User Authentication in 2024: Multi-Factor Authentication and Beyond
Jan26

User authentication has evolved significantly, with multi-factor authentication (MFA) becoming a standard security practice in 2024. Beyond traditional MFA, advancements in technology have introduced more sophisticated and user-friendly methods. These include biometric verification, behavioral analytics, and AI-driven authentication processes, offering enhanced security while improving user experience. This new era of authentication...

The Mother of All Breaches: Exposed Database Contains 26 Billion Records
Jan23

Cybersecurity researcher Bob Diachenko of Security Discovery and the team at CyberNews have uncovered what is thought to be the largest-ever collection of stolen data, consisting of more than 26 billion records. The database they identified on an open storage instance contains an astonishing 12 TB of data, and while there are likely to be duplicates in the database it is still thought to be the biggest collection of stolen data ever...

Popular Password Manager Starts Enforcing 12-Character Master Passwords
Jan08

While there are different schools of thought on password complexity, security experts agree that when it comes to making passwords difficult to guess, the longer the password is the better. Regardless of what the password consists of, the longer the password is, the longer it will take a hacker to crack it. LastPass, one of the most popular password manager providers, has long recommended that users set long and complex passwords for...

25 LastPass Users Had $4.4 Million in Crypto Stolen on October 25
Oct31

Cryptocurrency totaling $4.4 million was stolen from 25 individuals on October 25, 2023, who all had one thing in common – they were users of the LastPass password manager. LastPass suffered two data breaches in 2022, in which the hackers obtained source code and customer data. Password vaults were stolen that contained encrypted and plaintext information of more than 25 million users. At the time, LastPass CEO, Karim Toubba,...

1Password Says Okta Environment Compromised Using Stolen Session Cookie
Oct25

The password manager provider 1Password has announced it has been affected by the recent data breach at the San Francisco-based identity and access management company Okta. Okta was contacted by its client, BeyondTrust, on October 2, 2023, after its security team identified suspicious activity that it believed may have stemmed from a data breach at Okta. On October 11, 2023, Okta confirmed that an unauthorized individual had gained...

LastPass Employees and Customers Targeted in Phishing Campaign
Oct04

A widespread phishing campaign has been detected that is targeting LastPass employees and customers. The campaign was first detected in mid-September, and a second wave of phishing emails was sent at the end of the month. The aim of the campaign is to obtain LastPass credentials. If the credentials are obtained, the attackers will have access to users’ password vaults. LastPass offers users multifactor authentication; however, this...

ZenRAT Password Stealer Masquerades as Bitwarden Password Manager Installer
Oct04

Password managers can greatly improve security and are one of the measures currently being promoted during Cybersecurity Awareness Month; however, care must be taken when installing password managers. Just like any software solution downloaded from the Internet, it is important to verify the authenticity of the website and installer. Cybercriminals may impersonate password manager providers to deliver malware. Password managers are...

Four Behaviors to Focus on During Cybersecurity Awareness Month
Oct02

October is Cybersecurity Awareness Month – a month dedicated to raising awareness of the importance of cybersecurity and sharing some of the easy steps that everyone can take to improve privacy and security. Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), is encouraging all Americans to stop and think before taking any action, whether online or in response to unsolicited text messages,...

One in Three Americans Now Use a Password Manager
Sep26

Password manager usage has grown by 60% in the past year as Americans are now starting to appreciate the benefits that these tools provide. According to security.org survey data, in 2021, 22% of Americans said they used a password manager, but in 2023, the percentage increased to 34% with a further 10% of users saying they use a security passkey or other physical password device. While usage of password managers is growing, 56% of...

KeePass Vulnerability Allows Master Passwords to be Obtained from the Memory
May23

A vulnerability has been identified in the KeePass password management solution that allows an attacker to recover the cleartext master password from memory if the password is typed in using the keyboard. The password cannot be obtained if it is pasted from the clipboard. The vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-32784. KeePass has yet to issue a patch to address the flaw but is expected...

World Password Day – A Reminder to Improve Password Hygiene
May03

The first Thursday of May is World Password Day, a day dedicated to raising awareness of the importance of password security and the promotion of password best practices. The idea of a Password Day came from the security researcher Mark Burnett, who suggested in 2005 in his Perfect Passwords book that everyone should have a password day where they took the time to update their passwords. In 2013, World Password Day became official and...

How Long Does It Take a Hacker to Brute Force a Password in 2023
Apr24

Organizations are increasingly adopting passwordless authentication; however, passwords are still the most common method of securing accounts. The problem with passwords is they can be guessed, and with modern GPUs, brute-force attempts to guess passwords can crack weak passwords incredibly quickly. Passwords of 6 characters, for instance, can be guessed instantly, regardless of the letters, numbers, and special characters used. Each...

