How to Secure Your Users’ Passwords

A Go library to easily add TOTPs to an application, increasing users' security against mass-password breaches and malware. https://github.com/pquerna/otp 3 comments 27/10/2021 golang

ELI5: Is Windows 10's user password secure and encrypted? https://www.reddit.com/r/techsupport/comments/69ursc/eli5_is_windows_10s_user_password_secure_and/ 6 comments 8/5/2017 techsupport

eBay hit with massive security breach, asks users to change passwords http://www.theverge.com/2014/5/21/5737914/ebay-will-ask-all-customers-to-change-passwords-after-massive-breach?utm_content=buffer07022&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer 11 comments 21/5/2014 technology

11 year old security bug in util-linux (Leak user passwords on Ubuntu) https://people.rit.edu/sjf5462/6831711781/wall_2_27_2024.txt 3 comments 27/3/2024 netsec

How to Secure Your Users’ Passwords? Don’t Send Them https://blog.blockmagnates.com/how-to-secure-your-users-passwords-don-t-send-them-ea0756a425a6 4 comments 28/4/2022 privacy

LastPass stores passwords so securely, not even its users can access them https://www.theregister.co.uk/2020/01/20/lastpass_outage/ 11 comments 20/1/2020 nottheonion

Sending passwords to end users securely https://www.reddit.com/r/sysadmin/comments/c1w9ky/sending_passwords_to_end_users_securely/ 82 comments 18/6/2019 sysadmin

Critical Security Advisory for BitPay and Copay Wallet Spending Password Users https://blog.bitpay.com/wallet-spending-password-vulnerability/ 6 comments 30/1/2018 btc

Millions of passwords stolen from Google and Yahoo users in major security breach http://www.dailymail.co.uk/sciencetech/article-3573203/big-data-breaches-major-email-services-expert.html 127 comments 5/5/2016 worldnews

Secure PHP User and Password Management. As a beginner I found this very informative. http://www.openwall.com/articles/php-users-passwords 26 comments 21/3/2013 webdev

Last.fm Password Security Update: "We are currently investigating the leak of some Last.fm user passwords." http://www.last.fm/passwordsecurity 92 comments 7/6/2012 netsec

League of Legends is hacked, with crucial user info accessed | security breach involving usernames, e-mail addresses, salted passwords, and 120,000 salted credit card numbers http://news.cnet.com/8301-1009_3-57599450-83/league-of-legends-is-hacked-with-crucial-user-info-accessed/ 16 comments 21/8/2013 technology

Multi One Password - The Most Secure Password Manager. (It does not store passwords neither locally in the users devices nor in the cloud.) https://apps.microsoft.com/store/detail/9PGSRMDJ3RP2 3 comments 28/5/2023 entrepreneurridealong

Reddit admins finally chime in on user password security exploit saying that they have "been investigating" it. https://np.reddit.com/r/bugs/comments/7nu2op/is_reddit_administration_ignoring_a_security/ds4trrr/?context=3 34 comments 3/1/2018 btc

Evernote resets all passwords after user information stolen in security breach http://www.theverge.com/2013/3/2/4056704/evernote-password-reset 3 comments 2/3/2013 technology

Formspring Compromised - All user passwords reset as a security precaution. http://blog.formspring.me/2012/07/urgent-change-your-formspring-password/ 11 comments 11/7/2012 netsec

Linux security experts: How can a regular user escalate to be able to change the root password? http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml#linux2 94 comments 15/3/2011 linux

LinkedIn to pay 1.25 million in settlement claims for contravening users’ privacy agreement and negligence in securing their passwords http://securitygladiators.com/2015/02/24/linkedin-to-pay-to-settle-claims-over-weak-password-security/ 5 comments 24/2/2015 technology

Charter Spectrum tweets terrible security advice by asking users to change their WiFi password to GO_ATLANTA or GO_NEWENGLAND. https://techcrunch.com/2017/01/23/charter-spectrum-tweets-terrible-wifi-security-advice/ 4 comments 24/1/2017 technology

"Many general users and some IT administrators incorrectly assume that using various uppercase letters, lowercase letters, numbers and special characters in a password will make it more secure. " https://trustwave.com/resources/trustwave-blog/yes,-your-password-is-easy-to-crack/ 3 comments 19/8/2014 technology

Facebook's poor login security let Tunisian regime snarf up user passwords, delete accounts http://www.theatlantic.com/technology/archive/2011/01/the-inside-story-of-how-facebook-responded-to-tunisian-hacks/70044/ 7 comments 24/1/2011 politics

