Google stored some passwords in plain text for 14 years

This is an interesting admission by the team at Google.  Though they have not confirmed the number of affected enterprise customers, I know of at least one local organization that was contacted by Google concerning this unintentional data leak.  Fortunately, that organization had ceased using the service some time ago.

It does appear that Google has remediated the problem.  That said, any potentially affected organization should address password reuse and other related opportunities to mitigate the risk.

https://nakedsecurity.sophos.com/2019/05/23/google-stored-some-passwords-in-plain-text-for-14-years/

8-Character Windows NTLM Passwords Can Be Cracked In Under 2.5 Hours

Though many like to pretend that the debate is still alive and relevant, I tend to agree with the authors of this post from KnowBe4 – the 8-character password is dead.  It has honestly been dead for some time.  We need to move forward and consider stronger, more effective and memorable pass-phrases combined with multi-factor authentication options whenever available.

The NIST standard of “complex” 8-character passwords is mentioned in this post, but it is also worth mentioning that even NIST has recognized it is time to move beyond that standard.  New, revised standards are coming that involve less password rotation and longer pass-phrases.

These steps are honestly not hard and they will keep your data safer than the good ol’ days of “Petsname123”.

https://blog.knowbe4.com/8-character-windows-ntlm-passwords-can-be-cracked-in-under-2.5-hours

Password Reuse Abounds, New Survey Shows

So many words to describe the statistics shared in this article – sad, depressing, pathetic, lazy… did I mention sad and depressing?  There really is no reason for this.  Strong, safe, effective password managers exist.  They are free or cost-effective.  They are easy to use.  They truly save time and money.  We really have no good excuse to be in this situation.

https://www.darkreading.com/informationweek-home/password-reuse-abounds-new-survey-shows/d/d-id/1331689

Apple Update Addresses Password Security for Encrypted APFS Volumes

If you are a Mac user and have upgraded to macOS High Sierra, please take the time to apply the supplemental update released by Apple designed to address this “password hint” issue.

https://threatpost.com/emergency-apple-patch-fixes-high-sierra-password-hint-leak/128314/

https://www.tripwire.com/state-of-security/latest-security-news/apple-releases-update-better-protect-passwords-encrypted-apfs-volumes/

No more pointless password requirements

This is exciting news and a very smart, practical move by the team at NIST.  Length of passwords trumps complexity in most situations when an end user is left to his or her own devices.  I am glad to see these changes and encourage all administrators and IT security professionals to use these changes as an opportunity to better educate end users in the proper set up and usage of passwords.
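To make the "length over complexity" point concrete for administrators, here is an added example (my own illustration, not code from NIST, KnowBe4 or any of the linked articles) of a password check in the spirit of the revised NIST guidance discussed here and in the KnowBe4 item above: it enforces a length floor and screens against a denylist of known-breached passwords, but imposes no composition rules and no rotation. It also estimates the worst-case brute-force keyspace so the difference between an 8-character "complex" password and a longer pass-phrase is visible. The minimum length of 15, the guess rate, and the denylist entries are all assumptions constructed for the example.

```python
import math
from typing import Optional

# Constructed sample of a breached-password denylist. NIST SP 800-63B
# recommends screening candidates against known-compromised passwords;
# a real deployment would load a full breach corpus instead of this stub.
BREACHED_PASSWORDS = {
    "password",
    "petsname123",
    "qwerty123",
    "letmein",
    "correcthorsebatterystaple",
}

MIN_LENGTH = 15   # assumed policy value for this example; longer is better
MAX_LENGTH = 64   # leave room for genuinely long pass-phrases


def check_password(candidate: str) -> Optional[str]:
    """Return None if the candidate is acceptable, otherwise a reason.

    Only two rules: a length window and a breach-corpus screen.
    No character-class requirements, no forced rotation.
    """
    if len(candidate) < MIN_LENGTH:
        return f"too short: minimum is {MIN_LENGTH} characters"
    if len(candidate) > MAX_LENGTH:
        return f"too long: maximum is {MAX_LENGTH} characters"
    # Normalize case and strip spaces so trivial variants of a breached
    # password do not slip past the denylist.
    normalized = candidate.lower().replace(" ", "")
    if normalized in BREACHED_PASSWORDS:
        return "appears in breach corpus"
    return None


def charset_size(candidate: str) -> int:
    """Size of the alphabet an attacker must search, based on the
    character classes the candidate actually uses (printable ASCII)."""
    size = 0
    if any(c.islower() for c in candidate):
        size += 26
    if any(c.isupper() for c in candidate):
        size += 26
    if any(c.isdigit() for c in candidate):
        size += 10
    if any(not c.isalnum() for c in candidate):
        size += 33  # printable ASCII punctuation and space
    return size


def brute_force_hours(candidate: str, guesses_per_second: float) -> float:
    """Worst-case hours to exhaust the keyspace at an assumed guess rate.

    This is a pure brute-force bound. Word-based pass-phrases are attacked
    with dictionaries rather than character-by-character, so for those the
    number and randomness of the words matters more than this figure.
    """
    keyspace = charset_size(candidate) ** len(candidate)
    return keyspace / guesses_per_second / 3600.0


def keyspace_bits(candidate: str) -> float:
    """Keyspace expressed in bits, for side-by-side comparison."""
    return len(candidate) * math.log2(charset_size(candidate))


if __name__ == "__main__":
    rate = 1e12  # assumed guesses per second; not a figure from the articles
    for pw in ["Petsname123", "Abcdefg1", "correct horse battery staple"]:
        verdict = check_password(pw) or "accepted"
        print(f"{pw!r}: {verdict}; {keyspace_bits(pw):.1f} bits, "
              f"{brute_force_hours(pw, rate):.2g} h worst case")
```

Running it shows the short "complex" examples rejected on length alone, while a 28-character all-lowercase pass-phrase passes the check and still has a far larger keyspace than an 8-character mixed-class password. The denylist catches the well-known "correct horse battery staple" phrase even when entered with spaces and capitals, which is why screening against a real breach corpus matters as much as the length rule.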

https://www.welivesecurity.com/2017/05/03/no-pointless-password-requirements/