LastPass Says DevOps Engineer’s Home Computer was Hacked
Feb28

LastPass has provided another update on the second data breach it experienced last year and has confirmed that the second attack – which was linked to the summer hacking incident – involved the hacking of the home computer of a DevOps engineer. In August 2022, hackers gained access to the LastPass developer environment and stole some proprietary source code and internal documents, but said the breach was limited to its development...

Dashlane Publishes Password Manager Source Code
Feb08

The password manager provider Dashlane has made the surprising announcement that the source code for its mobile app has been released on GitHub, in what the company claims is the first step in a push to make its platform more transparent. The source code for both its Android and iOS apps has now been published on GitHub, along with the code for its Mac and Apple Watch apps, with the code for the web extension due to similarly be...


Some Popular Password Managers Found to Auto-Fill Passwords on Untrusted Websites

Last week, Google announced that it had discovered a security issue with certain password managers, which could be tricked into autosuggesting passwords on untrusted pages. One of the benefits of a password manager is when a password is set for an account, it is tied to a specific URL or domain. When the user lands on that domain or URL, the password for that resource will be auto-filled for convenience. This feature helps to protect...

Norton LifeLock Customers Warned that Password Vaults May be At Risk
Jan17

The antivirus software and cybersecurity firm Norton has recently started notifying certain Norton LifeLock customers that a malicious actor has gained access to their Norton accounts and potentially also accessed their password vaults. Users have been advised to change the password for their Norton account and Password Manager immediately. The news comes shortly after one of the world’s most popular password managers – LastPass...

One-fifth of the U.S. Department of the Interior Passwords Successfully Cracked in Password Test
Jan13

A recent investigation of the password management practices of the U.S. Department of the Interior has identified multiple password failures which are putting its internal network and applications at risk of compromise. The investigation was conducted by the Department of the Interior Office of Inspector General (DOI OIG) to determine how well the Department’s password management and enforcement controls were working. The...

LastPass Sued for Data Breach to Recover $53,000 in Lost Cryptocurrency
Jan09

The recent data breach at LastPass, which saw customers’ encrypted password vaults stolen, has sparked its first lawsuit from a customer who claims to have lost $53,000 in cryptocurrency due to the data breach. The breach in question was detected by LastPass in August 2022, when the company confirmed that unauthorized individuals gained access to its developer environment and stole proprietary source code and technical documentation,...

Zoho: Patch This Critical ManageEngine Vulnerability Now!
Jan05

A critical SQL injection vulnerability has been identified in multiple Zoho ManageEngine products. Zoho is urging all business users of the affected software solutions to patch the vulnerability immediately to prevent exploitation. The patch adds proper validation and escaping of special characters to prevent the vulnerability from being exploited. The vulnerability is tracked as CVE-2022-47523 and affects its Password Manager Pro,...

What's Stopping the Passwordless Revolution?
Dec27

A couple of years ago, security industry professionals claimed businesses were experiencing a passwordless revolution and some forecast adoption rates in excess of 90% by the end of 2022. However, according to the latest Bitwarden 2023 Password Decisions Survey, fewer than half of respondents have deployed – or now plan to deploy – passwordless technologies. Back in 2020, Microsoft claimed that passwordless adoption would increase...

LastPass Data Breach: From Bad to Worse, and Worse Still
Dec23

It started with a breach of the LastPass developer environment. No customer data was involved in that breach, but then came the news that some customers were impacted, not in the first breach but in a second one that was linked to the first. The data stolen in the first breach allowed a second hack. But not to fear, customer password vaults were not affected. Now, LastPass has issued another update and said some customer password vaults are at...

Security Agency Recommends Businesses Change their Approach to Combat Phishing
Dec22

The UK National Cyber Security Centre (NCSC) has issued advice to businesses to help them improve their defenses against phishing, one of the most common ways that malicious actors gain initial access to business networks. Phishing targets employees, who are weak links in the security chain. Employees are prone to make mistakes, and all it takes is for one employee to fail to recognize a phishing threat for a threat actor to gain...

Bitwarden Announces New Self-Hosting Deployment Option
Dec19

Bitwarden is one of just a handful of vault-based password managers that offers the option of self-hosting its software on a local device or network server. Earlier this month, the company announced a new “lightweight” deployment option that is less resource intensive and that will ultimately work across multiple databases and architectures. Self-hosting can sometimes be considered more trouble than it is worth. You need to have the...

What are the HIPAA Password Requirements?
Dec18

Before answering the question of what the HIPAA password requirements are, it is important to note that passwords are not a requirement of HIPAA if Covered Entities use an alternative authentication method to “verify that a person or entity seeking access to ePHI is the one claimed” (Security Rule Standard §164.312(d)). According to the Department of Human Services' Guide to the Technical Security Standards there are three ways in which...

