. The app has hit the New Zealand and Australian App Stores and is working its way through the Eastern Hemisphere. We may or may not have a thorough review of the app coming when it hits ‘Murica.

All of the particulars below:


Expand
Expanding
Close

Site default logo image

Bug in Mac OS X 10.7.3 exposes passwords in plain text

Security researcher David Emery (via ZDNET) claimed to have discovered a bug in Mac OS X 10.7.3 that stores login passwords in plain text. In a recent newsletter, he claimed someone—we are guessing an Apple programmer— mistakenly “turned on a debug switch (DEBUGLOG)” that stores the passwords in a system-wide debug log file. Emery explained folders encrypted with Apple’s “legacy” Filevault prior to upgrading to Lion are at risk:

…anyone who can read files accessible to group admin can discover the login passwords of any users of legacy (pre LION) Filevault home directories who have logged in since the upgrade to 10.7.3 in early February 2012… This is worse than it seems, since the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file. This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for.

It would also allow them to access any content those usernames and passwords are meant to protect. Fortunately, the file with stored passwords is only kept for “several weeks” by default. However, it extends to Time Machine backups, because the log file is also backed-up in plain text. Emery said the best method to protect yourself until Apple fixes the issue is to simply use FileVault 2:
Expand
Expanding
Close

Passware: Filevault can be brute force cracked during the span of a lunchbreak

Site default logo image

FileVault has been included in Macs by Apple since the release of Panther many years ago. In Apple’s most recent release, OS X Lion, the company included FileVault that brought new ways of encryption. FileVault lets you encrypt your entire drive with a master password to protect key-chain passwords, files, and more. FileVault 2 uses a separate partition to store the FileVault login information.

Cnet pointed us to a new report from password recovery company PassWare, who claimed it can decrypt Apple’s FileVault 2 in under 40 minutes. Obviously, this is a big concern because FileVault contains so much of users’ information.

PassWare decrypts FileVault by going in through the system’s firewire connection and using live-memory analysis to extract the encryption key from the FileVault partition (so the machine must assumedly be running?). From there, a user can uncover keychain files and login passwords that can be used to unlock the whole HDD/SSD.

PassWare conveniently makes PassWare 11.3 available to do this, but you will have to throw down a lofty $995 to get the software. PassWare makes this software primarily available for law enforcement.


Expand
Expanding
Close

Gamers beware: Steam’s database hacked, including encrypted credit card information and passwords

Site default logo image

Popular game platform Steam, owned by Valve, has been hacked (via PC Gamer). Hackers were able to get into a Steam database, which included encrypted credit card information and passwords of many of its users. Steam isn’t sure at this point if the encryption of the credit card numbers or passwords have been obtained, but warns users to be on the look out for malicious activity. Steam’s Gabe Newell said in a statement to users:

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked.”

Steam is currently keeping their forums closed down while they investigate the situation. The Steam platform hasn’t been knocked down, however. Gabe’s full statement after the break:


Expand
Expanding
Close

Has Apple turned off MobileMe users with short passwords?

Word is coming in from Europe that Apple is forcing users with under eight characters and without both a number and a letter to reset their passwords today.  The mandate is an invisible one and some users who don’t meet the criteria are just getting empty login failures.  The fix is easy.  Just head over to the MobileMe and reset your password to one with the appropriate strength.

IMAP Mail and other native applications will not have been affected.

In a possibly related note (and/or some unfortunate timing), Apple Discussion Forums are down for some. If you look at the iPhone forums for example, you’ll see no posts after about 1 AM this morning. (image below)
Expand
Expanding
Close