Password News


Q3 2017 — sponsored by Thycotic — provides chief information security officers (CISOs) and IT security teams with a quarterly diary of noteworthy security issues with passwords ranging from stolen credentials to purchasing stolen passwords on the black market.


Give passwords the finger?

Biometrics, cryptographic keys, and micro-chipping aim to replace passwords

Kacy Zurkus

Menlo Park, Calif. – Oct. 3, 2017

The third quarter saw many stories about passwords. Are they good or bad? Strong or weak? Short or long? Are biometrics going to replace them? One thing is for sure, there’s plenty of debate.

A report published by Cybersecurity Ventures and Thycotic earlier this year found that the total number of user and privileged accounts that will be at risk, including a combination of human and machine passwords, will surpass 300 billion passwords by 2020.

Despite a promise of a future with no passwords, users and businesses must remain vigilant in protecting their login credentials.



Sep. 28. The one-day-old High Sierra macOS has a security flaw that allows some applications to access sensitive information, such as stored passwords and keys, unbeknownst to the user.

Sep. 27. Passwords used as security are vulnerable to being compromised, as are some biometric security systems (face, voice, fingerprint recognition). But the University of Buffalo is developing a heart identification biometric that reportedly cannot be compromised.

Sep. 27. Deloitte, one of the world’s “big four” accounting firms, may have compromised some of the company’s blue-chip clients when hackers cracked the password on an admin account that lacked multifactor authentication.

Sep. 26. According to CynergisTek CEO Mac McMillan, “16-character complex passwords can be cracked by a hacker in less than an hour.” Multiple factor identification should replace passwords.

Sep. 25. London-based human rights NGO leader, Muhammad Rabbani, was convicted of terrorism charges for refusing to give Heathrow Airport security officials the password to access his mobile phone and laptop.

Sep. 22. Among other things, Equifax did not disclose at the time of their breach announcement that the hackers found no real security and easily accessed their system using weak passwords. “Admin” was both the username and password.

Sep. 22. A look at users’ password habits with the primary question being, ‘Are they improving?’

Sep. 21. SVR tracking provides its customers with around-the-clock surveillance of cars just in case the vehicles are stolen or towed. Over a half million passwords to the tracking devices were leaked online.

Sep. 20. Using the same password across multiple sites increases the potential of stolen credentials. Dashlane, a password management program, alerts company administrators when their users are not complying with company password rules.

Sep. 19. Researchers from Digital Citizens Alliance learned that almost 14 million .edu email credentials are for sale on the dark web. Addresses and passwords from faculty, staff, students, and alumni at U.S. universities are up for sale.

Sep. 17. Companies are trying to improve their security without disrupting the user experience, and many believe behavior-based authentication is likely to replace passwords.

Sep. 15. More than 388 records of Equifax user and employee endpoint data from LinkedIn and other third parties are available for sale on the dark web, including usernames, passwords, and login URLs.

Sep. 13. Keeping up with your passwords can be frustrating and time-consuming. Biometrics as a means of authentication is now becoming mainstream.

Sep. 11. Database owners forgot to set passwords on their administrative accounts, which left MongoDB open to attack. The attackers gained access to more than 26,000 servers, all of which they’ve ruined by rewriting their content with ransom demands.

Sep. 9. Though intended to be comedic, the number of people that gave up their passwords to Jimmy Kimmel is alarming, especially since this was after the Equifax breach.

Sep. 4. A blacklist of passwords was made public to show users that they do not apply proper encryption protections, and a security researcher cracked all but 116 of the 320 million ‘protected’ passwords on the list.


Aug. 30. A misconfigured spambot resulted in the leak of more than 700m email addresses and passwords.

Aug. 30. People have many misconceptions about creating better passwords, such as believing that adding an exclamation point at the end of their password will make it much stronger.

Aug. 26. Weak, guessable passwords and poor password management are at the root of many user account attacks, giving rise to the question of whether passwords will soon be a thing of the past.

Aug. 24. Most ATM users have experienced the discomfort of having a stranger standing close enough to observe a financial transaction. They can now take comfort in knowing they can protect their information as researchers have devised an app to protect PINs and passwords.