Survey Reveals Serious Password Manager Mistake That Puts Millions at Risk of Identity Theft
Dec16

Passwords are often a security weak point, but not because of the level of security they provide. If a sufficiently long password is set following password best practices, the account would be well secured. A password of 15 characters containing upper- and lower-case characters, numbers, and symbols would take about a billion years to crack using the GPUs currently available, according to a study by Hive Systems. Increase it to 18...

Bitwarden Adds Passwordless Authentication to its Password Manager
Dec09

Password managers improve security by making it easy for users to set strong and unique passwords for their accounts. They also make logging in convenient, as users never need to remember their passwords or type them in. They will be autofilled when the user lands on a site that requires a login. However, users still need to enter the master password for their password vault. While this is a minor inconvenience, Bitwarden has...

LastPass Suffers Second Hacking Incident – Some Customer Data Compromised
Nov30

In August 2022, hackers gained access to the development environment of LastPass and stole only some of its source code and proprietary technical information. LastPass investigated the breach and confirmed that no customer information was accessed or stolen in the attack, but determined the hackers had access to the development environment for 4 days. Now the world’s most popular password manager has announced that customer data has been...


The Worst Passwords of 2022 Revealed

The list of the worst passwords of 2022 has been published, pointing the spotlight on poor password practices. Despite the risks, these terrible passwords are still used by many people to “secure” their accounts. The worst passwords of 2022 do nothing of the sort. These passwords are top of the list in brute force attempts to access accounts and will provide almost instant access to any account that they have been used to secure. The...

Password Attacks Have Increased by 74% in the Past Year
Nov17

The 2022 Microsoft Digital Defense Report has highlighted a worrying cybercrime trend – a massive increase in password attacks. In the past year there has been a 74% increase in password attacks, which are now occurring at a rate of 921 attacks per second. Password spraying and credential stuffing attacks are increasing despite improving cybersecurity awareness. Password spraying is a brute force attack that involves the use of a list...

Cybersecurity Education Failing to Improve Password Hygiene
Nov13

Businesses are realizing the importance of providing security awareness training for the workforce to teach cybersecurity best practices, how to recognize phishing emails, and to highlight the importance of practicing good cyber hygiene. Training the workforce is an essential element of any cybersecurity strategy, as employees are targeted by threat actors. If employees are not trained, human weaknesses are likely to be exploited by...

Summary of the NIST Password Recommendations
Nov11

The National Institute of Standards and Technology (NIST) has created password guidance for federal agencies to ensure passwords achieve their intended purpose – preventing unauthorized account access. The NIST password recommendations were updated recently to include new password best practices and some of the long-standing best practices for password security have now been scrapped as, in practice, they were having a negative...

Survey Reveals Younger Generations More Likely to Take Cybersecurity Risks
Nov01

Organizations can invest heavily in cybersecurity and implement multiple layers of defense to stop malicious actors from gaining access to their networks, but those defenses can still be breached, and in the majority of cases those breaches are due to an error by a single employee. The risk of employees making mistakes cannot be eradicated, but it can be managed and reduced by providing training on cybersecurity and introducing...

Why You Should Stop Using Your Web Browser as a Password Manager
Oct31

Passwords are often all that stands between a cybercriminal and your sensitive personal information. If the password for an online account is guessed, all information in that account can be obtained and misused. This is why it is important to add multifactor authentication to all online accounts to improve security. This Cybersecurity Awareness Month, the Director of the Cybersecurity and Infrastructure Security Agency (CISA) said...

Half of Businesses Have Adopted Passwordless Authentication to Some Degree
Oct27

Bitwarden has published the findings of its 2023 Password Decisions Survey, which explores password practices and habits, strategies that have been adopted for managing passwords, how businesses are protecting against cyberattacks, and the methods adopted to reduce password risks. The survey was conducted on 800 IT decision-makers, 400 in the UK and 400 in the US.

How Passwords are Being Managed

A password manager is the most secure...

What are the Disadvantages of Password Managers?
Oct26

You will no doubt have heard that one of the most important steps to take to improve security is to use a password manager. A password manager is a software solution to help people create and manage their passwords and follow password best practices.

Why People Need to Use a Password Manager

Passwords are a convenient way of preventing unauthorized account access, similar to a lock on a front door that requires a key to unlock. The...

Cybersecurity Awareness Month: Time to Improve Password Security
Oct24

The theme of October 2022 Cybersecurity Awareness Month is “See Yourself in Cyber” which focuses on people. As the Cybersecurity and Infrastructure Security Agency (CISA) explained, cybersecurity may seem like a complex subject, but it is really all about people. Everyone has a role to play in cybersecurity and should take steps to stay safe online and protect their privacy, and every employee has a responsibility when it comes to the...

Safe and Secure Password Sharing for Businesses
Oct03

In an ideal world, every employee would have their own password for the accounts and resources they need to access from the moment they started employment or commenced a new project. In practice, that is often not the case. IT teams are busy and have to deal with many pressing issues, and setting up new accounts and permissions can be a slow process. Sometimes, an employee or a group of employees will be required to collaborate on a...

