Tag Archive | Password

Saved passwords vulnerability still exists in some web browsers


Say you are on the Gmail login page and the web browser, as always, has auto-filled the username and passwords fields for you.

This is convenient because you can sign in to your account with a click, but because you have not typed these saved passwords for a while, you may not even remember the Gmail password anymore.

All web browsers, for security reasons, mask the password fields in login forms behind asterisk characters thus making it impossible for passersby to see your secret string.

There’s however an easy workaround that will let you convert those asterisks into the actual password and you don’t need any external utilities or bookmarklets for this. Here’s how:

Full Story at Labnol

The Advantages and Disadvantages of Single-Sign-On (SSO) Technology (mini-whitepaper)

Overview

Single-Sign-On (SSO) is a user-authentication process in which the user signs in once, under one screen name, and that single sign-in unlocks or logs the user in to multiple applications or websites. Usually the system also has conditional measures that determine what a given user may access, what permissions they hold, and so on, and provides services accordingly. The question this raises is: what are the advantages and disadvantages of single-sign-on?

Advantages

  • The healthcare industry could boom with single-sign-on. If a doctor needs to sign on to a database to access a patient’s files, he/she would also have to access x-rays and other data held in a different application. Having a single sign-on for all of that would be life-saving and well worth it, and would save hours of time besides.
  • Apps such as OneLogin provide easy access to tons of accounts across the board, particularly social media. Their site says they support “identity & access management for the cloud”.
  • It could work wonders for those with disabilities. A disability may limit how many words you can type at one time, or how fast you can type. With a single-sign-on system in place, one login means a lot of saved time.
  • It reduces the chance of forgetting your password. With one master password, it is a lifesaver not to have to remember a ton of passwords.
  • It reduces IT help desk costs by reducing the number of calls to the help desk about lost passwords.
  • Newer technologies are being implemented to detect an attempt to hack a certain system and lock the hacker out of the remaining systems. But more study is needed to prove how well this works.

Disadvantages

  • Vulnerability problems, such as with authentication, private keys, etc.
  • The lack of a stronger backup authentication factor, such as smart cards or one-time password tokens.
  • The SSO is a highly critical system that must be kept up at all times. If the SSO goes down, the user loses access to all sites.
  • It is critical to have a good password, one that is very hard to crack. With fewer accounts in play because of SSO, accounts become easier to find and hack. Once the SSO account is hacked, every other account under that authentication is hacked as well.
  • SSO is bad news for a multi-user computer, especially if the user stays logged in all the time. This is a bigger issue in plant operations, business floors, etc., where multiple people can access the computer (if the original user left their desk).
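To make the overview above concrete, and to show how two of the disadvantages (a shared computer left logged in, and a single compromised account reaching every service) are usually mitigated, here is an added toy SSO flow. It is example code written for this page, not any real SSO product: a constructed identity provider authenticates the user once and issues a signed, short-lived token, and two relying services each verify that same token and apply their own role rule. The shared secret, user table, services and role names are all constructed assumptions.

```python
import hashlib
import hmac
import json
import time

# Constructed toy: one identity provider (IdP), two relying services.
IDP_SECRET = b"demo-secret-change-me"   # assumption: secret shared by IdP and services
TOKEN_TTL = 300                          # seconds; a short lifetime limits a session
                                         # left open on a shared computer

# Constructed user table: password plus the roles the IdP asserts for the user.
USERS = {
    "drsmith": {"password": "correct horse", "roles": ["clinician"]},
    "jdoe":    {"password": "swordfish",     "roles": ["facilities"]},
}
# Per-service "conditional measures": which roles each service accepts.
SERVICE_ROLES = {
    "patient-records": {"clinician"},
    "xray-viewer":     {"clinician", "radiologist"},
}


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the serialized claims, hex encoded."""
    return hmac.new(IDP_SECRET, payload, hashlib.sha256).hexdigest()


def idp_login(username, password, now=None):
    """The single sign-in. Returns a signed token, or None on bad credentials."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    now = time.time() if now is None else now
    claims = {"sub": username, "roles": user["roles"], "iat": now, "exp": now + TOKEN_TTL}
    payload = json.dumps(claims, sort_keys=True).encode()
    return payload.hex() + "." + _sign(payload)


def verify_token(token, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        payload_hex, sig = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None  # tampered or forged
    claims = json.loads(payload)
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        return None  # expired: the user must sign in again
    return claims


def service_access(service, token, now=None):
    """Each relying service verifies the same token and applies its own role rule."""
    claims = verify_token(token, now)
    if claims is None:
        return "denied: invalid or expired token"
    if not SERVICE_ROLES[service] & set(claims["roles"]):
        return "denied: insufficient role"
    return f"granted to {claims['sub']}"


if __name__ == "__main__":
    tok = idp_login("drsmith", "correct horse")
    for svc in SERVICE_ROLES:
        print(svc, "->", service_access(svc, tok))
    print("after expiry ->", service_access("xray-viewer", tok, now=time.time() + TOKEN_TTL))
```

One sign-in yields access to both services, which is the convenience the advantages list describes; the expiry check is what bounds the damage when a logged-in machine is abandoned, and the per-service role check is why a token for a facilities user does not open patient records. Compromise of the IdP secret or of the single credential still unlocks everything, which is the disadvantage that the stronger backup factor (smart card, one-time token) is meant to cover.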

Examples of current implementations

  • Log-in with Facebook
  • Log-in with Twitter
  • Log-in with LinkedIn or Apply with LinkedIn
  • OneLogin
  • ANGEL Learning Systems

And many more.

Worth reading: Building and implementing a SSO solution

Conclusion

Overall, the usage of SSO systems is both good and bad. Based on your organization or personal life, it is your choice whether to use it or not. Given how potentially problematic it may be, you will have to be on your toes about a lot of it. But, I guess the time you save trying to figure out or remember your passwords, you can spend on standing guard over SSO systems.


r00tbeersec Returns with Philips Hack


Today it was discovered that r00tbeersec has made its return with a hack on Philips. As we reported yesterday, r00tbeersec is a new hacking group apparently wanting to make a grand entrance into the hacking world. Plaintext passwords were revealed in the hack against Philips. First AMD… now Philips. For those who don’t know, Philips is a Dutch-based technology extraordinaire.

Anyway, Philips is the victim of a few small SQL database leaks. Maybe a few skiddie SQL hacks. In the databases that were leaked, phone numbers, passwords and hashes, and even addresses were exposed. These databases were storing plaintext passwords, which is known to be quite a vulnerability. Those passwords should be kept in encrypted databases, not in plaintext.

Of course, poorly chosen passwords were found, just as the database itself was poorly protected (unencrypted). All in all, per speculation, the company was just waiting/asking to be attacked. And of course, r00tbeersec wanted to show off their 200,000 spilled email addresses.
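The plaintext storage the post describes is worth seeing next to the standard mitigation, which is not encryption of the table but a salted one-way hash of each password, so that a dumped table yields nothing an attacker can log in with directly. The following is an added example written for this page, not code from Philips or from any reporting on the leak; the user rows are constructed sample data, and the PBKDF2 work factor is an assumption (the figure OWASP recommends for PBKDF2-HMAC-SHA256 at the time of writing this example).

```python
import hashlib
import hmac
import os

# Assumption: work factor per OWASP Password Storage guidance for PBKDF2-HMAC-SHA256.
PBKDF2_ROUNDS = 600_000


# --- The weak pattern: the secret itself is the stored record ---------------
def store_plaintext(db, username, password):
    db[username] = password


def verify_plaintext(db, username, password):
    return db.get(username) == password


# --- The mitigation: per-user random salt, slow one-way hash ----------------
def store_hashed(db, username, password, salt=None):
    """Store salt + hash + rounds; `salt` is a parameter only so tests are repeatable."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    db[username] = {"salt": salt.hex(), "hash": digest.hex(), "rounds": PBKDF2_ROUNDS}


def verify_hashed(db, username, password):
    """Recompute with the stored salt and rounds; constant-time compare of the result."""
    rec = db.get(username)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(rec["salt"]), rec["rounds"]
    )
    return hmac.compare_digest(digest.hex(), rec["hash"])


def directly_usable_secrets(db):
    """What a dump of the table hands over with no further work: plaintext rows
    give the password itself; hashed rows give only salt and digest."""
    return {user: rec for user, rec in db.items() if isinstance(rec, str)}


if __name__ == "__main__":
    # Constructed sample users; same password stored both ways.
    plain, hashed = {}, {}
    store_plaintext(plain, "alice", "hunter2")
    store_hashed(hashed, "alice", "hunter2")
    store_hashed(hashed, "carol", "hunter2")  # same password, different salt
    print("plaintext table leaks:", directly_usable_secrets(plain))
    print("hashed table leaks:   ", directly_usable_secrets(hashed))
    print("alice != carol hash:  ", hashed["alice"]["hash"] != hashed["carol"]["hash"])
    print("login ok:", verify_hashed(hashed, "alice", "hunter2"),
          "wrong pw:", verify_hashed(hashed, "alice", "hunter3"))
```

The per-user salt is what stops the "same hash, same password" pattern the post's "passwords and hashes" remark hints at, and the high round count is what makes a poorly chosen password at least slow to crack after a leak rather than free to read.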

In case you’re wondering, password security is still a problem. Read more here.


Passwords are Dead? Read on…

Passwords as a defensive measure are complete rubbish. There’s no two ways about that. The fact that high-value services such as online banking, corporate email and data storage use simple passwords as the only real security mechanism is a sad commentary on the state of defensive technologies. But, as the continued parade of password leaks of late proves on a daily basis, users who believe these companies are protecting their passwords are sadly mistaken.

The companies that provide these online services, such as email, cloud storage, online banking and others, would really rather not store your passwords, truth be told. As we’ve seen, it’s just one more piece of data that they need to protect and can potentially lose. The business models at banks, retailers and social networks do not include acting as secure storage facilities for user passwords. If there were some way for these services to exist without having to deal with user passwords, they would have found it.

But no one has yet, and there doesn’t seem to be a good solution to the problem on the horizon. Passwords were a terrible idea at the beginning, they’re still terrible now and they’ll continue to be terrible in the future.

Read more on ThreatPost


Change your Password on All Social Networks!

From the LinkedIn breach to the eHarmony and Last.FM breaches – other social networks may be targeted. Sadly, users fall into this trap of having their password stolen every day. And believe me, security experts push password security tips… but users ignore them ALL the time!

Facebook has published a banner at the top of the news feed telling users to check out security tips on the following page: facebook.com/about/security

This is also just days after many companies, including Facebook, Twitter, and Google plus others joined in The Ads Integrity Alliance. This was launched last Thursday and has Interactive Advertising Bureau (IAB) in New York also as a charter member.

OnGuardOnline.gov provides awesome tips. Included is one just like this, which helps understand social networking safety for children: onguardonline.gov/articles/0012-kids-and-socializing-online