Aug. 21. For those who dream of a world without passwords and would like nothing more than to empty their wallet of all those plastic cards, microchipping may be the next-gen password.

Aug. 21. Identity thieves hijack cellphone accounts to reset the passwords on every account that uses the number as a backup.

Aug. 17. “Complexity” is out. Length is in. There are many different ways that password creation is evolving.

RELATED: Free IT tools to help you save time and money while protecting your privileged account passwords

Aug. 17. Cryptographic video keys stored in user devices may come to replace the outdated and risky passwords commonly used.

Aug. 15. Some big online brands allow terrible passwords created by their customers. Among the brands: Uber, Spotify, Walmart, and Macy’s.

Aug. 14. New NIST guidelines make password creation simpler. Changing them regularly and using different passwords for each app are just some of the steps to creating stronger passwords.

Aug. 14. Too many passwords and rules to follow in creating them have many users overwhelmed. If you have a password manager, there is only one password you need to remember.

Aug. 13. Strong password management and two-step authentication help to solve the greatest password problems of today—that computers are able to guess what humans can’t remember.

Aug. 11. “Instant Karma” is the name of the Facebook password-stealing software that infects a user’s gadget.

Aug. 7. A website called “Have I been Pwned” allows users to check if their password has been compromised.

Aug. 3. More than one billion compromised usernames and passwords are floating around on lists on the internet.

Aug. 2. With more than 20 password policy best practices to choose from, enterprises can take steps to mitigate the risks of end users.

Aug. 2. A bipartisan group of US senators introduced a bill that requires vendors of IoT devices sold to the government to not include hard-coded passwords.


Jul. 25. We have a growing number of password problems, and some would like to believe that the solution is a password manager.

Jul. 24. PayPal users receiving notices that the “account passwords have been entered incorrectly more than five times,” are directed to a phishing website.

Jul. 24. Passphrases, along the lines of ‘whattimeiscoffee’, are stronger than passwords and easier to remember. If you’d put a hashtag in front of it, the phrase could make a good password.

Jul. 21. Secret sharing is one method of protecting passwords that is not widely talked about. The method uses multiple security matches and routes that are nearly impervious to attack. Passwords, keys, and two-factor authentication are currently all widely used.

Jul. 19. Wakefield Research finds password practices remain sloppy. Thirty-six percent report that they use the same password for 25% or more of their online accounts.

Jul. 19. Knowing what to do if customs and border agents request the password to your device can have different implications. The ACLU offers precautions for travelers.

RELATED: Free online password checker lets you immediately determine the strength or weakness of any password in seconds

Jul. 19. While many millennials are more tech savvy and open to new and more secure forms of authentication, their password practices are worse than the general population.

Jul. 17. There is a new password-stealing malware that spreads rapidly thanks to rock-bottom prices.

Jul. 15. As video streaming becomes more and more popular, providers engage in the password-sharing debate. Netflix, HBO and other streamers may want to heed the warnings of other internet media.

Jul. 12. When millions of your customer accounts are put at risk because of a lapse in security, it’s not good for business. The Verizon phone account hijacking is a “nightmare situation,” says Per Thorsheim, a password expert and security researcher.

Jul. 12. Keeping track of multiple passwords is a hassle and a security risk, for both the public sector and the government. Getting rid of passwords could be the relief that the DOJ needs.

Jul. 7. It’s not terribly complicated, but taking the time to learn how to use a password manager will let you take your passwords with you anywhere.

Jul. 6. Keeping your information secure is challenging in our increasingly hacked world, but everyone needs to remember that there are some basic steps to protect your digital self.

Jul. 5. Microsoft’s biometric identity token ring may replace passwords by streamlining the login to Windows 10.

Jul. 1. Many corporations have unfortunately made headlines after having been breached, but a Hong Kong-based online retailer is recognized for believing passwords are inconsequential when it comes to security.

Kacy Zurkus is a freelance writer for Cybersecurity Ventures and has contributed to several other publications. She covers a range of cybersecurity and cybercrime topics.