Cybersecurity Awareness Month 2022 Focuses on People
Sep28

Cybersecurity Awareness Month 2022 runs from October 1 to October 31, with the month of October having been dedicated to improving awareness about cybersecurity since 2004. Throughout October, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) will lead a collaborative effort between government and industry to improve cybersecurity awareness in the United States and beyond. The...

Using a Business Password Manager to Share ePHI in Compliance with HIPAA
Sep23

Using a business password manager to share ePHI in compliance with HIPAA is a viable alternative to other secure forms of communication if your organization implements a business password manager and the vendor is willing to sign a Business Associate Agreement. One of the most challenging requirements of HIPAA compliance is communicating ePHI in compliance with the Security Rule safeguards. Familiar channels of communication such as...

Why Changes May Soon be Required to ISO 27001 Password Management Policies
Sep22

Most accredited organizations' ISO 27001 password management policies are based on the 2013 version of the standard for information security management systems. However, with new controls about to be announced in an updated version of ISO 27001, it may be necessary to amend existing policies to reflect the new controls. If your organization is ISO 27001 accredited, the accreditation is based on the 2013 version of the information...

LastPass Says Hackers Accessed Systems for 4 Days
Sep20

The world’s most popular password manager, LastPass, has provided more information on its August 2022 cyberattack and data breach. The forensic investigation has confirmed that an unauthorized individual gained access to its internal systems for a period of four days; however, no evidence was found to indicate that an individual or individuals had access to any parts of its network before or after that timeline. LastPass CEO, Karim...

Almost 200,000 Accounts Compromised in The North Face Credential Stuffing Campaign
Sep08

The outdoor clothing company The North Face has said the online accounts of almost 200,000 customers have been compromised. Unusual activity was detected in certain customer accounts on August 11, 2022, with the investigation into a potential data breach confirming customer accounts had been compromised in a credential stuffing campaign between July 26, 2022, and August 19, 2022. If the threat actor was able to access a...

Bitwarden Set to Accelerate Product Expansion with $100 Million Investment
Sep07

The open source password manager provider, Bitwarden, has secured a $100 million minority growth investment to support its user community, scale its password management solution, accelerate product expansion, and provide stronger online security for individuals and enterprise customers. The latest round of funding was led by the growth equity firm PSG, with existing investor Battery Ventures also participating. There was a major...

Luca Stealer Malware Targets Cryptocurrency Wallets and Password Managers
Sep05

A new malware variant dubbed Luca Stealer is growing in popularity following the release of its source code for free in July. At present, it appears that attacks are at a relatively low level, but the number of variants detected has increased in recent weeks and there is concern that Luca Stealer could become a significant threat. Luca Stealer is suspected of being used in an attack on the Solana blockchain network (SOL) in early...

What Happens If My Password Manager is Hacked?
Aug31

If you follow the news, or if you use the LastPass password manager, you will no doubt be aware that LastPass was hacked this month, and it is not the first time that has happened at LastPass, as it was also hacked back in 2015. If password managers can be hacked, you may be asking yourself questions such as what happens if my password manager is hacked? Should I be using a password manager? Do I need to change all my passwords? These...

LastPass Hacked: Source Code Stolen
Aug26

LastPass, one of the world’s most popular password managers, has confirmed it has been hacked and portions of its source code have been stolen. Password managers are a must these days. The average person has around 100 passwords (NordPass), so remembering all of those passwords would be impossible without taking some shortcuts that compromise security. The easiest solution is to use a password manager. With a password manager,...

Residential Proxies Increasingly Used to Hide Credential Stuffing Attacks
Aug24

Cyber threat actors are increasingly using hacked residential routers to hide their credential stuffing attacks, according to a recent alert from the Federal Bureau of Investigation (FBI). Credential stuffing is a type of brute force attack where a threat actor uses a large list of usernames and passwords that have been compromised in previous data breaches to access accounts on unrelated websites. The attack relies on the reuse of...

How Do You Resolve the Issue of Password Apathy?
Aug15

Despite many advances in technology, one issue is undermining efforts to keep networks and accounts secure – password apathy. This is not a new issue, but one that has existed since the earliest shared computers in the 1960s. Yet, in more than sixty years, nobody has found a way to resolve the issue of password apathy. The earliest recorded example of password apathy appears in a UK TV program from the 1980s. In the program, a Prestel...

Is FIDO Authentication as Effective as It Claims to Be?
Aug08

FIDO authentication protocols can be used as an alternative to passwords, and – in theory – they provide a fast and secure method for users to access online services requiring login credentials. However, FIDO authentication is not a magic bullet to defeat cybercrime and there are many considerations to take into account before paying over the top for FIDO-compatible solutions. The Fast Identity Online (FIDO) Alliance was established...

