Passwords Archives – Gridinsoft Blog (https://gridinsoft.com/blogs/tag/passwords/), feed last updated Fri, 06 Oct 2023

How To Securely Store Passwords
https://gridinsoft.com/blogs/how-to-securely-store-passwords/ (published Tue, 05 Jul 2022)

This article is about how to manage your passwords, protect them properly, and not lose them at the most inopportune moment. Internet users can no longer imagine a day without social networking, online shopping, running a business on online platforms, and more. To do all this privately, you need a login and password that belong only to you, so that other users cannot get into your device or account. So, how do you save passwords safely?

But how do you generate and memorize dozens of password combinations without forgetting them? After all, each platform requires a complex password, and that complexity is exactly what later stands between intruders and your account. Below we look at how to protect your passwords and still have them at hand when you need them.

Why is it Important to Securely Store Your Passwords?

Protecting all your saved passwords means learning the features, steps, and best practices involved. Attackers are always out to steal your data and develop hundreds of methods to do so. Following a few rules for storing your passwords shields you from these threats. Here is what a successful attack by a hacker can lead to:

  • Identity theft – leads to serious consequences: loss of access to your credit cards, manipulation of other users on your behalf, theft of your insurance data, a mess in your accounts, and more.
  • Account takeover – may cost you a friendship or a job. While you are trying to recover your account, the attacker can send messages from your email or contact other users in your name to get them to install malware, and more.
  • Financial loss – at this stage, you can lose funds from your cards, have credit taken out in your name, and end up with many problems with your bank.

All of the above can be avoided if you keep your logins and stored passwords correctly.

Best Way to Store Passwords

There is more than one way to secure your stored passwords, and the options include both free and paid ones. You can add a password manager on your PC, your browser's built-in manager, and more to the list of such tools. So what are the best ways to manage passwords?

Browser password managers: If you use Firefox, Chrome, Safari or another browser, this option will not surprise you. Any of these browsers can be configured to ask whether you want to save your password every time you log in, and there is also an option for automatic login. Which to choose is up to you. But with all these seemingly convenient features come pros and cons:

Pros:

• Convenient
• Fast
• Free

Cons:

• Only works in one browser
• Fewer password generator options

Password manager applications: Password management apps are a great alternative to the save-password feature of your browser. Let's look at the pros and cons of this way of storing passwords.

Pros:

• The best place to store passwords
• Custom strong passwords generated for you
• May offer a free plan

Cons:

• Takes time to find the right one
• May be glitchy
• Requires a master password

Best App to Store Passwords

Below is a list of the most common and convenient password management applications:

• Dashlane: This app provides a free plan for one device, but you can also use it on multiple devices for free. If you need a family plan, this app is for you. It offers six bonus plans that can be tied to one account.
• RememBear: Helps you track passwords with a free plan for one device. If you want to connect multiple devices with backup and synchronization, the paid premium plan will do just fine.
• Bitwarden: An app with both free and paid premium plans for individuals and companies. With this app, you can generate passwords for free and synchronize them between devices.
• LastPass: If you need an app that generates passwords for one device for free, LastPass is for you. Through a paid premium plan it also offers encrypted file storage for multiple applications and a family plan.
• Keeper: Among this application's offers you can find business plans, plans for students, paid plans, and family plans.

Most Insecure Ways to Store Your Passwords

We have looked at the safest and most convenient ways to store passwords. Now let's move on to the unsafe ways. Before you organize your passwords and save them correctly, strike the following from your list:

• Keeping passwords in documents: If you think you can outwit a hacker by hiding your passwords in Word documents, do not be deceived. With a keylogger, it is easy for an attacker to intercept your passwords.
• Paper notes: This certainly hides the password from a remote hacker, but you are still surrounded by people. At work, at home, or in some other institution, your paper notes may fall into the hands of staff, a burglar, or someone else.
• The "Notes" app on your phone: If your phone is not protected by a secure passcode, anyone can open the notes on your phone and extract all the information they need.
• E-mail: If you have ever emailed your password to yourself, do not do it again. It is not a reliable method, because if your email is hacked, the attacker will easily find the password you keep there.

With the information above, you should be able to stay out of trouble with password theft. Always be vigilant about your confidential information; a lot depends on it. With the above-mentioned ways of storing passwords, your accounts will be secure.

Is It Safe to Use a Password Manager in 2022?
https://gridinsoft.com/blogs/is-it-safe-to-use-a-password-manager/ (published Fri, 10 Jun 2022)

What’s the Idea Behind Password Managers?

In the cybersecurity world, everyone knows that passwords really matter. Only in the movies can hackers effortlessly bypass or crack them. A strong password provides decent data protection.

Since an average internet user nowadays has many accounts on different online services, remembering passwords becomes a serious nuisance. Using services other than social media or email becomes inseparable from the tedious "forgot password" procedure.

Image: the interface of Dashlane, one of the most trusted and popular password managers.

To stop these disruptions to your work and at the same time improve data security, people invented password managers. Are they secure, and should you use them? That is what this post is about.

Is it Safe to use Password Managers?

The programs in question store passwords from different accounts and automatically fill them into the respective websites' log-in forms. They also generate strong passwords for each account, saving the user the trouble of doing it. Thus, clients keep all their extremely strong passwords in one box and benefit from form auto-filling. That does not sound secure at all, you might say, and you would be right: without certain security measures, password managers would jeopardize passwords rather than manage them wisely. Having all the keys collected together without proper protection would make them easy prey.

However, there are high-end programs among password managers whose security mechanisms turn them into digital fortresses. That does not mean that all safety issues are solved (we will talk about that further on), but in most cases, a password manager is helpful and handy.

Security Features

• The first thing to say is that password managers use the so-called zero-knowledge architecture. That means nobody except you knows the passwords stored in the password manager's vault. The manager does not "know" them either, because all the passwords are encrypted and protected by the master password, which is not stored in the vault. You know it, and it belongs to you.
• The vault is cloud storage, and any connection between your PC and the cloud is encrypted. This is called end-to-end encryption. We have described how such encryption works in our post on SSL certificates; the principle for establishing a secure connection is the same – a combination of asymmetric and symmetric encryption. In short, even if hackers got hold of the data stored on the password manager's cloud servers, they could not do anything with it.
Image: asymmetric encryption is the key to safe encrypted connections in modern communications.
• Password managers will also audit your credentials, change them regularly, warn you about weaknesses in your password and login combinations, and so on.
• Logging into the manager program can be accompanied by two-factor authentication to make it as secure as possible. 2FA means you confirm your identity via another device as you log in and enter your master password.
• Although data breaches are unlikely, and pointless given end-to-end encryption, some password manager vendors monitor the Internet to detect any leaks or breaches and inform users about them as soon as possible.

If you decide to purchase a password manager, make sure the program you have chosen supports the features mentioned above.

Can a Password Manager Still be Hacked?

Master Password – the Key to the Kingdom

Theoretically, a password manager hack is possible, although extremely unlikely. Moreover, the target of such an attack will definitely not be the cipher used in the vault itself. Attackers need your master password, the code that opens the chest holding the rest of your keys to different accounts. Most likely, hackers will look for a weakness in your habits and use social engineering; for example, they may try to get your password out of you by posing as the developers of your password manager.

Making Your Master Password Strong

Therefore, we still have to say briefly here that for a password to be strong, it must be composed of numbers, letters of both cases, and special characters. And, of course, it must be a long sequence of characters (at least twelve). In addition, the password should not be based on a meaningful word, because criminals often go for spear attacks: personalized attacks in which they know something about the victim. Accordingly, neither names nor anyone's date of birth should appear in the password. Understandably, nobody should be given the key to the password manager. Also, consider reading the guide to creating strong passwords on our blog.

What About Malware

But that is not all, because we should not forget about malicious programs. We have just assumed that hackers might try to crack your password by brute force, but they can take an easier route: they can infect your device with spyware. And we do not mean spyware that collects some data in the background while you browse. We are talking about the most dangerous programs, sometimes also classified as spyware, namely keyloggers and screen loggers. The first capture keystrokes, while the second send everything that happens on your screen to the attackers' server. If you use a virtual keyboard, a keylogger is not dangerous to you, but that is no defense against a screen logger.

Both these programs can be hidden from human eyes with the help of a rootkit, another powerful hacker tool. Finding such programs on your computer would mean that it has been at risk all this time.

Security Solutions

However, to prevent malware from penetrating your device, and to remove it should it get in, there are antiviruses, such as GridinSoft Anti-Malware. It is a great program with three types of protection: on-run protection, deep scanning, and browsing protection. The first destroys an infection on approach. The second, the scan, helps you find well-hidden malware. The last blocks malicious sites and warns you about them.

Unquestionable Benefits of Password Managers

Although we can never rule out the above-mentioned threats, they are unlikely to happen. If we set them aside, we have to admit that password managers have some unquestionable benefits for the user, at least in comparison with the password habits of an average Internet user.

1. Increased security! Undoubtedly, a machine generates strong passwords better than a human does, and the program makes them unrelated to any meaning. Also, manager software stores your credentials flawlessly, keeping them protected with the highest level of security. 256-bit AES encryption is no joke; we can count it unbreakable, at least for today.
2. Password managers make browsing and other Internet activities incomparably easier. On the one hand, your data becomes better protected. On the other hand, all the password-related fuss disappears: you no longer need to invent passwords, note them somewhere just in case, forget them later, and reset them to get back into your account.
3. Password managers are an effective countermeasure against phishing and, more specifically, website spoofing. A well-made fake website can catch even an experienced user off guard. Imagine you land on a typo-squatting web page that looks just like the website you intended to visit. You have not noticed your typo, and as the site loads, you see the familiar appearance of the sign-in form. There is a high chance that a user, let alone a tired one, would notice nothing wrong and type the login and password right into the password-stealing form prepared by the malefactors. However, a problem for a human is no problem for a machine. You will notice if your password manager suddenly refuses to fill out the credentials form automatically. And it won't, of course, if the website address is different, even by a single character.
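The refusal described in point 3 comes down to an origin check before autofill. Below is an added example of such a check (not code from the post or from any password manager; real products differ in details, and many match on the registrable domain rather than the exact origin). The vault entries, domains and secrets are constructed placeholders.

```python
# Added example (not from the Gridinsoft post): a simplified model of the
# origin check a password manager performs before auto-filling a saved login.
# Credentials are released only on an exact scheme + host + port match, so a
# one-character typo-squat, an HTTP downgrade, or a look-alike host that merely
# starts with the saved name never receives them.
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class SavedLogin:
    origin: str       # the site the credential was saved for
    username: str
    password: str


def normalize_origin(url: str) -> str:
    """Reduce a URL to a canonical 'scheme://host:port' origin string.

    The hostname is lower-cased, a trailing dot is dropped, and the default
    port for the scheme is made explicit so 'https://a.example' and
    'https://a.example:443' compare equal. Only http(s) is accepted.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported or malformed URL: {url!r}")
    host = parts.hostname.lower().rstrip(".")
    # Compare international hostnames in their ASCII (IDNA) form so a
    # Unicode look-alike label cannot match a saved ASCII origin.
    host = host.encode("idna").decode("ascii")
    port = parts.port or (443 if scheme == "https" else 80)
    return f"{scheme}://{host}:{port}"


def credentials_for(page_url: str, vault: List[SavedLogin]) -> Optional[SavedLogin]:
    """Return the saved login to auto-fill on page_url, or None.

    None is the 'manager refuses to fill' signal the post describes: a
    different origin, however similar it looks, gets nothing.
    """
    try:
        page_origin = normalize_origin(page_url)
    except ValueError:
        return None
    for entry in vault:
        if normalize_origin(entry.origin) == page_origin:
            return entry
    return None


# Constructed sample vault; the domains and secrets are placeholders.
VAULT = [
    SavedLogin("https://www.example.com", "alice", "correct horse battery staple"),
    SavedLogin("https://mail.example.org:8443", "alice", "a different random secret"),
]

if __name__ == "__main__":
    for url in (
        "https://www.example.com/login",             # exact match: filled
        "HTTPS://WWW.EXAMPLE.COM.:443/login",        # same origin, odd spelling: filled
        "https://www.examp1e.com/login",             # one-character typo-squat: refused
        "http://www.example.com/login",              # HTTPS downgraded to HTTP: refused
        "https://www.example.com.evil.test/login",   # saved host used as a prefix: refused
    ):
        hit = credentials_for(url, VAULT)
        print(f"{url:45} -> {'fill ' + hit.username if hit else 'no autofill'}")
```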

TOP 7 Types of Password Attacks
https://gridinsoft.com/blogs/password-attacks/ (published Mon, 06 Jun 2022)

What is a Password Attack?

You have probably already understood from the name what these attacks are and what they are aimed at. In essence, they are an assault on an account: they are designed to cheat the authentication process to get into it. After that, the attackers behind them spread their malicious software or steal confidential data from the victims' accounts.

Types of Password Attacks

In this article, we will look at several types of password attacks, how they work, and what they are for. We will also consider how to guard against them.

• Dictionary Password Attacks
• Brute-Force Password Attacks
• Phishing Attacks
• Man-in-the-Middle
• Password Spraying Attack
• Keylogger
• Traffic Interception

Dictionary Password Attacks

This is a crude kind of attack. The attacker picks the most common passwords and tries them against multiple accounts, drawing on dictionaries of the most common passwords. Such a list can include the names of your relatives, the names of your dogs, and the date and year of your birth. What can you do to protect yourself?

• Never use a dictionary word as your password. It raises your risk and gives the attacker more opportunities.
• Lock your account after some number of failed attempts; it can be two or five attempts, but no more.
• Use a password manager. It prevents dictionary attacks because it generates complex passwords.

Read also: The most common cyber attacks today: tips for protection. Any site can be hit by these attacks, and it is not clear in advance from which side.

Brute-Force Password Attacks

Attackers take many password combinations and try each of them to enter the victim's account. This method is somewhat outdated because it is slow and laborious, but it is standard and one of the most common. There are several types of this attack:

• Simple brute force attacks. Here the attacker relies on logic. To guess the user's password, he works through possible variants and combinations based on what he knows about the user: family names, the dogs' names, the children's birthdays.
• Credential stuffing. Here the attacker obtains plain-text passwords leaked from vulnerable sites on which the user has previously logged in, and tries them elsewhere.
• Hybrid brute force attacks. This method combines guessing a weak password with automated software that substitutes variations to reveal more complex passwords. Organizations use a small number of variants in most of their systems, and attackers also use templates of user data to populate their credential tools more accurately.
• Reverse brute force attacks. This method involves searching for passwords shared across the system: the attacker looks for a group of accounts that share a common password and tries to log into them with it.

Phishing Attacks

Phishing is aimed at stealing sensitive data through fraud. Through emails, the attacker tries to get the user to hand over his data. Intruders often use manipulation, extortion, deception, pressure, and other insidious ways to make the user give up his bank accounts, account passwords, credit cards, and other confidential data. Examples of phishing attacks:

• Regular phishing. Here the hacker masquerades as a company and fakes the sender's address to match it. You glance at the sender line, take it for a legitimate company, and send them what they want. The conclusion: read the sender's address carefully, because behind a slightly wrong address can be a fraudster.
• Spear phishing. Here the hacker pretends to be your friend or colleague and asks you to send him something by mail. If this seems strange and you did not expect such a request from this person, call him and ask whether he really sent it. Do you know the difference between phishing and spear phishing?
• Smishing and vishing. Here the attacker works via phone call or text message. In such texts or calls, intruders warn you about a possible hack or fraud and ask you to go to an account to fix it. You go and lose your data, because the hackers steal it. The lesson: look closely at the numbers you receive something from.
• Whaling. Here the attacker acts as if on behalf of a high-ranking person and writes a message asking you to send confidential data; you send it and lose all your privacy.

Read also: Fraudsters in all forms are trying to steal your data. Read the top 10 ways to recognize and avoid phishing.

Man-in-the-Middle Attack

In this type of attack, the attacker is a third party who intercepts the passwords and messages transmitted between users and reads them. He can be called an intermediary. To do this, the hacker uses unprotected communication channels. How do you avoid a man-in-the-middle attack and keep from handing all your information to the attacker?

• Enable encryption on your router. If your traffic can be read so easily, it does not have proper encryption, and most likely the person reading it is using a "sniffer".
• Use strong credentials and two-factor authentication. To prevent an attacker from redirecting all your traffic to his or her servers, change your router credentials from time to time.
• Use a VPN. A VPN can protect your data from man-in-the-middle attacks and gives you assurance that the data sent to the servers travels through a secure channel.

Password Spraying Attack

This attack focuses on password theft. The process is this: the attacker selects several passwords and sprays them across many user accounts. These passwords are taken from password dictionaries; they can also be the most common combinations, such as password1, qwerty, 1111, and other standard passwords. The attackers think through every move and try to bypass the lockout system, so that the account is not blocked after a number of attempts. Password spraying is quite a careless, rough form of attack: after several login attempts, the site begins to block the entrance.
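Because spraying stays under the per-account lockout, a defender has to count differently: distinct accounts per source rather than failures per account. The following is an added example of that detection logic run over constructed log lines (not code from the post); the log format, addresses and thresholds are assumptions for the illustration.

```python
# Added example (not from the Gridinsoft post): telling password spraying
# apart from classic brute force in authentication logs. Spraying tries a
# few passwords against many accounts while staying under the lockout
# threshold, so per-account counting misses it; counting the distinct
# accounts each source fails against does not. Format and thresholds are
# constructed for the example.
from collections import defaultdict
from dataclasses import dataclass
from typing import List

LOCKOUT_THRESHOLD = 5     # failed attempts after which the site locks an account
SPRAY_MIN_ACCOUNTS = 10   # distinct accounts one source must fail against
BRUTE_MIN_ATTEMPTS = 20   # failures against a single account from one source


@dataclass
class Verdict:
    source: str
    kind: str             # "spraying" or "brute-force"
    accounts: int         # distinct accounts the source failed against
    attempts: int         # total failed attempts from the source


def parse_line(line: str):
    """Parse '<timestamp> <OK|FAIL> user=<name> src=<ip>' into (result, user, src).

    The password itself is never logged; only the outcome is needed here.
    """
    _ts, result, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return result, kv["user"], kv["src"]


def classify(lines) -> List[Verdict]:
    """Group failures by source address and apply the two heuristics."""
    failures = defaultdict(lambda: defaultdict(int))   # src -> user -> count
    for line in lines:
        result, user, src = parse_line(line)
        if result == "FAIL":
            failures[src][user] += 1
    verdicts = []
    for src, per_user in sorted(failures.items()):
        total = sum(per_user.values())
        worst = max(per_user.values())
        if len(per_user) >= SPRAY_MIN_ACCOUNTS and worst < LOCKOUT_THRESHOLD:
            # Many accounts, each kept below the lockout line: the spraying signature.
            verdicts.append(Verdict(src, "spraying", len(per_user), total))
        elif worst >= BRUTE_MIN_ATTEMPTS:
            # One account hammered far past the lockout line.
            verdicts.append(Verdict(src, "brute-force", len(per_user), total))
    return verdicts


def sample_log() -> List[str]:
    """Constructed log: one sprayer, one brute-forcer, one forgetful user."""
    lines = []
    users = [f"user{i:02d}" for i in range(12)]
    # 203.0.113.7 tries two common passwords (say password1 and qwerty)
    # against twelve accounts: 24 failures, never more than 2 per account.
    for minute in range(2):
        for u in users:
            lines.append(f"2022-06-06T11:{minute:02d}:00 FAIL user={u} src=203.0.113.7")
    # 198.51.100.9 hammers a single account 25 times.
    for minute in range(25):
        lines.append(f"2022-06-06T12:{minute:02d}:00 FAIL user=admin src=198.51.100.9")
    # 192.0.2.4 mistypes once, then logs in: no alert.
    lines.append("2022-06-06T13:00:00 FAIL user=alice src=192.0.2.4")
    lines.append("2022-06-06T13:00:30 OK user=alice src=192.0.2.4")
    return lines


if __name__ == "__main__":
    for v in classify(sample_log()):
        print(f"{v.source:14} {v.kind:12} accounts={v.accounts:3} failures={v.attempts:3}")
```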

Keylogger

The attacker installs monitoring tools on the user's computer and secretly records keystrokes. The information is recorded by the keylogger and then passed to the attacker. Keyloggers are sometimes used with good intentions, to monitor employees and improve UX, but here too attackers have learned to turn them to their evil ends.

Traffic Interception

This type of attack involves intercepting network traffic for data collection and monitoring. The most common way to do this is over connections that do not use encryption, most often Wi-Fi connections. Therefore, learn how to use public Wi-Fi safely: risks to watch out for. This attack also extends to SSL traffic, which the attacker intercepts as the user attempts to connect to a secure website.

How to Prevent Password Attacks

Our data is a part of our lives, and none of us would like hackers to use it against us for their own gain. Below are some tips on how to avoid or prevent an attack by an intruder:

• Enforce strong password policies. To begin with, your passwords must be created correctly and securely. They should be at least 8 characters long and use not only lowercase letters or numbers but also capital letters and special characters. Your password must not contain any confidential information about you.
• Organization-wide password security training. A large organization must tell its employees about suspected attacks and precautions. Employees should be aware of how to create strong passwords and of the social engineering that disguised intruders can use to attack.
• Enable Multi-Factor Authentication. Multi-factor authentication provides a more reliable security system and adds a further layer of security on top of passwords.
• Use a password manager. A password manager is designed to help web administrators store and manage user credentials. It will also help you generate complex and strong passwords according to your security policy. The data is better protected from leaks, because user credentials are stored in encrypted databases.

Use Strong Passwords to Can't be Hacked
https://gridinsoft.com/blogs/use-strong-passwords-to-cant-be-hacked/ (published Wed, 27 Apr 2022)

A password to an internet service account, social media profile, computer, or mobile phone is perceived nowadays as something inseparable from information technology in general. As narrow checkpoints to whatever lies beyond them, passwords inevitably attract the attention of hackers.

In this article, we recall the biggest password dangers and give tips on how to think up a strong password, protect yourself from password stealers, and avoid becoming a victim of a password-related scam. Spoiler: you can't overestimate a strong password!

Tips that Help to Create Strong Passwords

Passwords are the first line of data protection against hackers and malware, so users should not treat them as a formality. The stronger the password guarding your Internet accounts, the safer your valuable information. Users often think that a password is an outdated defense and that if hackers want to break it, they will always find a way. That is an ignorant thing to think!

1. Have a unique password for each of your accounts. Your email password should not be your banking password. If evildoers manage to grab one of your passwords anyhow, they will try it everywhere; the rest of your accounts should remain impenetrable.
2. A strong password consists of digits, upper-case and lower-case letters, and special symbols. It should also be at least eight characters long. The time difference between brute-force attacks on a weak and a strong password is astonishing: an instant against eons.
3. Use anything but your own data. No names, dates, favorite colors, or literary characters. Password breakers research their victims, and by the time they approach your password, they will most likely be armed with information about you. Don't make their work easier!
4. Make sure you don't use consecutive keyboard combinations like "qwerty." These can be cracked very quickly. Also, mind that people tend to make very predictable keystrokes when trying to type something "random."
5. Don't be too lazy to log out whenever you leave your computer or portable device, especially a workplace device. Also, don't forget about the possibility of signing out of your accounts on all devices remotely.

Avoid this in Creating a Strong Password

Of course, cybercriminals might try to hack your password, but there is no guarantee they will succeed. It will take a password cracking program less than a second to break a password like "qwerty", let alone "123". But the same software will be busy with an 18-character code of letters of both cases, numbers, and special symbols for more than a quadrillion years. The point of maintaining strong passwords is to make a brute-force attack impractical.

• Avoid entering your passwords on questionable machines that you don't control. The threat is the possible presence of password-stealing or keylogging malware. If you had to do it anyway, change that password as soon as possible.
• The same goes for unsecured wireless networks. The attack via a compromised Wi-Fi network is called "man-in-the-middle," and it is fraught with stolen passwords and other credentials.
• Don't tell your password to anyone, even friends. Never share with a friend what you wouldn't like your enemy to know. And that is not because your friends are bad.
• Change your passwords from time to time. People hate doing that, but all safety precautions seem excessive until they save you. Decline when a browser offers to store your passwords; always select "never."
• Try not to write your password on paper at your workplace. Someone might find it, and chances are high that somebody will. Remember, people think they are safe because they consider themselves uninteresting to crooks. That is not always so.

Cyber Criminals Hack Passwords

Use two-factor authentication! Google has made it obligatory for its accounts, and that is good. It is reasonable to activate it on every account where it is possible. You will then need to confirm your identity with one tap on your mobile phone whenever you, or someone else, tries to access your account.

Phishing attacks

Phishing is one of the most dangerous attacks in terms of password protection for one simple reason: it does not involve breaking passwords. Phishing doesn't even need malware! A successful phishing campaign is sheer deception and social engineering.

Victims themselves deliver their credentials to the frauds, mistaking them for someone legitimate. However, since you are reading this, you will hopefully know that unexpected letters, and even more so their attachments or the links inside them, are something to be careful with. The topics of such letters are typically:

• A delivery that is waiting for you.
• A money transfer.
• Something tempting like a sudden lottery win.

Often criminals invite their victims to confirm their passwords on a seemingly trustworthy website (like Facebook) that turns out to be a spoofed web page. The login and password entered into the form on that site go straight to the crooks.

        Form-Grabbing

        While phishing usually uses fake websites, hackers can intercept the data of any actual sign-in form. That is possible with the help of a form-grabber, a Trojan-delivered malware that runs on the victim’s machine. It does not mess up the user’s communication with the website, but the form data is copied and delivered to the crooks.

        Like any other malware, form-grabbers end up on victims’ computers via common routes: dubious websites, questionable downloads, and unexpected emails and messages with attached files. Security programs like GridinSoft Anti-Malware are good at detecting and removing this class of malware.

        Brute Force Attack

        Exhaustive search (or brute-force search) systematically checks every possible key until the solution is found. Its effectiveness is undeniable. If the key consists of four digits, a person would spend a lot of time checking all the variants between 0000 and 9999. A modern computer will do the job in less than a second, giving it an obvious advantage over the human.

        But what if the password is a 24-character string that includes lowercase letters, capital letters, digits, and special symbols? Brute force is useless here, as it would take years to break such a password. The effectiveness of brute-force search can be heightened considerably by lists of candidate solutions; dictionary attacks are a form of such assistance.

        Dictionary Attack

        A brute-force attack is an ideal procedure that will, given enough time, break any defense. Dictionary attacks combine a brute-force feature, namely the automated guessing process, with algorithms built around the likely vocabulary of the person believed to have chosen the password. If you set out to create a strong, randomly generated password, you will succeed, of course. But people rarely do that.

        NOTE: Password meter services put Internet users at risk. Change your password to a more secure one immediately!

        Password choice is rarely random. The basis of the password is often a word, a name, or a date that means something to the victim. People tend to add a few digits to that word for show. Adding special symbols is too much for the average user.

        Understandably, if the malefactors know the names of the victim’s family members, their dates of birth, and similar information, they can restrict their guesses to variations of these words and numbers. If that works, the password succumbs much sooner.

        Keylogger Malware Attack

        Keyloggers are a type of malware. Such programs can be injected into the victim’s system as Trojans. As a keylogger runs, it records every key pressed by the user and sends these records to the hackers who introduced the keylogger into the victim’s device. It is easy to harvest passwords from such logs after that.

        What can limit the effectiveness of a keylogger is the use of a virtual keyboard (though few people do that), a password manager, and, of course, anti-malware software.

        Password Stealer

        A password stealer is Trojan-related malware capable of extracting saved passwords from programs that store them for users’ convenience, web browsers for example. Google Chrome keeps passwords in the user’s cloud account, but some browsers still store passwords on the machine, serving as local password managers. Stealers are pretty detectable, and GridinSoft Anti-Malware, for example, has no problem quarantining them instantly. You should also understand the need to change the default password of any network device to a strong one.

        Data Breach Attack

        Finally, hackers can obtain passwords to Internet services in yet another way. If the servers belonging to the service in question are breached, the malefactors might get access to its users’ passwords. There is little a user can do against such a threat; however, large companies have efficient data protection systems, so it is reasonable to trust them.

        Malware Takes my Passwords?

        Strong passwords are a must-have basis for data security. However, some harmful programs and malicious hacker techniques are designed not to break your password but to steal or detour it. Here are examples of well-known password-stealing malware.

        IMPORTANT INFORMATION: Spam emails are still the most popular way for viruses to spread. Smoke Loader, a password-stealing malware, has just added a new way to infect your PC.

        RedLine stealer is a malware-as-a-service product sold on hacker black markets. After it is purchased, it is distributed as a Trojan. For example, there were cases of RedLine being disguised as a Windows 11 update. Once it has infiltrated the victim’s machine, the malware behaves like a versatile stealer of passwords and other credentials.

        The notorious email-borne virus “I love you,” which led to the shutdown of email servers worldwide back in 2000, also contained a password-stealing Trojan that grabbed passwords from compromised systems and sent them to a server in the Philippines.

        A Few More Words on Malware

        As for the most recent events, in March 2022 more than 100,000 Android users suffered from Facestealer, a password-stealing malware that masquerades as the Craftsart Cartoon Photo Tools application.

        Understandably, a stolen password is no fun. It may lead to information theft, digital vandalism, fraud, and identity theft as the worst possible outcome. Protection against password-stealing malware is no less important than having strong passwords.

        Use Strong Passwords to Can’t be Hacked

        The researcher found that every 142nd password is “123456”
        https://gridinsoft.com/blogs/the-researcher-found-that-every-142nd-password-is-123456/
        Published: Thu, 02 Jul 2020 16:29:34 +0000

        Ata Hakçıl, a Turkish student and independent researcher, has done a great job examining over a billion different usernames and passwords. The researcher found that every 142nd password is “123456”.

        He collected such a huge dump for analysis from open sources: all this data was once “leaked” to the network after various information security incidents.

        Such dumps have been accumulating on the network for more than a dozen years, and their number only grows as new companies get breached. Finding them is not difficult at all: such collections of credentials are available on GitHub and GitLab, and are freely distributed on hacker forums, through file-sharing apps, and so on.

        It is also worth noting that large companies have long been collecting such dumps in order to warn their users about the danger. For example, Google, Microsoft and Apple use leaked logins and passwords to create their own warning systems that inform people when they use a weak or already compromised password.

        “In a huge collection he managed to find 168,919,919 unique passwords and, as it turned out, more than 7,000,000 of them are the password “123456” (every one hundred forty-second password),” writes Hakçıl.

        Specialists have long been warning that the 123456 sequence is the most used password in the world and has been leading by a wide margin for at least five years. Also recall that, according to researchers from Carnegie Mellon University, users seldom change passwords even after data leaks.

        The researcher also estimated that the average password length is 9.48 characters, although information security experts usually recommend using longer passwords (from 16 to 24 characters). Password complexity was also a problem, since only 12% of the total number of passwords contain at least one special character.

        Worse, in the vast majority of cases, users choose the simplest passwords: letters only (29%) or numbers only (13%). In effect, this means that approximately 42% of all passwords are vulnerable to commonplace dictionary attacks and brute force.

        Other interesting findings from the Hakçıl report:

        • out of 1,000,000,000+ studied lines, 257,669,588 were filtered out as damaged;
        • in fact, a billion credentials contained only 168,919,919 unique passwords and 393,386,953 usernames;
        • the most common password is “123456”; it occurs in approximately 0.722% of cases;
        • the 1,000 most common passwords account for approximately 6.607% of all analyzed passwords;
        • the average password length is 9.4822 characters;
        • only 12.04% of passwords contain special characters;
        • 8.79% of passwords contain only letters;
        • 26.16% of passwords contain lowercase characters only;
        • 13.37% of passwords contain only numbers;
        • 34.41% of all passwords end with numbers, but only 4.522% of passwords begin with numbers.
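The figures above come from classifying every password in a dump by its character composition. The Python below is an added example of that kind of analysis (it is not Hakçıl's code); the dump it parses is constructed inline, and the "username:password" line layout is an assumption about how such dumps are laid out.

```python
"""Composition statistics over a credential dump, in the spirit of the
Hakçıl analysis described above. Added example, not the researcher's own
code; the sample dump is constructed for illustration."""
from collections import Counter
import string

# Constructed sample in a "username:password" dump layout (assumed layout).
# Two lines are deliberately damaged: one has no separator, one has an
# empty password. The study filtered out about a quarter of lines this way.
SAMPLE_DUMP = """\
alice:123456
bob:Password1!
carol:123456
dave:qwerty
erin:42
frank:letmein9
grace:ILOVEYOU
heidi:123456
this line has no separator
ivan:
"""


def parse_dump(text):
    """Split raw dump lines into (username, password) pairs.

    Returns (credentials, damaged_line_count). A line is damaged when it
    lacks the separator or either field is empty."""
    creds, damaged = [], 0
    for line in text.splitlines():
        user, sep, pw = line.partition(":")
        if not sep or not user or not pw:
            damaged += 1
            continue
        creds.append((user, pw))
    return creds, damaged


def analyze(passwords):
    """Return the same kind of composition figures the study reports.

    Percentages are of all password occurrences (not unique passwords),
    which is how "123456 occurs in 0.722% of cases" is computed."""
    total = len(passwords)
    counts = Counter(passwords)
    top_pw, top_n = counts.most_common(1)[0]

    def pct(n):
        return round(100.0 * n / total, 2)

    has_special = sum(any(c in string.punctuation for c in p) for p in passwords)
    return {
        "total": total,
        "unique": len(counts),
        "most_common": top_pw,
        "most_common_pct": pct(top_n),
        "avg_length": round(sum(len(p) for p in passwords) / total, 2),
        "special_pct": pct(has_special),
        "letters_only_pct": pct(sum(p.isalpha() for p in passwords)),
        "lowercase_only_pct": pct(sum(p.isalpha() and p.islower() for p in passwords)),
        "digits_only_pct": pct(sum(p.isdigit() for p in passwords)),
        "ends_with_digit_pct": pct(sum(p[-1].isdigit() for p in passwords)),
        "starts_with_digit_pct": pct(sum(p[0].isdigit() for p in passwords)),
    }


if __name__ == "__main__":
    creds, damaged = parse_dump(SAMPLE_DUMP)
    print(f"damaged lines filtered out: {damaged}")
    for key, value in analyze([pw for _, pw in creds]).items():
        print(f"{key:>22}: {value}")
```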

        Users seldom change passwords even after data leaks
        https://gridinsoft.com/blogs/users-seldom-change-passwords-even-after-data-leaks/
        Published: Wed, 03 Jun 2020 16:19:03 +0000

        Researchers from Carnegie Mellon University found that users seldom change passwords even after receiving data leakage messages. Scientists estimate that only a third of users actually update access to their sensitive data after being compromised.

        Interestingly, this report, presented as part of the IEEE 2020 Workshop on Technology and Consumer Protection, is based not on survey data, but on actual browser traffic.

        Experts examined real traffic collected through the University’s Security Behavior Observatory, a research group that users voluntarily join, sharing their full browser history for academic research.

        “The data for this analysis was collected from the home computers of 249 experiment participants for the period from January 2017 to December 2018. The information included not only web traffic, but also passwords stored in the browser,” said the researchers.

        As it turned out, of 249 users, only 63 had accounts on various hacked domains (those companies that publicly announced hacking and data leakage were taken into account).

        Users seldom change passwords

        Of these 63 users, only 21 (33%) visited the hacked sites to change their password, and of these 21, only 15 changed their passwords within three months after the announcement of the compromise.

        In total, 23 passwords were changed on the above domains. So, among the experiment participants who changed their passwords, there were only 18 Yahoo! users; 31 more Yahoo! users (out of 49 in total) did not change their passwords, although everyone suffered from a data leak. 2 more users changed their passwords from Yahoo! twice, once after each report of compromise. 2 users changed their passwords on the hacked domain within one month after the hacking announcement, 5 people changed their passwords after two months and 8 people after three months.

        Since, among other things, the researchers collected data on the participants’ passwords, the team was able to analyze the complexity of the new passwords.

        “Among the users who changed the passwords (21 people in total), only a third (9 people) changed them to more reliable ones. The remaining members of the control group came up with weaker passwords or passwords of a similar strength. As a rule, new passwords were created either by reusing sequences of characters from the previous password, or people simply changed the password to a different one, but already used for other accounts and also stored in the browser,” said researchers from Carnegie Mellon University.

        Experts say that hacked services themselves are responsible for issues with passwords, since they “almost never explain to people that they still need to reset similar and identical passwords for other accounts.”

        By the way, turning to password managers is not an option – I recently wrote that experts have discovered vulnerabilities in popular password managers. And, by the way, it’s better not to check the password complexity on the Internet either, since, according to research, password meter services put Internet users at risk.

        Experts have discovered vulnerabilities in popular password managers
        https://gridinsoft.com/blogs/experts-have-discovered-vulnerabilities-in-popular-password-managers/
        Published: Thu, 26 Mar 2020 16:05:20 +0000

        Experts from York University explained how they managed to detect vulnerabilities in popular password managers. The bugs allowed malware to steal user credentials.

        It turned out that back in 2017, researchers analyzed five popular password managers: LastPass, Dashlane, Keeper, 1Password and RoboForm. The analysis helped identify four previously unknown vulnerabilities, including one that led to the disclosure of credentials.

        The most serious of the detected problems allowed a malicious application to impersonate a legitimate program and trick the password manager into revealing the stored credentials. The experts did not risk talking about their research earlier, as they considered it too dangerous.

        “The main problem affected the Android applications 1Password and LastPass, which were recognized as vulnerable to phishing attacks, as it was very strange to determine which saved credentials to offer for autocomplete. In fact, a malicious application could pretend to be legitimate simply by using an identical name,” write the experts.

        So, the researchers created a PoC application that successfully attacked LastPass (and could do the same with 1Password). The application had a login screen designed to mimic the official Google login screen and was therefore difficult to distinguish from the real one. As a result, LastPass offered to autofill this fake screen with Google credentials.

        Vulnerabilities in popular password managers

        At the same time, experts note that the attack had a number of obvious limitations: the malicious application must be installed on the victim’s device, and the victim herself must use vulnerable password managers and autocomplete, and also have credentials for the target application stored in encrypted storage.

        Another vulnerability that the researchers found in all of the password managers listed above (with the exception of 1Password) was that they did not provide sufficient protection for credentials copied to the clipboard. In particular, on Windows 10, credentials could be pasted from the clipboard in plain text, even if the computer was locked. According to the experts, to protect against such attacks, password managers should automatically clear the clipboard after a certain time.

        Although some password managers allow users to protect their password store with a four-digit PIN code, the experts write that the RoboForm and Dashlane applications did not count incorrect attempts to enter this code. That is, an attacker could enter two PIN codes, then remove the application from the list of recently used ones and try two more PIN codes. Even entering PIN codes manually, an attacker could still find the right PIN in an average of 2.5 hours.

        “We did not fully automate this attack, but we believe that in the case of an automated attack, PIN retrieval will take significantly less time,” the experts write.

        Researchers contacted the developers of the tested password managers back in 2018. It is reported that five vendors responded to their requests and listened to warnings, but patches were not issued for all detected problems, as many of the vulnerabilities found were given a low priority.

        Let me remind you that the popular password meter services put Internet users at risk. So, it remains only to remember passwords, right? )

        Password meter services put Internet users at risk
        https://gridinsoft.com/blogs/password-meter-services-put-internet-users-at-risk/
        Published: Fri, 20 Dec 2019 16:14:20 +0000

        Password meter services, implemented on many popular platforms, can be misleading, thereby putting users at risk of cyberattacks.

        During the holiday season, hundreds of millions of people will receive gadgets as gifts or use their devices to buy them. The minimum they have to ensure is that their data will be safe. The key to security is a strong password.

        A study by the University of Plymouth assessed the effectiveness of 16 password meters that people are likely to use or encounter on a regular basis.

        “The main focus was dedicated to password meter websites, but the study also sought to assess those embedded in some common online services (including Dropbox and Reddit) and those found as standard on some of our devices,” say researchers from the University of Plymouth.

        As part of the study, the scientists tested the effectiveness of the 16 most common password meters using 16 passwords, 10 of which were included in the list of the worst passwords (including ‘password’ and ‘123456’). Of these weak passwords, only five were regarded as such by all tested meters, while the rest, for example ‘Password1!’, were considered reliable by some services.

        The situation with browser-generated passwords is different: all services rated them as reliable, the experts note. They also noticed differences in recommendations between sites. For example, some services urged users to choose stronger passwords for their accounts, while others quietly allowed passwords such as ‘abc123’, ‘qwertyuiop’ and ‘iloveyou’ (all of them appear in the list of the worst passwords of 2019 presented by NordPass).

        “Password strength meters alone are a good idea, you just need to use the correct one […] It should also be remembered that in practice, regardless of the meter’s assessment, many systems and sites will still accept weak passwords without offering any recommendations on how to make the best choice”, – said Steve Furnell, professor at Plymouth University.

        Recall that in February of this year, Google released the Password Checkup extension for the Chrome browser, which alerts users if their credentials were found in past leaks and offers to change the password, and in October Google Password Manager introduced the function of checking password security in Password Manager.

        Change your password urgently to a more secure one (and better not rely on password meters yet). Also, Check Point experts named the most dangerous malware of November 2019. On the eve of the holidays, do not forget about information security!

        Appendix:

        List of the Top-20 worst passwords by NordPass (just in case ;-))

        1. 12345
        2. 123456
        3. 123456789
        4. test1
        5. password
        6. 12345678
        7. zinch
        8. g_czechout
        9. asdf
        10. qwerty
        11. 1234567890
        12. 1234567
        13. Aa123456.
        14. iloveyou
        15. 1234
        16. abc123
        17. 111111
        18. 123123
        19. dubsmash
        20. test
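A meter that rates ‘Password1!’ as reliable is scoring character classes without first asking whether the password is a known-bad one with decorations added. The Python below is an added example of a check that avoids that pitfall and also carries out the brute-force keyspace arithmetic from the earlier section (four digits versus 24 mixed characters); it is not code from the Plymouth study, NordPass or any of the tested meters, and the guesses-per-second figure is an assumption.

```python
"""Password check that consults a denylist before counting character classes,
plus a keyspace-based brute-force estimate. Added example, not a page tool."""
import math
import re
import string

# The NordPass top-20 list quoted on this page, lowercased for matching.
WORST_PASSWORDS = {
    "12345", "123456", "123456789", "test1", "password", "12345678",
    "zinch", "g_czechout", "asdf", "qwerty", "1234567890", "1234567",
    "aa123456.", "iloveyou", "1234", "abc123", "111111", "123123",
    "dubsmash", "test",
}

GUESSES_PER_SECOND = 1e10  # assumed rate for an offline attacker (constructed)


def base_word(password):
    """Strip the decorations people add 'for show' (leading/trailing digits
    and punctuation) and lowercase, so 'Password1!' reduces to 'password'."""
    return password.strip(string.digits + string.punctuation).lower()


def alphabet_size(password):
    """Size of the alphabet an exhaustive search must enumerate to cover
    every character class present in the password."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += len(string.punctuation)
    return size


def brute_force_seconds(password):
    """Worst-case exhaustive-search time: alphabet ** length guesses."""
    return alphabet_size(password) ** len(password) / GUESSES_PER_SECOND


def rate(password):
    """Return (verdict, reason). Denylist checks run first, so a decorated
    worst-password cannot score well on character classes alone."""
    if password.lower() in WORST_PASSWORDS:
        return "weak", "on the worst-passwords list"
    if base_word(password) in WORST_PASSWORDS:
        return "weak", "worst-password with digits/symbols added"
    if len(password) < 8:
        return "weak", "shorter than 8 characters"
    bits = len(password) * math.log2(alphabet_size(password))
    verdict = "strong" if bits >= 60 else "moderate"
    return verdict, f"about {bits:.0f} bits of brute-force resistance"


if __name__ == "__main__":
    for pw in ["123456", "Password1!", "abc123", "qwertyuiop", "0000",
               "xK9#vQ2!mR7$pL4@nW8&zT3^"]:
        verdict, reason = rate(pw)
        print(f"{pw:<26} {verdict:<9} {reason}; "
              f"exhaustive search {brute_force_seconds(pw):.3g} s")
```

Note that ‘qwertyuiop’ still scores as moderate because it is not in the quoted top-20, which is exactly why a denylist built from larger breach corpora matters more than the character-class arithmetic.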