Q2 2017 — sponsored by Thycotic — provides chief information security officers (CISOs) and IT security teams with a quarterly diary of noteworthy security issues with passwords ranging from stolen credentials to purchasing stolen passwords on the black market.


Biometrics tries to crack the code on passwords

Swiping versus typing — either way there’s a lot of finger pointing going on.

Kacy Zurkus

Menlo Park, Calif. – Jul. 3, 2017

While many next generation technologies continue to explore different forms of biometrics for user authentication, no one has discovered the single solution that can address the complicated challenges of passwords.

A report published by Cybersecurity Ventures and Thycotic earlier this year found that the total number of user and privileged accounts that will be at risk, including a combination of human and machine passwords, will surpass 300 billion passwords by 2020.

Poor login practices continue to plague users and organizations globally. Passwords are still the biggest security problem for PCs, Macs, smartphones, and IoT devices.



Jun. 29. A lot is for sale on the Dark Web, including the emails and passwords of nearly 14 million college faculty, staff, students, and alumni from dozens of universities including University of Michigan, Penn State, Minnesota, Michigan State, Ohio State, and Illinois.

Jun. 27. Wearables have the power to make devices omnipotent, but are biometrics and tokenization a realistic solution to the problem of passwords?

Jun. 25. It’s not just enterprises and federal governments that are at risk of being hacked now that everything from thermostats to refrigerators is connected to the internet. Everything connected to the Internet can be hacked, including passwords for even the most seemingly innocuous devices in people’s homes.

Jun. 23. A group of ethical hackers gained access to a Virgin Media Super Hub 2 router after only four days of attempting to break in. Users are warned to change their wifi passwords.

Jun. 22. Public officials from politicians to police officers are the target of Russian hackers trading stolen passwords garnered from a five-year-old LinkedIn attack.

Jun. 19. Millennials suffering from password overload choose to reuse their passwords, opting for convenience and ease over security.

Jun. 19. The vulnerabilities in IoT devices can be frightening. Parents are warned that baby cameras could be compromised if they don’t change the default passwords.

Jun. 15. A new Apple security requirement requires all third-party applications to use app-specific passwords to gain access to data on a user’s cloud, and Apple penned these instructions for creating or revoking passwords.

Jun. 10. The latest version of the Apple operating system, iOS 11, makes changes that could relieve users from the burden of having to remember every password for their many apps.

Jun. 5. Published for educational purposes, this article instructs readers on how to hack any wifi passwords using a security tool, Wifiphisher, that launches automated phishing attacks on wifi networks.

Jun. 4. For OneLogin customers who think they might have had their passwords compromised in the latest breach, follow these steps to secure your account.

Jun. 2. According to a recent survey, in addition to not changing passwords on their accounts, 43 percent of smartphone users in the UK admit to storing passwords on their mobile phones.

Jun. 2. Wondering why we need passwords at all, a contributor to the Columbia Star, a local newspaper in South Carolina, pontificates about her growing frustrations with the widespread use of passwords.

Jun. 1. Cybersecurity awareness training programs are fairly common across all industries these days, but Booz Allen Hamilton might want to revisit the implementation of theirs after an employee left sensitive government passwords exposed.

Jun. 1. More hackers have gained unauthorized access to password management application OneLogin, reminding users that storing all passwords in one system does not make that system impervious to cyber attacks.

Jun. 1. Those who continue to reuse passwords are labeled ‘a hacker’s dream’ as they continue to put themselves and potentially their employers at risk.


May 30. Neighbors to the north are less than thrilled with having their privacy threatened by the U.S. plan to demand passwords at the border.

May 30. These instructions for users of password manager LastPass converting to 1Password make the transfer of data a bit more streamlined.

May 26. A username and password, long kept secret among members of the press, has been revealed, bringing free access to the Wall Street Journal’s paywall to an abrupt halt.

May 26. Android devices are the target of a new malware known as Cloak and Dagger that allows hackers to steal more than just passwords.

May 25. The way you walk reveals more than you would think now that researchers have found a new form of biometrics to authenticate a user of wearable devices.