Why More Companies are Enforcing Mandatory 2FA
Aug01

Although the option to better protect accounts with Two-Factor Authentication (2FA) has been widely available for more than a decade, the low uptake of this security measure has prompted a growing number of companies to enforce mandatory 2FA. Two-Factor Authentication (also known as Two-Step Login and Two-Step Verification) is a method used by online services to verify a user's identity. In most circumstances, the first authentication...

Password Management Best Practices
Jul31

Passwordless authentication is growing in popularity and is considered the future of authentication, but for the time being, passwords are here to stay. While passwords can provide a high degree of protection, passwords can be guessed given sufficient time and computing power. The latest GPUs make short work of guessing even complex passwords, with one study by Hive Systems determining that even an 8-character password that contains a...

NIST Releases Updated HIPAA Security Rule Guidance
Jul26

The National Institute of Standards and Technology (NIST) has refreshed its HIPAA Security Rule compliance guidance. The guidance was last updated in 2008 and a lot has changed in the past 14 years, including the release of the NIST Cybersecurity Framework. The new guidance serves as a practical guide for the healthcare industry to help with the implementation of the HIPAA Security Rule, to better protect healthcare data from...

42% Of Americans Use the Same Password for Multiple Accounts
Jul22

A recent survey conducted on 2,000 Americans by OnePoll on behalf of AT&T has provided insights into the level of cybersecurity knowledge of Americans and the cybersecurity risks many people take when using the Internet. According to the survey, 70% of respondents said they felt they were knowledgeable about cybersecurity and understood how hackers gain access to sensitive information on devices, but in many cases that knowledge...

ICS Systems Infected with Sality Malware via Password Recovery Tool
Jul19

A threat actor is gaining access to industrial control systems (ICS) using a Trojan horse password recovery tool that claims to recover passwords for programmable logic controllers (PLC) and Human-Machine Interfaces (HMIs). The malware distribution campaign was identified by security researchers at Dragos, who identified infected Automation Direct DirectLogic PLCs. PLC password cracking tools are being advertised on social media...

Study Highlights the Importance of Password Complexity
Jul11

Poor security practices are commonly exploited by threat actors, and one of those practices that stands out is the exploitation of weak credentials. A password is often all that stands between a cyber threat actor and sensitive business data. If that password is chosen poorly, or heaven forbid is a default password that has not been changed, a hacker’s life is made so much easier. With the processing power of modern GPUs, weak...

Three Quarters of the Most Popular Websites Allow Bad Passwords to be Set
Jun30

If you ever need to create an account online you will need to set a password to prevent unauthorized access. While passwords can prevent the account from being accessed by unauthorized individuals, if weak passwords are set they would not provide much protection. In some cases, a weak password could be guessed by a human in a few seconds. The tools used by hackers to brute force passwords could guess passwords in a fraction of a...

How to Reduce Password Security Risks
Jun27

Passwords are used to prevent unauthorized access to accounts and data. While passwords can be effective, there are password security risks that need to be reduced to a low and acceptable level, otherwise, accounts and sensitive data could be extremely vulnerable to cyberattacks. Password Security Risks If everyone set a strong, unique, and suitably long password for every account, passwords would provide a good level of protection;...

Why Don’t People Use Password Managers?
Jun27

With so many passwords to create and remember, keeping track of those passwords can become a problem. Best practices for creating passwords include setting a unique password for every account and ensuring the password is strong and difficult to guess. Complex passwords are difficult to remember so users often reuse the same password for multiple accounts, change each password only slightly, or write them down on a Post-It note, in a...

Following Regulatory Recommendations for Passwords Does Not Necessarily Improve Password Security

If you religiously follow regulatory standards for passwords you may think you have a good password policy, but it doesn’t mean that weak passwords are not being set by your employees. A recent study by Specops confirmed that simply following regulatory recommendations for setting passwords is not, by itself, enough. For the study, the researchers conducted an analysis of more than 800 million passwords that are known to have been...

Feds Announce Seizure of Domains Used for Selling Stolen Credentials and Conducting DDoS Attacks
Jun06

The Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI) have announced they have seized the domain weleakinfo.to, along with two related domains – ipstress.in and ovh-booter.com – that were being used to sell access to stolen personal information and for conducting distributed denial of service (DDoS) attacks on victim networks. The domain seizures came following an international law enforcement...

Dashlane versus Zoho Vault
May27

Our Dashlane versus Zoho Vault comparison demonstrates that you don´t have to pay vast sums of money to be secure online. Indeed, as Dashlane customers have recently found out, you can pay vast sums of money and still be vulnerable to online threats. In November 2020, Dashlane announced a “web-first” strategy that would provide customers with a “streamlined and more secure experience”. As part of the strategy, the desktop apps for...