Facebook's poor login security let Tunisian regime snarf up users' passwords http://www.theatlantic.com/technology/archive/2011/01/the-inside-story-of-how-facebook-responded-to-tunisian-hacks/70044/ 7 comments 24/1/2011 netsec

When you change something like a wifi password, which many people use, do you just put the new password in an email and email all users? Is there a more secure way? https://www.reddit.com/r/sysadmin/comments/5jlle7/when_you_change_something_like_a_wifi_password/ 12 comments 21/12/2016 sysadmin

Computer security experts have developed a system capable of guessing computer and smartphone users’ passwords in seconds by analysing the traces of heat their fingertips leave on keyboards and screens https://www.gla.ac.uk/news/headline_885914_en.html 79 comments 11/10/2022 technews

"Security" Auditor wants "A list of current usernames and plain-text passwords for all user accounts on all servers" https://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants 153 comments 6/9/2016 sysadmin

Bye-bye passwords on Android: Now, use fingerprint to log in to apps, websites. As the debate over the countless privacy issues rages on, security remains a key concern as users information is on the risk https://www.financialexpress.com/industry/technology/bye-bye-passwords-now-use-fingerprint-to-log-in-to-apps-websites-on-android/1498707/lite/ 3 comments 26/2/2019 technology

AOL Hacked (Official Blog Post) - Unauthorized access to information regarding user accounts: users' email addresses, postal addresses, address book contact information, encrypted passwords and encrypted answers to security questions as well as certain employee information. http://blog.aol.com/2014/04/28/aol-security-update/ 24 comments 29/4/2014 netsec

The end of logins and passwords, just for starters. Self-sovereign identity is a decentralized model that allows users to control their data, enabling digital experiences that are secure and interoperable. https://thereboot.com/the-end-of-logins-and-passwords-just-for-starters/ 5 comments 1/9/2021 technology

Chrome's Password Security Strategy Is Insane | Visit chrome://settings/passwords – Chrome displays your saved passwords without prompting for a master password and casual users probably don't know about this http://mashable.com/2013/08/07/chrome-password-security/ 49 comments 7/8/2013 chrome

Microsoft removed the password expiration policies from their Windows 10 security baseline. Their recommendation to NOT force user password changes on a schedule is now their official published security guidance for Windows customers. https://techcrunch.com/2019/06/02/password-expiration-is-dead-long-live-your-passwords/ 11 comments 2/6/2019 technology

PSA: Stop using sensitive data as passwords to secure more sensitive data. Try to educate your users and use real examples of why this is bad. https://www.reddit.com/r/sysadmin/comments/itw3av/psa_stop_using_sensitive_data_as_passwords_to/ 299 comments 16/9/2020 sysadmin

A serious flaw in the security of Google's Chrome browser lets anyone with access to a user's computer see all the passwords stored for email, social media and other sites, directly from the settings panel. No password is needed to view them http://www.theguardian.com/technology/2013/aug/07/google-chrome-password-security-flaw 183 comments 7/8/2013 technology

A security researcher has released a tool can steal LastPass password manager details by simulating the login dialogue so closely that even careful users might simply give their username, password and their two-factor key http://www.theguardian.com/technology/2016/jan/18/phishing-attack-steal-lastpass-password-manager-details 9 comments 19/1/2016 technology

Ubuntu Forums Security Breach: "Unfortunately the attackers have gotten every user's local username, password, and email address...The passwords are not stored in plain text. However, if you were using the same password...on another service...change the password on the other service ASAP." http://ubuntuforums.org/announce.html?t=1650386 19 comments 20/7/2013 netsec

Virgin Media sends users their former passwords via snail mail (post), so therefore they are not encrypting passwords but instead storing them in plain text. Their defense: Postal mail is secure since it's illegal to open mail that is addressed to someone else. https://twitter.com/virginmedia/status/1162756227132198914 136 comments 20/8/2019 privacy

Two months ago the NSA forced a secure email provider out of business after they learned Edward Snowden used it. Today it reappeared and is now asking users for their passwords. /u/N1RKGpuYkfgG4EQjPJQF discovered that it's almost certainly a trap. [x-post /r/BestOf] http://www.reddit.com/r/bestof/comments/y3ufx/rbestof_results_of_the_no_defaults_experiment/c5sdbn1 2 comments 16/10/2013 privacy

Google facial password patent aims to boost Android security. Users could soon be asked to pull a series of faces to unlock their Android phones or tablets. Google has filed a patent suggesting users stick out their tongue or wrinkle their nose in place of a password. http://www.bbc.co.uk/news/technology-22790221 67 comments 6/6/2013 technology

Hacker News

Reddit