May 24. Taking a stab at cracking passwords is the easiest way for hackers to compromise accounts, which explains why weak passwords cause the majority of data breaches.

May 23. Knowing that people often reuse their passwords, attackers are using automated systems to break into a website with stolen credentials from another site.


May 22. The human behavior at the root of password problems suggests that users will only change their passwords once they’ve been compromised.

May 10. Florida State University’s E-Crime Investigative Technologies Lab is hard at work developing the software to crack passwords, relying on probability grammar over context to evaluate password strength.

May 5. Requiring more complex passwords is one of the guidelines set forth in NIST’s Digital Identity Guidelines, but attackers can use tools to crack passwords regardless of their complexity.

May 5. In layered defense, enterprises can mitigate risks of cyber attacks through access controls, best password practices, the use of dedicated servers, and patching and updating their systems.

May 3. Whether it’s in the office, on the go, or at home, the average user has 27 different accounts that require passwords, with half of those being logged into on any given day. That’s why many people are hoping technology has the potential to replace burdensome passwords with a much more secure tool.

May 1. With all the hype about password security and the need for best password practices across all industries, it’s troubling—to say the least—that asks only for a four character password with no additional numerical or case requirements.


Apr. 28. When major conglomerates like Amazon are hacked, it’s most likely the result of criminals striking gold on the Dark Web with the purchase of stolen passwords. Brian Krebs shares his story of being bamboozled and warns that if a deal seems too good to be true, it probably is.

Apr. 24. When security tools become increasingly sophisticated in their ability to crack passwords, as Kali Linux has, users have to step up their password complexity game.

Apr. 21. Vulnerabilities in the Microsoft Edge browser make it easy for an attacker to hack into cookie files, steal user passwords, and access online accounts.

Apr. 19. Microsoft continues to find new ways to authenticate user identity, eliminating passwords for those users who approve or deny a prompt delivered to their mobile devices.

Apr. 18. The debate over whether to require the passwords to social media accounts of foreigners traveling to the US continues as many call on the Department of Homeland Security to oppose the policy.

Apr. 15. Unfortunately, planning for the death of a loved one entails more than confronting emotions and coping with loss. Now, families need to plan ahead and have a secure person who is able to access the many passwords to their loved one’s online accounts in order to deal with finances and other personal business.


Apr. 11. Two 20-somethings in the next generation of security practitioners are visionaries who see a more secure way to move passwords forward with a multi-layer, ultra-secure, multi-factor authentication model.

Apr. 10. Tilting the phone as you type in your mobile PIN doesn’t seem like a security risk, but hackers can potentially access passwords via a new theoretical hack.

Apr. 7. In today’s connected world, it’s not uncommon for local news channels to offer security tips to keep users safe on their cell phones and mobile devices. Passwords remain a first layer of defense.

Apr. 7. A pithy list of the top ten passwords for expats living in Bulgaria shows respect for the country in which they now reside.

Apr. 6. Hackers know where the money is, and who is willing to pay, so they target the vulnerabilities in the education sector with its ever expanding collection of big data that includes emails, passwords, and intellectual property.

Apr. 5. Firmware shipped from vendors of critical infrastructure still uses hard coded passwords despite the heightened warnings for stronger SCADA defense.

Apr. 3. In addition to backing up everything and storing critical files on the cloud, users of IoT devices are encouraged to adhere to strict password policies, which include the use of multi-factor authentication.

Apr. 3. Those who were encouraged to use a password manager in order to create and store more complicated passwords have been put at risk by a bug discovered in LastPass.

Apr. 3. It’s not only the end users who are compromising security with their weak passwords at home and at work. Even security practitioners fail to change their passwords on social media accounts.



Q1 2017 — sponsored by Thycotic — provides chief information security officers (CISOs) and IT security teams with a quarterly diary of noteworthy security issues with passwords ranging from stolen credentials to purchasing stolen passwords on the black market.


Password hacks and stolen identities at the epicenter of security breaches

Solutions to password challenges might be the marriage of education and innovation.