General Motors Customers Targeted in Credential Stuffing Attack
May27

General Motors has announced that certain customer accounts have been accessed by unauthorized individuals. Between April 11 and April 29, 2022, suspicious logins were detected in customer accounts. The investigation revealed unauthorized individuals accessed certain customer accounts and redeemed their reward points for gift vouchers. The compromised accounts contained information such as names, addresses, dates of birth, personal...

Dashlane versus LogMeOnce
May26

Our Dashlane versus LogMeOnce comparison demonstrates why ease of use is an important consideration when evaluating password managers; for although LogMeOnce represents excellent value when compared to Dashlane, it has a steep learning curve which you need to navigate fully to ensure there are no gaps in password security. When you evaluate a technology solution, it is most often the case you balance the capabilities of the solution...

Dashlane versus Password Boss
May25

Our Dashlane versus Password Boss comparison comes with the caveat that Password Boss may soon be leaving the individual and business market to focus solely on Managed Service Providers. Furthermore, since Password Boss relaunched its website earlier this month, the pricing page has disappeared, and it is no longer possible to see what features are included with each plan. Due to the frequency with which vendors update products, add...

What is Password Spraying?
May25

What is password spraying? Password spraying is a commonly used brute force method for gaining access to accounts. Here we explain what it is and how to thwart it. What is a Brute Force Attack? A brute force attack is a trial-and-error method of gaining access to an account when the password for the account is not known. In an attack, many different passwords are tried for a specific account in the hope of guessing the correct...

Dashlane versus RoboForm
May24

Our comparison of Dashlane versus RoboForm looks at why this once-popular password manager is falling out of favor, and whether Dashlane customers should consider RoboForm a suitable alternative. To say the Dashlane password manager is falling out of favor is probably an understatement. In the last couple of years, concerns have been raised about the security of Dashlane apps, plans have been discontinued at short notice, and the...

Dashlane versus NordPass
May23

Our Dashlane versus NordPass comparison explains why Dashlane customers may be looking to switch password manager providers, but also raises questions about whether NordPass is a suitable alternative. Dashlane is having a bit of a rough time at the minute. Although retiring their Desktop apps in favor of a “web-first strategy” was meant to provide customers with a “streamlined and more secure experience”, the transition from Desktop...

Dashlane versus 1Password
May21

Our comparison of Dashlane versus 1Password pits two of the most popular password managers against each other to establish whether either is the best option for individual users, family groups, and businesses when compared to other vault-based password managers. As individuals, families, and businesses become more aware of online threats, the market for online security products is growing rapidly. Password managers are among a number...

Dashlane versus Keeper
May20

Our Dashlane versus Keeper comparison is aimed at customers of Dashlane who are dissatisfied with the recent “web-first” changes to the password manager and price increases. However, is Keeper the best alternative to Dashlane, or do other password managers offer a better experience and value for money? In November 2020, Dashlane announced it was discontinuing support for its Windows and Mac desktop apps to focus on a “web-first...

Common Password Attacks and How to Avoid Them
May20

While passwordless authentication is becoming more popular, passwords remain the most common way of securing accounts and preventing unauthorized access. Passwords provide a degree of security, but there are several different password attacks that are effective at obtaining passwords to access the accounts they protect. In this post, we explain the most common password attacks, why they work, and how you can prevent them. Common...

46% of IT Leaders Store Passwords in Shared Documents and Spreadsheets
May20

A recent survey of IT, security, and cybersecurity leaders found 46% store passwords in shared documents and spreadsheets, and 8% physically record passwords in notebooks or sticky notes, despite the security risks associated with doing so. The survey was conducted on 100 IT, security, and cybersecurity leaders by Pulse and Hitachi ID to explore their password management practices and the effect they have on security. According to...

Padloc versus LastPass
May18

It is not common to find Padloc versus LastPass comparisons because, until the launch of V3 in 2019, Padlock had very few capabilities to compare against other password managers. However, since 2019 – when the password manager was also rebranded from Padlock to Padloc – it has attracted a significant amount of interest. Our Padloc versus LastPass comparison explains why. Prior to 2019, Padlock (as it was known at the time) was a...

RememBear versus LastPass
May18

Our comparison of RememBear versus LastPass focuses on the options available to personal password manager users because a) there are a lot of dissatisfied personal LastPass users and b) RememBear lacks the capabilities to be used as a family or business password manager. Most of our password manager reviews and comparisons focus on password managers with similar capabilities so that visitors can make informed decisions about which...

NordPass versus LastPass
May17

Our comparison of NordPass versus LastPass shows there is very little between these two password managers in terms of capabilities or price. However, customers looking for their first password manager – or considering a switch from their current password manager – may find better value elsewhere. Since LastPass announced it was restricting the capabilities of its free password manager plan and introducing additional...

