Facebook Password Security Fail

Facebook is facing scrutiny once again today by disclosing that it accidentally stores “hundreds of millions” user passwords in plaintext. To make matters worse, 20,000 Facebook employees had access to view these passwords. Instagram users are also impacted by this massive oversight. There are so many things wrong here. In the day and age, obviously no company or organization should …

What’s behind PCI’s New MFA Requirements?

Requirement 8.3 of the PCI DSS 3.2 goes into effect today (Feb 1, 2018), making MFA (multi-factor authentication) a requirement for every organization involved in payment card processing. Many have implemented MFA ahead of the requirement, however a look at the PCI’s multi-factor implementation guidance highlights some considerations, particularly around passwords that may otherwise be overlooked. 1. Multi-factor means multiple …

The Outsized Risk From Small Data Breaches

Most attention is given to data breaches counted in the tens or hundreds of millions, but there is also a continuous stream of small data breaches that make no headlines but present outsized risks to individuals and organizations. In a recent analysis by Enzoic of breach data collected from the Internet and Dark Web, a full 90% of credential exposures …

password reuse is bad

The Magician’s Handkerchief of Password Reuse

Yesterday I received an email in my inbox from a prominent gaming website, indicating that my account had been disabled due to “suspicious activity” and that I would need to reset my password. They then carefully explained that this was not due to a breach of their site, but instead likely due to my account credentials having been exposed either …

Massive Equifax Data Breach Puts Consumers at Risk for Identity Theft and Compromised Accounts

With rapid rate of evolution within technology, why are we still using passwords? The answer lies in the simple, positive attributes of passwords that are not found in other authentication methods: affordable, easy to replace, universally compatibility, privacy safe and no false positive. This closer look highlights the gaps in other methods that will make it hard to get past the password.

Can Passwords Really Be Replaced?

With rapid rate of evolution within technology, why are we still using passwords? The answer lies in the simple, positive attributes of passwords that are not found in other authentication methods: affordable, easy to replace, universally compatibility, privacy safe and no false positive. This closer look highlights the gaps in other methods that will make it hard to get past the password.

NIST-800-63

NIST Special Publication 800-63 is Final

The big changes to NIST password recommendations we’ve been talking about are now official: NIST 800-63 is final. It’s important to know that this overhaul is about more than just passwords. It’s a full reworking of digital identity guidelines with a suite of new documents and a flexible approach to using them.

Evolving Password Based Security to Fight Compromised Credentials Attacks

The continued barrage of reports about data breaches and account hijacking, make it painfully clear that the way organizations are managing password-based security is missing something. When we look at how cybercriminal tactics have evolved, and how compromised credential attacks have impacted these methods, one answer to the problem of the password becomes clear.

Looking Closer at NIST Guidelines for Checking Compromised Credentials

NIST suggests passwords should be screened against commonly-used, expected, or compromised passwords. This is intended to ensure passwords are not found in common cracking dictionaries that would make them easy to guess. These checks can occur at account creation and password reset. But then what? How do you know if they are still safe after time?