Kacy Zurkus

Menlo Park, Calif. – Mar. 31, 2017

Passwords continue to be the bane of the security industry, with some even calling them the Achilles heel. As new developments in biometrics aim to offer solutions to the password problem, many local media outlets try to help consumers understand how to stay safe online.

Password management applications, once trusted ways of storing and creating passwords, prove that no software application is impervious to attacks.



Mar. 30. A new report details the impact that cybercrime has had on higher education institutions, noting that hacktivists and scammers are sharing, selling, or simply giving away stolen .edu passwords and other account credentials.

Mar. 22. Amidst all the hype over claims that Apple’s iCloud had been hacked, experts suggest remaining calm and changing passwords.

Mar. 21. An exploitable content script in the LastPass Chrome extension allowed malicious attackers to access usernames and passwords as well as execute commands on a user’s computer.

Mar. 17. In the wake of the indictment of Russian hackers charged with hacking hundreds of millions of Yahoo accounts, many local and national news outlets offer tips on developing stronger passwords.

Mar. 15. New biometrics technology that reads a user’s lip movements, which are very difficult to mimic, might prove to add more security to the password problem.

Mar. 13. Study attempts to understand changing attack surfaces and the impact social media will have on the increased number of compromised passwords.

Mar. 10. Many express concerns in response to the call to collect passwords at US borders, a decree seen as antithetical to the first rule of online security: never share passwords.

RELATED: 2016 BLACK HAT HACKER SURVEY: Hackers support data privacy but are still willing to crack your passwords for a price.

Mar. 10. Mulling over the conundrum of how to secure passwords raises the question of whether human beings should even know what their passwords are.

Mar. 9. During National Consumer Protection Week, local news sources provide helpful advice to help keep consumers safe online by creating secure passwords.

Mar. 8. Video doorbell company charges a steep fee for password reset on their DoorBird IoT intercom and customers are not happy.

Mar. 7. If mobile devices have yet to cause security problems to the enterprise, this guide will help enterprises understand how to protect against mobile threats by encouraging end users to avoid unsecure WiFi, to use strong passwords, and to add 2FA.

Mar. 6. Dark web vendor, SunTsu583, posted for sale one million Gmail and Yahoo account credentials, sourced from a variety of hacks going back to 2008.

Mar. 4. Tens of thousands of parents in the UK who recorded messages for their children on smart toys from CloudPets had their personal details hacked without the use of a password.

Mar. 4. Personal information from thousands of sites was compromised after a known bug in the Cloudflare security system leaked information for months. Given the widespread use of the cloud service and the lack of clarity in exactly which websites were affected, now is a good time to change those passwords, again.

Mar. 2. At least one security issue found in the top nine password management applications available in the Google Play store.

Mar. 1. Music fans were able to rest at ease after news of a hack took center stage. Despite their website being compromised by hackers, Coachella’s promotion company, Goldenvoice, reported that no passwords or payment information was stolen.

Mar. 1. Devices that recognize the uniqueness of an individual hope to be the next gen technology that may finally solve the password problem.


Feb. 27. Disconcerting results of a Keeper Security Inc. survey reveal the frequency with which users both reuse and change their passwords.

Feb. 23. Passwords deemed the heart of the security problem that has resulted in the escalation of breaches. Enterprises can take a combined approach to secure their assets, which should include limiting user access privileges and phasing out passwords.

Feb. 22. A nonprofit technology coalition, the Center for Democracy & Technology, argues that collecting passwords at borders puts travelers around the world at risk.

Feb. 16. Following best practices in security awareness is a safe bet that will keep end users from gambling on their password security. These tips could help the enterprise stay ahead of potential threats.

Feb. 15. Even though the Toys ‘R’ Us chain wasn’t hacked, the credentials of those in their member rewards program were compromised, likely the result of stolen passwords.

Feb. 12. An unnamed university falls victim to its own smart devices, including a vending machine, when a botnet spread by brute forcing default or weak passwords.

RELATED: FREE Guide: Top 5 Privileged Account Security Reports CISOs Live For

Feb. 10. Offering self defense tutorials for the digital world, this ‘how to’ guide walks readers through the process of setting up a password manager.