RoboForm versus LastPass
May17

If you are one of the thousands of people who have resisted the temptation to switch from the LastPass password manager to a securer alternative, our RoboForm versus LastPass comparison might convince you to switch sooner rather than later. However, is RoboForm a suitable alternative for individuals, families, and businesses? According to a survey conducted by security.org in 2021, 21% of people who use password managers have a...

LastPass versus Keeper
May16

Both LastPass and Keeper password managers are trusted by millions of individuals and thousands of businesses worldwide; but, as our LastPass versus Keeper comparison shows, it is possible for both individuals and businesses to find better value alternatives elsewhere. LastPass (21%) and Keeper (10%) are the two most commonly-used password managers in the U.S. according to a survey conducted by Security.org. Although their positions...

What is Credential Stuffing?
May14

Credential stuffing attacks are common causes of data breaches. Here we explain what a credential stuffing attack is, why they are often successful, and steps that can be taken to stop these attacks from succeeding. What is a Credential Stuffing Attack? Credential stuffing is a type of brute force attack – an attack where multiple attempts are made to guess a correct password. In a traditional brute force attack, a threat actor tries...

Popular Password Manager Adds Unique Username Generator
May10

Password managers are low-cost security solutions that can significantly improve security by helping people avoid bad password practices. Oftentimes, all that stands between a hacker and an account containing sensitive data is a password, and the passwords that protect those accounts are often not sufficiently complex. Passwords can be cracked in seconds using brute force tactics and a computer with a reasonably powerful GPU. It may...

Report Shows Slight Improvement in User Password Security
Apr30

A report published by Bitwarden ahead of World Password Day shows a slight improvement in user password security compared to a similar report published last year. World Password Day was created by Intel in 2013 to raise awareness about the role of complex, unique passwords in securing online accounts. Subsequent World Password Days have been held each year on the first Thursday in May; and, to celebrate the event in 2021, Bitwarden...

How Password Managers Mitigate the Threat from Phishing
Apr30

The best way to mitigate the threat from phishing is to train employees to be more resilient to phishing attacks, introduce processes to report suspicious communications, and take advantage of technology to fill gaps in employee awareness by preventing them from visiting phishing sites. Unfortunately, few businesses have the time or resources to increase employee awareness training or respond to every report of a suspicious...

What Are Zero Knowledge Password Managers?
Apr28

Many password managers advertise themselves as zero knowledge password managers, claiming that end-to-end encryption prevents vendors and their employees from knowing what credentials are maintained in users’ password vaults. But what are zero knowledge password managers? And what are the advantages and disadvantages of zero knowledge? Possibly the primary benefit of using a password manager is that it can generate and store...

Why Leet Substitution has Little Impact on Password Strength
Apr25

While some sources advocate substituting letters with symbols to make passwords harder to crack, evidence exists that leet substitution has little impact on password strength. Consequently, businesses are advised to utilize password generation tools to create genuinely random passwords for each account and take advantage of password managers to save them securely. For those unfamiliar with “leet substitution”, the term is derived from...

Credit Card Company Advice for Online Security
Apr22

Most leading credit card companies offer similar advice for online security – that you should secure devices used for online transactions, use unique, complex passwords for each online account, reduce your susceptibility to phishing, and set up alerts for certain types of transactions. Credit card companies have a vested interest in providing advice for online security. Under the Fair Credit Billing Act and Electronic Fund...

How Accurate are Password Strength Testers?
Apr20

Password strength testers are becoming more common in the account sign-up process. Their purpose is to indicate whether the passwords chosen by users are weak, good, strong, or very strong – the implication being that good, strong, and very strong passwords will help protect the account from brute force attacks. But how accurate are password strength testers? To find out, we ran a test pitching five variations of commonly-used...

What are Password Salting and Password Peppering?
Apr18

Password salting and password peppering are two methods of preventing hashed passwords from being deciphered by hackers using brute force techniques or rainbow tables. Unfortunately, users rarely know whether online vendors are salting or peppering passwords, so businesses and individuals still need to take responsibility for protecting online accounts using other methods. In a previous article, we discussed password hashing and...

What is Password Hashing?
Apr16

Password hashing is a security measure often used to convert a plain text password into a seemingly random string of letters and numbers. The theory behind this security measure is that, if a website’s database of hashed passwords is hacked, data stolen from the database cannot be used to access client accounts. Unfortunately, this is not always the case. When you create an online account, you are most often asked for a username...

What are Hidden Passwords?
Apr14

Hidden passwords are a feature of most commercial password managers. The feature allows system administrators to change the appearance of shared read-only passwords so they display to end users as a series of dots or asterisks. While a useful feature to prevent shoulder surfing, hidden passwords should not be relied upon as a security feature. Many password managers have a password sharing capability that provides a secure and...

