Tag Archives: passwords

Twitch hacked, resets all passwords

On March 23rd, online video-game streaming service Twitch issued a notice that user accounts may have been hacked.

As a result of the hack, Twitch reset all account passwords and stream keys.

In an email to users, Twitch explained what had happened and what information was potentially accessed by attackers. This included:

  • Usernames
  • Email addresses
  • Passwords
  • First and last name
  • Phone number
  • Address
  • Date of birth

This isn’t the first time that hackers have targeted Twitch and its users. Some of the most well-known streamers were attacked as far back as 2013.

Choosing a new strong password

For the millions of Twitch users, the challenge remains to pick a secure and strong new password for their Twitch account. It’s important to create a new password for any account that shares the same username/password combination as their Twitch account.

Making a Strong Password

Storing passwords

a key and a door, with a lock

Passwords may look to you like doors and keys:
they just have to match…

a list of names

…but a system (website, network…) has to store the passwords of many users!

a closed treasure chest

If a system stores all the users’ passwords
in their original form, like a secret in a chest,

a password list in front of an opened chest

…then once the chest is opened,
all passwords are instantly known!

The weakness:

a security risk warning

So you can probably guess that there is a huge potential security risk,

an email showing an actual password

and when you receive an e-mail mentioning your actual password…
…then it means that the system actually knows your original password!

So, in a single attack, someone could just open the chest, and instantly get the password of every user.

This means only one thing for the security of such a system:

fatality

The solution:

So, you want to check if an entered password is correct, yet you need to store many passwords without leaking them.

There’s one answer:

Maths FTW!!

Instead of storing passwords, you store a key that is derived from the password: this makes it possible to authenticate the user without actually storing the password:

  1. take the entered password
  2. calculate the key from it
  3. compare it with the key that was generated from the original password

For example, a bcrypt-derived key of “password” is “$2a$10$3BY0wQ3rgzBf6VlG0YFLoekcGrrHKYdSUdSSrN37TqClNg7Oouzey”.

It’s much longer, and in practice, it’s very difficult to determine the original password that it was derived from.

Why not just use any complex hash function to derive the keys?

Because dedicated key derivation functions are specifically designed to prevent an attacker from generating in advance a list of keys for all common passwords, or worse, a well-organised lookup table.
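As an added illustration of the three steps above and of why an ordinary hash is not enough (this is example code written for this page, not Avira’s or the post’s own code): it contrasts an unsalted SHA-256 digest, which an attacker can reverse with a table built in advance, with a stored record holding a per-user random salt and a key from a dedicated key derivation function. Python’s standard library has no bcrypt, so PBKDF2-HMAC-SHA256 (hashlib.pbkdf2_hmac) stands in for it; the iteration count and the short list of common passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for the key derivation: a constructed illustrative value,
# not a recommendation from the post.
ITERATIONS = 100_000

# Constructed list of "standard" passwords an attacker might precompute.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "football"]


def naive_digest(password: str) -> str:
    """Plain unsalted hash: the same password always gives the same digest,
    so a table built in advance reverses it instantly."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Dedicated key derivation: per-user random salt plus a work factor.
    PBKDF2-HMAC-SHA256 stands in here for the bcrypt used in the post."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> dict:
    """What the system stores instead of the password: salt, cost and key.
    The password itself is never written anywhere."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "iterations": ITERATIONS,
        "key": derive_key(password, salt, ITERATIONS),
    }


def verify(password: str, record: dict) -> bool:
    """Steps 1-3 from the post: take the entered password, compute its key,
    compare with the stored key. compare_digest keeps the comparison
    constant-time so the match position does not leak through timing."""
    candidate = derive_key(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["key"])


def precomputed_table() -> dict:
    """The attacker's 'well-organised table': digests of common passwords,
    computed once, usable against every user of a system that stores
    unsalted hashes."""
    return {naive_digest(p): p for p in COMMON_PASSWORDS}


def recover_from_naive(digest: str) -> Optional[str]:
    """Instant lookup works against an unsalted digest."""
    return precomputed_table().get(digest)


def recover_from_record(record: dict) -> Optional[str]:
    """The same table is useless against a derived key: the random salt makes
    each user's key unique, so nothing computed in advance applies to all users."""
    return precomputed_table().get(record["key"].hex())


if __name__ == "__main__":
    alice = make_record("password")
    bob = make_record("password")
    print("alice login ok:", verify("password", alice))
    print("alice wrong password:", verify("Password", alice))
    print("same password, same naive digest:",
          naive_digest("password") == naive_digest("password"))
    print("same password, different derived keys:", alice["key"] != bob["key"])
    print("table reverses naive digest:", recover_from_naive(naive_digest("password")))
    print("table reverses derived key:", recover_from_record(alice))
```

Note that the record keeps the salt and the iteration count next to the key: both are needed to recompute the key at login, and neither is secret. What is gained is that an attacker who opens the chest gets only keys that must be attacked one user at a time, at the full cost of the derivation for each guess.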

Conclusion

not passwords, but keys

To prevent the risk of an instant and complete leak, one should never store passwords, but only derived keys, generated via dedicated algorithms.

key = math(password)

These keys are mathematically derived from the entered passwords.

no password list

That way, you have a real strong authentication system without a vulnerable list of passwords.

For a multi-user system, storing passwords is a big risk!

In a future blog post, we will show how that influences Windows security…

The post Storing passwords appeared first on Avira Blog.

Researcher Tries to Get Ahead of CFAA Changes, Dumps 10M Sanitized Passwords

A dump of 10 million sanitized usernames and passwords was released online, sparking debate over its legality in light of proposed changes to the Computer Fraud and Abuse Act.

This is how a browser saves your password (and it is not secure)

It is much more convenient, of course. You are at work, in front of your computer, and the browser offers to memorize the passwords for the services that you use. Out of laziness, you give it the OK. Now you will not have to enter the passwords for your email, social network or favourite online store every day.

It is not only convenient for you, but in principle it is much more secure. If malware capable of capturing keystrokes (a keylogger) ever lands on your computer, it will not be able to disclose your passwords.

However, asking the browser you use at work to save your passwords could be a disastrous idea.

One of the weak points of storing passwords in your browser is that, obviously, it saves them somewhere. In addition, remember that you are at work and surrounded by colleagues. One of them could be waiting for you to get up from your workstation without locking your computer in order to carry out the famous David Hasselhoff attack on you (taking advantage of your absence, someone changes your desktop wallpaper to the ‘Knight Rider’ star with very little on). If they can do this, bear in mind that they could do worse things.

Without going any further, anyone could take advantage of your computer being unlocked to access the password file saved by your browser. It is not difficult, in Chrome you just need to go to chrome://settings/passwords to see the passwords that the browser has saved. A couple of clicks and anyone can find out how to access your mail, social networks, and every site for which you have decided to save the password through the browser.

However, leaving your computer locked does not guarantee that your passwords cannot be stolen. There are other methods.

There is probably a computer engineer working at your company. Do you get on well with him? If you had to think about the answer and you usually save your passwords in the browser, think twice about it. It is not that he is necessarily going to snoop on you, but if he wants to give you a fright, he can.

Passwords stored by browsers are, in one way or another, on your computer. Even though they are encrypted and in a hidden place, with enough knowledge it is not so difficult to access them. The right malware could bring them to the surface.

Of course, remember too that not just any password will do. Worrying about where your passwords are stored is not worth much if you use the same one for everything and it is ‘12345’. In this case, there is no need for a cybercriminal to attack your computer or a lapse of yours to allow a colleague to use your computer.

The post This is how a browser saves your password (and it is not secure) appeared first on MediaCenter Panda Security.

25 Passwords You Should Avoid

As we approach February, and look forward to a year of stronger cybersecurity, there is still time to give your passwords a refresh and resolve to do so regularly.

Password protection is more important than ever, especially with so many devices, which provide ready access to so much of our personal information.

AVG’s own Tony Anscombe noted in his Safer Internet Day 2015 post recently, “Protecting your online world starts with devices and setting a passcode…”

It was interesting to find that in the annual list of the Top 25 most common passwords on the Internet, as researched by the password management provider SplashData, the easy targets like “123456” and “password” continue to hold the top two spots!

Other favorites in the research, which was conducted by analyzing passwords that had been leaked in 2014: QWERTY and football. Their popularity makes them notoriously some of the “worst” passwords to use and the “easiest” for hackers to figure out.

Creating a strong password

Picking a strong password doesn’t need to be difficult. We recently published an infographic on how to create a strong password that is also easy to remember.

Lizard Squad hackers use unsecured home routers in DDoS attacks

This Lizard is out to get your home router.

Your home router could be part of a network used to knock sites like Sony PlayStation network offline.

During Christmas we reported that a hacker group calling themselves the Lizard Squad took responsibility for ruining the day for Sony PlayStation and Microsoft Xbox users by taking the gaming networks offline. This and previous attacks, which included a bomb threat directed at an American Airlines flight with Sony Entertainment president John Smedley on board, have been revealed to be a marketing campaign to advertise a new product available for rent to anyone who wants to launch a Distributed Denial-of-Service (DDoS) attack against the target of their choice.

I’m not a hacker. Why should I care?

You may not be a hacker, but the power for this service could be coming from your home office! Security blogger, Brian Krebs, whose own site was attacked, found out that the network of infected devices that powers the Product-That-Must-Not-Be-Named (that’s because Lizard Squad gleefully thanked Brian for the publicity on their Twitter account) is made up mostly of compromised home routers. On that same Twitter account, Lizard Squad said that they are using 250-500k infected routers.

These are the devices in everyone’s home that we warned you about in our blog, Your home network is at risk of cybersecurity attacks. Most people neglect the security of these devices by using the default user name and password that comes from the manufacturer out-of-the-box.

“Our research determined that nearly 80% of all home routers in use today are thinly protected by common, easily hacked passwords, making routers an easy entry point to the home network for hackers,” said Avast Software’s CEO, Vincent Steckler.

Lizard Squad has just proven that point.

“Today’s router security situation is very reminiscent of PCs in the 1990s, with lax attitudes towards security combined with new vulnerabilities being discovered every day creating an easily exploitable environment,” Steckler said. “The main difference is people have much more personal information stored on their devices today than they did back then. Consumers need strong yet simple-to-use tools that can prevent attacks before they happen.”

How to protect your home router

Start by scanning your home network with Avast’s Home Network Security Solution.

Open the Avast user interface, click Scan from the menu on the left, then choose Scan for network threats. Avast will take a look at your router and report back any issues. In most cases, if there is an issue to be addressed, then it will direct you to your router manufacturer’s website.

The Home Network Security Solution is available in free and paid versions of Avast 2015. Get it at www.avast.com.

For more steps you can take to protect your home router, please see our blog post, 12 ways to boost your router’s security.

Tools to change and remember your passwords, this will help you!

Every time you sign up to a Web service, social networking site or online platform you face the same problem: What password should I use? Your passwords should be easy to remember but strong at the same time. And not only that, sometimes you are even requested to mix upper and lower case letters, numbers, or even non-alphanumeric characters (punctuation) to make your password harder to guess by an attacker.

In fact, all these requests aim at forcing users to use a character combination strong enough to prevent it from being cracked by a hacker. However, users frequently prefer the convenience of using the same password for everything (with some variations depending on whether they need numbers or letters), which poses an important security risk.

First, avoid using passwords that are easy to figure out. It is true that memorizing more complex passwords can be more difficult, but it obviously can be done.

Better still, you don’t even need to do that! There are many applications out there that can give you a hand with managing your passwords.

That’s the case of Dashlane, a free app available for PC, Android and iOS that allows users to check the security of their passwords and store them in one place.

This way it is the app that remembers all passwords for you, while you only have to remember the master password that enables you to use Dashlane and its password repository.

Another excellent option, apart from memorizing all of your passwords or managing them through apps such as Dashlane, is to opt for the greater security level provided by suites such as Panda Global Protection 2015 or Panda Gold Protection 2015, which include a password manager that enables you to access all the Web services that you use by just remembering one master password. Additionally, both security suites increase computer protection with features such as file encryption and PC tuneup.

In any event, there are other aspects that must be taken into consideration when creating a password. Most of them are just common sense. Never write down passwords on a piece of paper; don’t use the same password over and over again; and don’t use passwords that are easy to guess, like your date of birth or your kid’s or pet’s names. Also, it is essential that you change your passwords regularly.

Why so much fuss about passwords? Well, it wouldn’t be the first time that the leak of data belonging to millions of user accounts compromises the security of popular services such as Gmail or Dropbox, for example. So, if you don’t want to be the victim of identity and data theft, we strongly recommend that you take the appropriate security measures and manage all your passwords as effectively as possible. As the saying goes, better safe than sorry!

The post Tools to change and remember your passwords, this will help you! appeared first on MediaCenter Panda Security.

The number of leaked email addresses and passwords has exploded in 2014

The statistics speak for themselves: The emails you send and receive every day at work are a time-bomb.

This is not just because they can be an entry point for cyber-crime, such as extortion or malware that can infect your computer, but also because through email, cyber-criminals can steal your account.

In fact, the email account you use in your company is now in more danger than ever before, simply because the number of compromised email accounts has reached astronomical figures.

Just a few months ago, five million Gmail account details were leaked on a Russian cyber-security forum, raising doubts about the security of the Google service, and creating jitters among the service’s millions of users.

However, the scandal of leaked Gmail accounts was barely the tip of the iceberg. Shortly after, Home Depot, the home improvement retail chain, announced a security breach in its payment platform that had compromised the details of no less than 53 million email addresses. It’s clear, then, that our email address details can be obtained from almost anywhere.

As if this weren’t enough, a group of cyber-security experts recently published a study confirming the trend (as if it were really in any doubt): In just three months the details of more than six million accounts have been leaked, along with the corresponding passwords.

It’s a frightening figure, and more so considering that these are just the confirmed cases.

According to the study, most cases are due to people using company email addresses in private environments and the low levels of security associated with such email accounts.

Trojans infecting poorly protected computers or the use of email accounts with inadequate security are the most probable causes of this increase in the leaking of email addresses and their passwords.

The result of all this is seriously concerning: the use of these passwords by cyber-criminals against the users themselves. Moreover, if millions of account details have been leaked in just the last three months, the amount for the whole of 2014 could be twenty times greater.

Given how this trend underlines that corporate email accounts are not as secure as they should be, it is advisable to implement security measures such as two-step verification or at least frequent changes to email passwords.

The post The number of leaked email addresses and passwords has exploded in 2014 appeared first on MediaCenter Panda Security.