Feb. 8. A look at whether collecting passwords for social media sites as a requirement to enter the US makes any sense in the security world.

Feb. 6. A hacker at Central Michigan University stole usernames and passwords, leading to their accessing W-2 forms.

Feb. 3. Even though there is a lot of buzz around the exciting innovations in biometric technologies, some question whether fingerprints and voice recognition will be any safer when it comes to authentication.

Feb. 2. A flaw was discovered in the StruxtureWare Data Center expert industrial control kit which could result in a hacker gaining remote access to unencrypted passwords.

Feb. 2. Gamers learn the hard way that they need to take password security seriously after Xbox piracy forum hack affects 2.5 million users.

Feb. 1. And the winner is…the University of Wisconsin awards the worst passwords of 2016 to a list of 25 horribly weak passwords. The number one spot went to ‘123456’.

Feb. 1. A new ‘smart router’ comes to market claiming to offer security without the use of a password to login.


Jan. 31. The state of Kentucky takes a big step forward in password protection by joining the National Cyber Security Alliance (NCSA) and urging citizens to create strong passwords.

Jan. 28. Indifference proves to yet again be the root of all evil, especially online. For those who think they can flout the warnings of password vulnerabilities, know that not caring is not an option.

Jan. 27. Well-known source for website breaches, LeakedSource, goes dark after claiming to have sold access to billions of stolen passwords.

Jan. 26. Farewell to Gmail. Sean Spicer’s accidental tweet that looked suspiciously like a password helpfully revealed the need to update some important security information.

Jan. 26. New biometrics technology using voice recognition instead of passwords claims to have seen a decline in fraud.

Jan. 25. The financial industry sees a potential resolution to the problem of offering interoperability capabilities to customers without compromising security by sharing passwords.

Jan. 20. Students suspected of stealing teacher passwords and changing grades at the University of Iowa.

RELATED: New Report Finds 300 Billion Passwords Will Be at Risk By 2020

Jan. 20. The passwords that employees use at work are only as safe as those they would use in their personal lives, which doesn’t bode well for enterprise security.

Jan. 19. The transition of power at the White House was not impacted by the fact that many members of the incoming cabinet, including cybersecurity advisor Rudy Giuliani, have had their passwords stolen in the past.

Jan. 17. A vulnerability in both the Clash of Clans and Clash Royale games could cause everyone in their respective forums quite a headache as third party hackers are reportedly able to access user emails and encrypted passwords.

Jan. 16. Using different languages and converting sentences to passphrases are just a couple of ways that users can create strong passwords.

Jan. 16. OWASP points out the antiquated security practices used by McDonald’s, noting that cross-site scripting is not only bad but also leaves users’ passwords remotely available to an attack.

Jan. 12. With only a third of internet users creating different passwords for multiple accounts, many are leaving the door to their digital identities wide open for attackers.

Jan. 6. For those who are tentative about trusting their browsers to store their passwords, know that some browsers have strengthened their security features, but few are without risks.

Jan. 5. Banks that offer the convenience of cardless ATM withdrawals aren’t necessarily accounting for the possibility that a criminal could use a stolen username and password to conduct a fraudulent transaction.

Jan. 5. Hoping that consumers will start the new year off by banging out some new passwords, this local Ohio station challenges people to test the strength of their password security.

Jan. 3. National Strategy for Trusted Identities in Cyberspace (NSTIC) is challenged with finding the best solution to the password problem, leaving them to determine whether fingerprints and iris scanning are more secure alternatives.



Q4 2016 — sponsored by Thycotic — provides chief information security officers (CISOs) and IT security teams with a quarterly diary of noteworthy security issues with passwords ranging from stolen credentials to purchasing stolen passwords on the black market.


Weak passwords result in major breaches

LinkedIn and Tor made the headlines, but no one suffered damage the likes of Yahoo in 2016, except, maybe, the Internet of Things.

Kacy Zurkus

Menlo Park, Calif. – Jan. 3, 2017

Of the millions of users connected to the internet, few of them are not suffering from security fatigue. The constant reminders to change passwords have many ignoring password security altogether.