Five Best Practices for Corporate Password Management
Apr11

Yubico´s State of Password Management and Authentication Security Behaviors Report paints a very bleak picture of corporate password management. The bleak picture mirrors multiple recent surveys which attribute the majority of data breaches to weak and compromised passwords. Statistics taken out of context can give a misleading impression of corporate password management. For example, the statistic that 80% of data breaches are...

WhatsApp Voicemail Phishing Campaign Distributes Information Stealing Malware
Apr05

A new WhatsApp phishing campaign has been identified by researchers at Armorblox that has been sent to at least 27,655 email addresses. The emails impersonate WhatsApp and relate to the voice message feature of the instant messaging app to get recipients of the messages to install information-stealing malware. The malware targets passwords stored in browsers and applications, steals cryptocurrency wallets, and can be used to...

Three Steps for Securing Your Password Manager
Apr04

Considering that your password manager contains “the keys to the kingdom”, securing your password manager should be a priority in order to prevent unauthorized third parties accessing your login credentials, payment details, and other personal data you want to keep confidential. Password managers are incredibly useful for people who understand the importance of using unique, complex passwords for each online account. They enable you...

Time for A Rethink on Your Password Policies
Mar31

If you own a business, you will appreciate the need to close all your windows and lock your doors when you finish work for the night. Leave anything open and you are asking for trouble. Someone will come along in the dead of night, access your premises, and will steal everything of value. The same is true in the digital world. Everything must be protected because if you leave anything open, your digital assets will be stolen. In order...

Why Personal Password Vaults are an Important Security Feature of Business Password Managers
Mar30

When an organization implements a business-wide, vault-based password manager, personal password vaults can be seen as “a nice thing to have” rather than an important security feature. However, personal vaults can do a lot more to enhance security than they are given credit for. When organizations evaluate vault-based business password managers, it is understandable they prioritize security features such as zero knowledge encryption,...

Thursday 31st March is World Backup Day
Mar28

There are numerous “cybersecurity holidays” throughout the year, but none are as important as World Backup Day on Thursday – a day dedicated to encouraging individuals and businesses around the world to back up data. How often do you back up your data? Daily? Weekly? Monthly? Less Frequently? Never? If you back up your data daily, weekly, or monthly, you are in the minority according to a survey commissioned by the cloud backup...

Feds Issue Security Alert About MFA Bypass and Vulnerability Exploitation
Mar18

State-sponsored Russian hackers have bypassed multi-factor authentication and exploited the PrintNightmare vulnerability in an attack on a non-governmental organization (NGO), according to a recent security alert from the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA). The attack in question occurred in May 2021. The hackers gained a foothold in the network in a brute force attack and...

Why an 8-Character Password is No Longer Long Enough
Mar15

Passwords need to be unique and complex to resist brute force attacks by cybercriminals, but how long does it take a hacker to guess a password? Even if the password is complex, if it does not contain enough characters it can be guessed in seconds. Why Complex Passwords are Required When passwords are required, there are usually policies applied that require passwords to contain a minimum number of characters and meet minimum...

Survey Highlights Struggles Companies Have with User-Friendly Access Management
Mar07

The password manager provider LastPass has recently published the findings of an IDC Global Survey on Identity and Access Management that has revealed many businesses are struggling to strike a balance between security and the user experience. Passwordless authentication is gaining traction, but passwords remain the primary way of preventing unauthorized account access. Password guidelines require passwords to be set that are of...

Think Password Strength Rather Than Password Length
Mar06

Some people believe that password strength is dependent on password length, and the longer a password is, the harder it is for bad actors to guess or crack using brute force algorithms. While this may be true for complex, machine-generated passwords, it is not true in all cases. Indeed, some longer passwords can be easier to crack than passwords half their length. Although password length is a contributory factor to password strength,...

Recommended Password Manager Capabilities for SOC 2 Audits
Mar06

An SOC 2 certification is a valuable attestation for businesses such as cloud service providers, software providers, web marketing companies, and financial services organizations, as it certifies the business has acceptable controls in place to address risks associated with the use of their systems and/or services. In order to achieve SOC 2 certification, businesses have to pass an SOC 2 audit conducted by an accredited representative...

A Brief Guide to Two Step Login
Mar05

Two step login is a security process used by many websites and apps to prevent unauthorized access to online accounts containing sensitive data. Also known as Two Factor Authentication (2FA), Multi Factor Authentication (MFA), or Two Step Verification (2SV), the security process requires you to enter something you know (usually a username and password), and an additional verification code sent to – or generated by – a secondary...

Poor Cybersecurity Practices Put Organizations’ Security at Risk

A recent survey commissioned by Mobile Mentor has revealed that poor cybersecurity practices are commonplace among employees working in highly regulated industries, and that those bad practices are a major threat to security. The survey was conducted by the Center for Generational Kinetics on 1,000 employees in the United States and 500 in Australia, all of whom worked in healthcare, education, finance, or the government. The study examined the endpoint...