Yahoo continued to make the headlines as more details of their massive breach came to light. The fear of password reuse across multiple sites and platforms had many companies urging their customers to err on the side of caution and change their passwords.

Given that passwords are one of the weakest links to security, researchers are exploring the viability of biometrics and other technologies to help protect user accounts. A new report from Cybersecurity Ventures and Thycotic informs that passwords are here to stay – and the world will need to cyber protect 300 billion passwords by 2020.



Dec. 29. Given that security experts say some of the best hackers are able to break two thirds of all passwords, it’s recommended people change their passwords often and use complex phrases like “Rov3rWENT2Mark3t.”

Dec. 29. Changing passwords is one of the easiest baseline steps internet users can take to work toward stronger cybersecurity in 2017.

Dec. 23. Multi-factor authentication, biometrics, training, and other good security alternatives beyond passwords can work to protect enterprise data, given that most users don’t often change and frequently reuse their passwords across personal and business accounts.

Dec. 22. Yahoo’s massive breach might have been the harbinger of passwords passing. Experian predicts the death of the password in the aftermath of Yahoo’s massive breach, which will likely continue to have implications for years to come.

Dec. 22. Groupon cites stolen login credentials as the cause for fraudulent logins and purchases, emphasizing the fact that password reuse makes accounts vulnerable even if the site itself has not been hacked.

Dec. 19. MD5 has long been known to be an unreliable security measure, yet the security team at Yahoo struggled to get approval for the tools they needed, which likely contributed to the largest data breach on record.

Dec. 19. The online learning site, (owned by LinkedIn) suffered a breach in which hackers gained access to 9.5 million accounts, despite the company’s use of the “PBKDFv2” algorithm to hash the passwords.

Dec. 15. Time Magazine reported on everything users need to know about the Yahoo breach, citing that the accounts of nearly 150,000 government employees were hacked, potentially posing a risk to national security.


Dec. 15. An unauthorized third party, believed to be state actors, forged cookies and impersonated users at Yahoo. As more information comes to light about the enormous attack, the scarred company struggles to change its security procedures.

Dec. 13. Password management system provider, LastPass, offers cross-platform syncing as a free option on its tool, encouraging password management use in order to make security an accessible option for internet users.

Dec. 13. Survey reveals that adults use (and reuse) simple-to-remember passwords because the fear of forgetting a password outweighs the fear of being hacked.

Dec. 12. Fast food giant KFC warns members of the Colonel’s Club that their passwords should be changed after an attack targeted 30 of its 1.2 million members.

Dec. 9. After researching 50,000 compromised emails and passwords, data reveals that 42 percent of those who used their username as their password had their accounts hacked and that the most commonly used passwords include the words ‘love’, ‘star’, ‘girl’, and ‘angel’.

Dec. 8. Biometrics may not be the most secure solution to the security problem of passwords. Hackers can still steal a fingerprint or replicate a digital version.

Dec. 6. The Commission on Enhancing National Cybersecurity warned President Obama that passwords make committing cybercrime easy for black hats. TLS technology offered as a possible solution.

Dec. 5. Turns out the attack on TalkTalk’s broadband routers was a bit more extensive than originally suspected, and customers are once again urged to change their passwords.


Nov. 30. Hackers gambled on the U.K.’s National Lottery security protocols and won big, scoring access to 226,500 of its 9.5 million registered players.

Nov. 23. Deliveroo denied that their site had been compromised, blaming credential reuse from other hacked sites like LinkedIn for fraudsters gaining access to customer accounts. The finger pointing emphasizes the urgent need to change both passwords and user behavior.

Nov. 22. Despite concerns over the pitfalls associated with biometrics technologies, Visa partners with BioConnect, showing that an authentication free from pitfalls is viable when using the right platform.  

Nov. 22. Default passwords one of many security concerns discussed at a meeting with the Subcommittee on Commerce, Manufacturing, and Trade.

Nov. 20. Changing default passwords on IoT devices through the mobile app or web page provided with the device will help to secure wireless devices at home and in the office.

Nov. 17. Massive DDoS attacks with Mirai, which used default passwords, prompted two government agencies to share guidance on how to approach security with IoT.

Nov. 16. Security experts question the ethics of companies who pay criminals on the black market for stolen passwords, arguing instead that with a little more effort, the information can be found through cross-referencing data dumps.


Nov. 14. WindTalker system analyses radio signals in WiFi networks, through which researchers say it is possible to detect passwords and other private information of the user.

Nov. 11. Facebook’s purchase of stolen passwords on the black market is claimed to help the company keep its 1.79 billion user accounts safe by scanning for stolen passwords across multiple platforms.

Nov. 10. Using Tor and a password manager are just two of the ways security researchers recommend protecting your private information from government surveillance.

Nov. 8. By exploiting weaknesses in how passwords are reset, a 29-year-old hacked into more than 1,000 email accounts at two US universities.

Nov. 8. In the aftermath of Mirai, experts look back and question what could have been done differently, identifying hard-coded passwords in IoT devices as one of the eleven key takeaways.

Nov. 7. As they look ahead at the long lasting effects that could result from Mirai’s botnet, the FDA issues guidelines for manufacturers of internet connected devices.

Nov. 4. Serpent ransomware, a new version of PayDOS, takes advantage of the hard-coded passwords, but distributes batch files that rename rather than encrypt.   

Nov. 2. LastPass boosts their service offerings, allowing users to have free multi-device access.


Oct. 29. Falling victim to a phishing scam approved as legitimate by a Clinton campaign IT official, John Podesta clicked on a fraudulent link, giving hackers access to his account.

Oct. 27. Presenting a brain challenge for their customers, a Thai restaurant in San Antonio, Texas posts a complicated math equation for those who want to use their free WiFi. The answer to the problem is the password.

Oct. 21. Wanted for stealing 117 million passwords in the LinkedIn hack, Yevgeniy Aleksandrovich Nikulin, a 29-year-old Russian, was arrested in Prague and indicted by a grand jury in connection with the hacking of three different websites.

Oct. 16. Lack of security in IoT devices prompts European Commission to draft new requirements that will enhance the security of those devices, including those with default passwords and those with passwords that can easily be bypassed.

Oct. 14. Changing passwords seen as an overwhelming task for computer users who suffer from ‘security fatigue’. Unfortunately, the failure to adhere to best password practices leaves users more vulnerable.

Oct. 14. An overwhelming majority of the 200 IT decision makers surveyed by SecureAuth Corporation believe that passwords will be non-existent in five years.


Oct. 14. Select Netflix customers received different versions of an alert advising them that their email and password might have been leaked as the result of a breach at another organization.

Oct. 11. A fun test of user awareness around password security, the Financial Times offers a quiz for readers to test their knowledge. Turns out that “pAsswOrd” is 4,000 times stronger than “p@ssw0rd.”

Oct. 8. To mitigate security risks, Amazon issued an email alert telling users that their password had been changed after a list of compromised credentials was published online.

Oct. 7. Researchers at the University of Washington hope that sending passwords from a device through the human body via low-frequency signals might be the security technique of the future.  

Oct. 5. Password manager applications, including Dashlane, Keeper, 1Password, and LastPass, are good ways to increase password security on personal devices.

Oct. 5. Pay-by-selfie rolls out for some Mastercard holders across Europe who can now use facial recognition biometrics instead of a password to complete payment transactions.

Oct. 3. The Mirai botnet that knocked Brian Krebs offline and the largest DDoS attack on record was largely successful thanks to these 61 passwords.

Oct. 2. Wombat Security CTO offers tips for password hygiene and recommends using a password manager application and two factor authentication to keep passwords in order.

Kacy Zurkus is a freelance writer for Cybersecurity Ventures and has contributed to several other publications. She covers a range of cybersecurity and cybercrime topics.


© 2016-2017 Cybersecurity Ventures. All rights reserved. Federal copyright law prohibits unauthorized reproduction of this Report by any means and imposes fines up to $150,000 for violations. Reproduction in whole or in part in any form or medium without expressed written permission of Cybersecurity Ventures is prohibited.