Password management and policy
Discover how to succeed in password management. Learn how to implement a password policy, software and tools, how to choose the right password length and when to change your password. Also, get advice on password cracking software, tools and programs.
Top Stories
-
News
26 Oct 2021
Researcher cracks 70% of neighborhood Wi-Fi passwords
A CyberArk researcher showed that $50 worth of hardware and some attack scripts are all you need to break into home and small business Wi-Fi networks. Continue Reading
-
News
29 Sep 2021
Telegram bots allowing hackers to steal OTP codes
A simplified new attack tool built on Telegram bots lets criminals phish one-time password codes from victims, take over their accounts and drain bank funds. Continue Reading
-
Definition
25 Feb 2022
passphrase
A passphrase is a sentencelike string of words used for authentication that is longer than a traditional password, easy to remember and difficult to crack. Continue Reading
-
Definition
27 Jan 2022
one-time pad
In cryptography, a one-time pad is a system in which a truly random secret key, at least as long as the message and never reused, is combined with the message to encrypt it; the receiver, holding an identical copy of the pad, reverses the operation to decrypt. Continue Reading
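The mechanism behind that definition, and the failure mode that matters in practice, as an added example (not code from the original page): a pad generated from a CSPRNG, XOR encryption and decryption, and a demonstration that reusing the pad for a second message cancels the key out and lets an eavesdropper with one known plaintext read the other. The messages are constructed sample data.

```python
import secrets


def otp_keygen(length: int) -> bytes:
    """Generate a pad: cryptographically random bytes, one per message byte.

    A predictable source here (a PRNG seeded from the clock, a passphrase)
    destroys the unconditional secrecy the scheme is supposed to provide.
    """
    return secrets.token_bytes(length)


def otp_encrypt(message: bytes, key: bytes) -> bytes:
    """XOR each message byte with the corresponding pad byte."""
    if len(key) < len(message):
        raise ValueError("pad must be at least as long as the message")
    return bytes(m ^ k for m, k in zip(message, key))


# XOR is its own inverse, so decryption is the identical operation.
otp_decrypt = otp_encrypt


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper learns when the SAME pad encrypts two messages.

    c1 XOR c2 == (m1 XOR k) XOR (m2 XOR k) == m1 XOR m2: the key cancels out.
    """
    return bytes(a ^ b for a, b in zip(c1, c2))


def recover_other_plaintext(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """With one plaintext known (a crib), the other falls straight out."""
    return bytes(x ^ m for x, m in zip(pad_reuse_leak(c1, c2), known_m1))


if __name__ == "__main__":
    msg = b"transfer 100 to alice"  # constructed sample message
    key = otp_keygen(len(msg))
    ct = otp_encrypt(msg, key)
    assert otp_decrypt(ct, key) == msg
    print("correct use, ciphertext:", ct.hex())

    # The failure mode: the same pad used for a second message.
    msg2 = b"transfer 999 to mallory"[: len(msg)]
    ct2 = otp_encrypt(msg2, key)
    print("pad reuse leaks:", recover_other_plaintext(ct, ct2, msg))
```

The "one-time" in the name is the entire security argument: the key never repeats, so every ciphertext is equally likely for every plaintext. The moment a pad is reused, the scheme degrades to a simple XOR cipher and the key-distribution cost bought nothing.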
-
Definition
13 Dec 2021
password salting
Password salting is a technique to protect passwords stored in databases by adding a unique, randomly generated value (the salt) to each password before hashing it, so that identical passwords produce different hashes and a precomputed lookup table cannot be reused across accounts. Continue Reading
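Salting done the way a practitioner would store a password verifier today, as an added example (not code from the original page): a per-password 128-bit random salt, an iterated PBKDF2-HMAC-SHA256 derivation, a self-describing storage record, and constant-time verification. The `pbkdf2_sha256$iterations$salt$digest` record layout is an assumption made for this example, not a standard crypt(3) scheme; the unsalted helper is shown only to make the contrast visible.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise it as hardware gets faster


def unsalted_hash(password: str) -> str:
    """The anti-pattern: the same password gives the same hash for every user,
    so one precomputed (rainbow) table cracks every account that shares it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash in a '$'-separated record (assumed format for this
    example). The salt is stored in the clear; it only needs to be unique."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit salt, fresh for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash scheme: {algo}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("unsalted, user A:", unsalted_hash(pw))
    print("unsalted, user B:", unsalted_hash(pw))   # identical: table attack works
    print("salted,   user A:", hash_password(pw))
    print("salted,   user B:", hash_password(pw))   # different: attacker must crack each one
```

The salt defeats precomputation; the iteration count (or a memory-hard function such as scrypt or Argon2, which `hashlib.scrypt` also provides) is what slows down per-account guessing. Both are needed; a salt alone does nothing against a fast GPU attack on one account.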
-
Definition
16 Sep 2021
shadow password file
A shadow password file, also known as /etc/shadow, is a system file in Linux that stores hashed (not encrypted) user passwords together with password-aging data, and is readable only by root, so that ordinary users cannot copy the hashes for offline cracking. Continue Reading
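What an auditor actually looks for in that file, as an added example (not code from the original page): a parser for the nine colon-separated shadow fields, a classifier for the password field (empty, locked, no-login, or a `$id$` hash whose id names the algorithm), and a small audit that flags accounts with no password or a weak hash. The excerpt below is constructed for this example; the hash strings are filler, not real hashes, and reading the real file requires root.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed /etc/shadow excerpt. Fields: name:secret:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$Qx7mZp2k$cN0vT4uYb8wKqLr3sHd9fGjMaEeXiWoPzVtUyRnBkSlDcAhJgFbNmMvC1oKpIqWdEtRy5TgHzXlVaQ:19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
alice:$y$j9T$abcdefghijklmnop$QwErTyUiOpAsDfGhJkLzXcVbNm1234567890abcdEFGH:19500:1:365:14:::
bob:!$6$Lm4nOp1q$ZyXwVuTsRqPoNmLkJiHgFeDcBa9876543210zyxwvutsrqponmlkjihgfedcba0123456789ABCD:19400:0:99999:7:::
legacy:$1$saltsalt$0123456789abcdefghijkl:18000:0:99999:7:::
svc::19500:0:99999:7:::
"""

# crypt(3) hash identifiers as used by glibc/libxcrypt.
HASH_IDS = {
    "1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt",
}
WEAK_IDS = {"1"}  # md5crypt: fast and long deprecated


@dataclass
class ShadowEntry:
    name: str
    secret: str                 # hash, '*', '!'-prefixed, or empty
    last_change: Optional[int]  # days since epoch
    min_days: Optional[int]
    max_days: Optional[int]


def _int_or_none(field: str) -> Optional[int]:
    return int(field) if field else None


def parse_shadow(text: str) -> List[ShadowEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries.append(ShadowEntry(f[0], f[1], _int_or_none(f[2]),
                                   _int_or_none(f[3]), _int_or_none(f[4])))
    return entries


def classify_secret(secret: str) -> str:
    """Label the password field the way the login path interprets it."""
    if secret == "":
        return "EMPTY"      # password authentication succeeds with no password
    if secret.startswith("!"):
        return "LOCKED"     # passwd -l; the original hash may follow the '!'
    if secret == "*":
        return "NOLOGIN"    # no password set; password auth always fails
    m = re.match(r"^\$([^$]+)\$", secret)
    if not m:
        return "UNKNOWN"
    hash_id = m.group(1)
    if hash_id in WEAK_IDS:
        return "WEAK:" + HASH_IDS[hash_id]
    return "OK:" + HASH_IDS.get(hash_id, "unknown-id-" + hash_id)


def audit(entries: List[ShadowEntry]) -> Dict[str, List[str]]:
    """Return {account: [issues]} for accounts that need attention."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        label = classify_secret(e.secret)
        issues = []
        if label == "EMPTY":
            issues.append("passwordless login")
        elif label.startswith("WEAK") or label in ("UNKNOWN",) or "unknown-id" in label:
            issues.append(label)
        if issues:
            findings[e.name] = issues
    return findings


if __name__ == "__main__":
    for e in parse_shadow(SAMPLE_SHADOW):
        print(f"{e.name:8} {classify_secret(e.secret)}")
    print(audit(parse_shadow(SAMPLE_SHADOW)))
```

Two things the file's permissions do not protect against are visible here: an empty second field, which lets anyone log in as that account, and an old md5crypt hash, which a copy of the file (from a backup, a container image or a misconfigured share) turns into a fast offline cracking job.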
-
News
16 Aug 2021
FBI watchlist exposed by misconfigured Elasticsearch cluster
A terrorist watchlist was found in an exposed database, and security researcher Bob Diachenko says there is no way of knowing just how long it was open to the public. Continue Reading
-
Tutorial
03 Aug 2021
Working with PowerShell Secret Management and Secret Vault
The two new PowerShell modules put API keys, credentials and other secrets under lock and key to protect sensitive information in automation and remoting scenarios. Continue Reading
-
Feature
30 Jul 2021
Keycloak tutorial: How to secure different application types
IT pros and developers can secure applications with the open source IAM tool Keycloak. When you don't need to worry about passwords, it reduces the potential attack surface. Continue Reading
-
Feature
30 Jul 2021
Secure applications with Keycloak authentication tool
As we look toward the future of authentication, open source tools such as Keycloak give companies a way to secure applications according to their specific needs. Continue Reading
-
Definition
27 Jul 2021
password
A password is a string of characters used to verify the identity of a user during the authentication process. Continue Reading
-
News
02 Jul 2021
Russia using Kubernetes cluster for brute-force attacks
The NSA warned that Russian state-sponsored hackers launched a new container-based campaign aimed at breaching networks and stealing essential data from multiple industries. Continue Reading
-
Quiz
01 Jul 2021
Test yourself with this e-learning authentication quizlet
Integrity and authentication are two evergreen security topics. Try this quick quiz from Technic Publication's PebbleU, and see where to focus your continuing education. Continue Reading
-
Tip
22 Jun 2021
Get a grasp on using group managed service accounts
When you create a group managed service account, it relieves some administrative duties and bolsters the security related to passwords for services in a Windows environment. Continue Reading
-
Definition
23 Apr 2021
computer cracker
A computer cracker is an outdated term used to describe someone who broke into computer systems, bypassed passwords or licenses in computer programs, or in other ways intentionally breached computer security. Continue Reading
-
Definition
31 Mar 2021
challenge-response authentication
In computer security, challenge-response authentication is a family of protocols in which one party sends an unpredictable challenge and the other must return a response computed from that challenge and a secret, proving knowledge of the secret without ever transmitting it. Continue Reading
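A concrete instance of that exchange, as an added example (not code from the original page): an HMAC-SHA256 challenge-response between a client and a server that share a secret, with both sides' messages, a single-use nonce so a captured response cannot be replayed, and constant-time comparison. The usernames and shared secret are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed shared secrets; in a real deployment these are provisioned out of band.
USER_SECRETS: Dict[str, bytes] = {"alice": b"s3cr3t-shared-key-for-alice"}


def compute_response(secret: bytes, nonce: bytes) -> bytes:
    """Response = HMAC(secret, challenge). The secret never goes on the wire."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


class Server:
    def __init__(self, secrets_db: Dict[str, bytes]):
        self._secrets = secrets_db
        self._pending: Dict[str, bytes] = {}  # username -> outstanding challenge

    def challenge(self, username: str) -> bytes:
        """Message 1 (server -> client): a fresh 256-bit random nonce."""
        nonce = secrets.token_bytes(32)
        self._pending[username] = nonce
        return nonce

    def verify(self, username: str, nonce: bytes, response: bytes) -> bool:
        """Message 2 (client -> server) is checked here. The pending nonce is
        consumed whether or not the check succeeds, so a replay of the same
        (nonce, response) pair is rejected."""
        expected_nonce = self._pending.pop(username, None)
        if expected_nonce is None or not hmac.compare_digest(nonce, expected_nonce):
            return False  # unknown user, stale challenge, or replay
        secret: Optional[bytes] = self._secrets.get(username)
        if secret is None:
            return False
        return hmac.compare_digest(compute_response(secret, nonce), response)


def client_login(server: Server, username: str, secret: bytes) -> Tuple[bytes, bytes]:
    """The client side: obtain a challenge, answer it with the shared secret."""
    nonce = server.challenge(username)
    return nonce, compute_response(secret, nonce)


if __name__ == "__main__":
    srv = Server(USER_SECRETS)
    nonce, resp = client_login(srv, "alice", USER_SECRETS["alice"])
    print("fresh login:", srv.verify("alice", nonce, resp))      # True
    print("replayed   :", srv.verify("alice", nonce, resp))      # False
```

The caveat a practitioner should keep in mind: the server must hold the secret itself, not a salted hash of it, so the secret store needs the same protection as a key store; and if the shared secret is a low-entropy password, anyone who captures one (nonce, response) pair can test guesses offline at HMAC speed.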
-
Podcast
12 Feb 2021
Risk & Repeat: Oldsmar water plant breach raises concerns
This week's Risk & Repeat podcast looks at how an unknown threat actor used TeamViewer to manipulate chemical levels in a water treatment facility in Oldsmar, Fla. Continue Reading
-
News
11 Feb 2021
Oldsmar water plant computers shared TeamViewer password
In addition to the advisory published by Massachusetts officials, the FBI issued a private industry notification Tuesday that referenced poor password security. Continue Reading
-
Tip
17 Nov 2020
Explore the benefits of Azure AD vs. on-prem AD
A move to Office 365 doesn't require cutting the cord from on-premises Active Directory, but it is an option. Here's what you need to know when comparing Azure AD vs. on-prem AD. Continue Reading
-
News
28 Oct 2020
Ping Identity launches passwordless authentication system
Ping's new suite of authentication features looks to secure accounts and login processes by eliminating the need for usernames and passwords, which are often reused and an easy target. Continue Reading
-
Quiz
05 Oct 2020
Quiz: Network security authentication methods
There are many methods available to authenticate users requesting access to an organization's systems. Test your knowledge with this quiz on authentication in network security. Continue Reading
-
News
15 Sep 2020
Gartner: Privileged access management a must in 2020
Gartner's 2020 Security & Risk Management Summit focused on the importance of privileged access management to cybersecurity as threat actors increasingly target admin credentials. Continue Reading
-
Answer
10 Sep 2020
Manage unsuccessful login attempts with account lockout policy
Learn how to create account lockout policies that detail how many unsuccessful login attempts are allowed before a password lockout in order to prevent credential-based attacks. Continue Reading
-
Tip
31 Jul 2020
6 persistent enterprise authentication security issues
Some authentication factors are considered more secure than others but still come with potential drawbacks. Learn about the most common enterprise authentication security issues. Continue Reading
-
Tip
10 Jun 2020
How security teams can prevent island-hopping cyberattacks
Learn how to prevent island-hopping cyberattacks to keep hackers from gaining the confidence of a phishing victim who could then accidentally commit corporate financial fraud. Continue Reading
-
News
06 Apr 2020
Zoom takes new security measures to counter 'Zoombombing'
Zoom has implemented two key security and privacy measures in order to counter 'Zoombombing.' One enables passwords in meetings by default, while the second creates waiting rooms. Continue Reading
-
Tip
26 Feb 2020
Stop business email compromise with three key approaches
Why is BEC such a popular attack? Because it works, unfortunately, tempting hackers with huge potential payouts. Learn how to keep them from lining their pockets with your assets. Continue Reading
-
Opinion
27 Jan 2020
Where does 1Password Enterprise Password Manager fit in the EUC landscape?
Reduce the chance of a breach due to poor password habits with password vaulting. Continue Reading
-
News
23 Jan 2020
AWS leak exposes passwords, private keys on GitHub
UpGuard discovered a public GitHub repository that contained sensitive AWS customer data, including passwords, authentication tokens and private encryption keys. Continue Reading
-
News
13 Dec 2019
Google expands multiple Chrome password protection features
Chrome's updated, built-in protections are intended to help users protect their passwords and data against malware, data breaches and phishing sites, according to the company. Continue Reading
-
News
13 Dec 2019
RSA teams up with Yubico for passwordless authentication
RSA Security joined forces with Yubico to eliminate passwords within the enterprise. RSA's Jim Ducharme explains what it will take to reach the 'last mile' of the pursuit. Continue Reading
-
Feature
18 Nov 2019
IAM-driven biometrics in security requires adjustments
IAM is foundational to cybersecurity, but the latest systems use biometrics and other personal data. Learn how to cope with the resulting compliance and privacy issues. Continue Reading
-
Tip
18 Nov 2019
Biometric data privacy, ethical questions complicate modern IAM
Use of biometrics in IAM systems may help secure company systems and data, but it also raises privacy issues. Here's how to keep both your security and ethical standards high. Continue Reading
-
Opinion
29 Oct 2019
How to go passwordless if not all your apps support modern authentication standards
We want to eliminate passwords ASAP, unfortunately, some older apps can stand in the way of progress—thankfully, some identity providers devised solutions. Continue Reading
-
Opinion
17 Oct 2019
Okta competing with Microsoft, Google, and others in passwordless offerings
While giants Microsoft and Google try leading the passwordless charge, Okta also plans to help organizations cut down on password use. Continue Reading
-
Tip
09 Oct 2019
Top Office 365 MFA considerations for administrators
A complex password only goes so far to stop a breach. Implementing multifactor authentication can help, but make sure the product you select fits your current and future needs. Continue Reading
-
Opinion
09 Oct 2019
How far is Google going in eliminating passwords?
We looked at Microsoft, let’s see how a couple other vendors are doing as well, starting with Google. Continue Reading
-
News
25 Sep 2019
OneLogin releases Chrome extension combating password reuse
OneLogin said its new tool is capable of discovering phishing websites and does not store users' passwords. Instead, it uses hash analysis to identify reused and weak passwords. Continue Reading
-
Opinion
24 Sep 2019
When will we finally ditch passwords? Here’s Microsoft’s 4-step plan
Let’s be honest, passwords suck, and vendors are working to eliminate or reduce our reliance on them—what is Microsoft’s roadmap? Continue Reading
-
News
24 Jul 2019
Citrix breach blamed on poor password security
An investigation revealed the password spraying attack that gave malicious actors access to Citrix systems resulted in only some business documents being stolen. Continue Reading
-
Tip
19 Jul 2019
Construct a solid Active Directory password policy
Most user authentication still relies on a strong password to keep attackers at bay. Here's how to keep your guard up without adding to your administrative workload. Continue Reading
-
News
19 Jul 2019
Enzoic for Active Directory brings continuous password protection
Updates to Enzoic for Active Directory include NIST-compliant Continuous Password Protection, checking passwords against a live database of common or vulnerable passwords. Continue Reading
-
Opinion
20 Jun 2019
Despite recent vulnerabilities, you shouldn’t stop using hardware security keys like Yubikey
No solution is perfect, but these hardware security keys remain an awesome option in keeping accounts secure from attackers! Continue Reading
-
News
13 Mar 2019
Citrix data breach report raises more questions
Citrix disclosed a potential data breach blamed on poor password security, but a lack of details about the attack leaves only unconfirmed claims from a single cybersecurity firm. Continue Reading
-
News
01 Mar 2019
Research sparks debate over password manager vulnerabilities
Researchers found several popular password managers expose master passwords in system memory, but experts recommend consumers and enterprises should still use the products. Continue Reading
-
Answer
19 Feb 2019
How did Signal Desktop expose plaintext passwords?
The Signal Desktop application was found to be making decryption keys available in plaintext. Learn how the SQLite database and plaintext passwords were put at risk. Continue Reading
-
News
15 Feb 2019
Ponemon study: Poor password practices remain rampant
More than two-thirds of employees share passwords with colleagues, research reveals. Experts sound off on what's fueling poor password practices and how to solve the problem. Continue Reading
-
Answer
14 Feb 2019
How can credential stuffing attacks be detected?
Credential stuffing attacks can put companies that offer online membership programs, as well as their customers, at risk. Find out how to proactively manage the threat. Continue Reading
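The lockout policy described in the 10 Sep 2020 answer above and the credential-stuffing detection described here share the same raw material, a stream of login events, so one added example serves both (not code from the original page). It parses a constructed sample authentication log, simulates an account lockout policy (N failures within a window locks the account for a period, during which even a correct password is refused), and then applies a per-source-IP heuristic for credential stuffing: many distinct accounts tried from one address in a short window with a high failure ratio. The log format, thresholds and IP addresses are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample auth log (not from a real system).
SAMPLE_LOG = """\
2021-07-01T10:00:01Z user=alice ip=198.51.100.7 result=FAIL
2021-07-01T10:00:05Z user=alice ip=198.51.100.7 result=FAIL
2021-07-01T10:00:09Z user=alice ip=198.51.100.7 result=FAIL
2021-07-01T10:00:12Z user=alice ip=198.51.100.7 result=FAIL
2021-07-01T10:00:15Z user=alice ip=198.51.100.7 result=FAIL
2021-07-01T10:00:20Z user=alice ip=198.51.100.7 result=OK
2021-07-01T10:01:00Z user=bob ip=203.0.113.9 result=FAIL
2021-07-01T10:01:01Z user=carol ip=203.0.113.9 result=FAIL
2021-07-01T10:01:02Z user=dave ip=203.0.113.9 result=OK
2021-07-01T10:01:03Z user=erin ip=203.0.113.9 result=FAIL
2021-07-01T10:01:04Z user=frank ip=203.0.113.9 result=FAIL
2021-07-01T10:01:05Z user=grace ip=203.0.113.9 result=FAIL
2021-07-01T10:01:06Z user=heidi ip=203.0.113.9 result=FAIL
2021-07-01T10:01:07Z user=ivan ip=203.0.113.9 result=FAIL
2021-07-01T10:01:08Z user=judy ip=203.0.113.9 result=FAIL
2021-07-01T10:01:09Z user=mallory ip=203.0.113.9 result=FAIL
2021-07-01T11:30:00Z user=bob ip=192.0.2.44 result=FAIL
2021-07-01T11:30:10Z user=bob ip=192.0.2.44 result=OK
"""


def parse_log(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                       "user": m["user"], "ip": m["ip"], "ok": m["result"] == "OK"})
    return events


def apply_lockout(events: List[dict], threshold: int = 5,
                  window: timedelta = timedelta(minutes=15),
                  lock_for: timedelta = timedelta(minutes=30)
                  ) -> Tuple[Dict[str, List[datetime]], List[Tuple[datetime, str]]]:
    """Simulate the policy. Returns ({user: [lock times]}, [(time, user) refused while locked])."""
    recent_fails: Dict[str, deque] = defaultdict(deque)
    locked_until: Dict[str, datetime] = {}
    locks: Dict[str, List[datetime]] = defaultdict(list)
    refused: List[Tuple[datetime, str]] = []
    for ev in events:
        u, t = ev["user"], ev["ts"]
        if u in locked_until and t < locked_until[u]:
            refused.append((t, u))          # locked: refuse even a correct password
            continue
        if ev["ok"]:
            recent_fails[u].clear()         # success resets the counter
            continue
        q = recent_fails[u]
        q.append(t)
        while q and t - q[0] > window:      # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            locked_until[u] = t + lock_for
            locks[u].append(t)
            q.clear()
    return dict(locks), refused


def detect_credential_stuffing(events: List[dict], window: timedelta = timedelta(minutes=5),
                               min_accounts: int = 8, min_fail_ratio: float = 0.7) -> Dict[str, dict]:
    """Per source IP, sliding window: many distinct accounts, mostly failing."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    report: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(not e["ok"] for e in win)
            if len(users) >= min_accounts and fails / len(win) >= min_fail_ratio:
                report[ip] = {"accounts": len(users), "failures": fails,
                              "successes": sorted(e["user"] for e in win if e["ok"])}
    return report


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("lockouts:", apply_lockout(evs))
    print("stuffing:", detect_credential_stuffing(evs))
```

Note what the two controls do and do not catch: the lockout stops the brute force against `alice`, but it never fires on the stuffing source, which touches each account once; conversely the stuffing detector lists `dave` as a success from the flagged address, which is the account to reset and investigate first. Setting the lockout threshold too low turns the policy into a denial-of-service tool against your own users, so it should be paired with IP-based throttling rather than used alone.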
-
Tip
11 Jan 2019
CIAM vs. IAM: The key differences 'customer' makes
Find out everything you need to know about the nuances that differentiate customer IAM from traditional IAM so that you can implement the CIAM system at your organization. Continue Reading
-
Feature
03 Dec 2018
IAM system strategy identifies metrics that work for business
Security professionals are using identity and access management systems to track metrics on password resets, onboarding and offboarding, and employee retention and customer service. Continue Reading
-
Podcast
20 Nov 2018
Risk & Repeat: Who's to blame for bad passwords?
This week's Risk & Repeat podcast discusses whether users are responsible for creating and reusing weak passwords or if the technology systems themselves are to blame. Continue Reading
-
Tip
16 Nov 2018
Create and enforce a password policy across the enterprise
There are new-fangled approaches to enterprise security, such as biometric authentication, but tried-and-true passwords are still critical to protecting an organization's network. Continue Reading
-
Answer
11 Oct 2018
How did Netflix phishing attacks use legitimate TLS certificates?
Hackers can imitate the design and domain name of popular sites like Netflix to steal credentials. Expert Michael Cobb explains how these Netflix phishing attacks work. Continue Reading
-
News
25 Sep 2018
Hardcoded credentials continue to bedevil Cisco
Cisco hit by yet another new hardcoded credentials flaw, the latest in a long line of such flaws since last year, this time in its video surveillance manager appliance. Continue Reading
-
Answer
07 Sep 2018
How does a WDC vulnerability put hardcoded passwords at risk?
Several vulnerabilities were found in Western Digital's My Cloud, including one that affects the default hardcoded password. Learn how to avoid such risks with expert Nick Lewis. Continue Reading
-
Feature
24 Aug 2018
Weighing privileged identity management tools' pros and cons
Products that help security pros manage access privileges are essential to IT security. Learn how to evaluate market offerings and acquire the best for your company. Continue Reading
-
Answer
21 Aug 2018
LG network: How can attackers use preauthenticated commands?
A vulnerability was found in the LG network involving remote preauthenticated commands. Learn how researchers created a malicious password to show how the issue can be abused. Continue Reading
-
Opinion
15 Aug 2018
With Pwned Passwords API, annoying password policies can finally go away
Update password policies at your company by following NIST's 2017 Digital Identity Guidelines (SP 800-63B), improving user experience drastically; the Pwned Passwords API can help with the required breached-password check. Continue Reading
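How the Pwned Passwords range lookup works and how it fits a NIST-style policy, as an added example (not code from the original page or from the service): the client hashes the candidate password with SHA-1, sends only the first five hex characters of the hash to `https://api.pwnedpasswords.com/range/<prefix>`, receives every known suffix in that range with a count, and matches the remaining 35 characters locally, so the service never learns the password or its full hash. No network call is made here; the range body below is a constructed stand-in for the HTTP response and its counts are made up.

```python
import hashlib
from typing import Dict, Tuple

API_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """k-anonymity split: only the 5-char prefix ever leaves the client."""
    h = sha1_upper(password)
    return h[:5], h[5:]


def range_url(password: str) -> str:
    """The URL a client would GET for this password's range."""
    return API_RANGE_URL + split_hash(password)[0]


def parse_range_response(body: str) -> Dict[str, int]:
    """Response lines are 'SUFFIX:COUNT' (35 hex chars, colon, decimal count)."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Match the local suffix against the downloaded range; 0 means not found."""
    _, suffix = split_hash(password)
    return parse_range_response(range_body).get(suffix, 0)


def acceptable(password: str, range_body: str, min_len: int = 8) -> Tuple[bool, str]:
    """NIST-style check: length floor plus a breached-password deny list,
    and no composition rules (upper/lower/digit/symbol) at all."""
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    n = breach_count(password, range_body)
    if n:
        return False, f"appears in {n} known breaches"
    return True, "ok"


# Constructed stand-in for the body of /range/5BAA6 (the range for "password").
# The suffixes are valid 35-hex-char strings; the counts are invented.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2AAA439972480CEC7F16C795BBB429372:1
"""

if __name__ == "__main__":
    print(range_url("password"))                          # .../range/5BAA6
    print(acceptable("password", SAMPLE_RANGE_5BAA6))     # (False, 'appears in ... breaches')
    print(acceptable("short", SAMPLE_RANGE_5BAA6))        # (False, 'shorter than 8 characters')
```

In a real client the body comes from an HTTPS GET of `range_url(password)`; everything else stays as shown. Matching the suffix locally rather than sending the full hash is what makes this safe to run against a third-party service at login or password-change time.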
-
Guide
09 Aug 2018
Advances in access governance strategy and technology
Recent advances in IAM policy, strategy and technology are raising companies' ability to authenticate identities and manage access to their systems and data. Continue Reading
-
Feature
16 Jul 2018
Seeking the Truth from Mobile Evidence
In this excerpt from chapter 19 of Seeking the Truth from Mobile Evidence, author John Bair discusses Android user-enabled security in terms of passwords and gestures. Continue Reading
-
Opinion
02 Jul 2018
Yubikey is hot in the security space, so we tested the consumer experience
How easy is it to use Yubikey and would I recommend it? Continue Reading
-
Answer
26 Jun 2018
How can a hardcoded password vulnerability affect Cisco PCP?
Cisco patched a hardcoded password vulnerability found in their PCP software. Learn how the software works and how attackers can exploit this vulnerability with Judith Myerson. Continue Reading
-
Answer
14 Jun 2018
Golden SAML: How can it abuse SAML authentication protocol?
CyberArk researchers created an attack called Golden SAML that uses Mimikatz techniques and applied it to a federated environment. Learn more about the attack with Nick Lewis. Continue Reading
-
Tip
30 Mar 2018
Imran Awan case shows lax security controls for IT staff
Investigations into the conduct of the IT staff of the House of Representatives raised alarms. Kevin McDonald explains what we can learn from the case of Imran Awan. Continue Reading
-
News
21 Mar 2018
Firefox bug exposes passwords to brute force -- for nine years
A Firefox bug that exposes the browser's master password to a simple brute-force attack, because the password is protected by only a single iteration of SHA-1, is still on the books after nearly nine years. Continue Reading
-
News
29 Dec 2017
Browser login managers allow tracking scripts to steal credentials
News roundup: Third-party tracking scripts on more than 1,000 websites can harvest credentials that browser login managers autofill. Plus, Mozilla patched a critical vulnerability in Thunderbird, and more. Continue Reading
-
Tip
14 Dec 2017
Cryptographic keys: Your password's replacement is here
As passwords become targets of phishing attacks, password management has become increasingly difficult. Expert Nick Lewis explains how cryptographic keys could replace passwords. Continue Reading
-
News
12 Dec 2017
1.4 billion stolen credentials found on dark web
A massive repository containing more than 1.4 billion stolen credentials was found on the dark web with special features for malicious actors. Continue Reading
-
Security School
11 Dec 2017
CISSP Domain 5: Cloud identity management and access control
From cloud identity and access management to physical access control, this study guide will help you review key concepts from Domain 5 of the CISSP exam. Continue Reading
-
Answer
07 Nov 2017
How should security teams handle the Onliner spambot leak?
A security researcher recently discovered a list of 711 million records used by the Onliner spambot. Expert Matt Pascucci explains what actions exposed individuals should take. Continue Reading
-
Tip
25 Oct 2017
How to change an ESXi password for vCenter
A forgotten ESXi root password can stop you in your tracks. Avoid dodgy quick fixes and learn the proper way to recover a root password for vCenter-connected and stand-alone hosts. Continue Reading
-
Answer
02 Jun 2017
How can the latest LastPass vulnerabilities be mitigated?
More LastPass vulnerabilities were recently discovered. Expert Matthew Pascucci explains the flaws, as well as what enterprises can do to mitigate the threat they pose. Continue Reading
-
Tip
10 May 2017
Avoid privilege creep from the software development team
Too often, privilege creep occurs via the software development team, the result of pressure to update or launch apps. Learn what tools and tactics can counter privilege creep. Continue Reading
-
Opinion
19 Apr 2017
Start redrawing your identity and access management roadmap
Securing enterprise systems and information requires an IAM roadmap that helps you identify effective policy, technology and tools. Continue Reading
-
Podcast
12 Jan 2017
Risk & Repeat: CES Cybersecurity Forum tackles passwords, IoT
In this episode of SearchSecurity's Risk & Repeat podcast, editors highlight the topics discussed at the CES Cybersecurity Forum, as well as new technologies showcased at the event. Continue Reading
-
Tip
03 Jan 2017
FIDO authentication standard could signal the passing of passwords
The FIDO authentication standard could eventually bypass passwords, or at least augment them, as government and industry turn to more effective authentication technologies. Continue Reading
-
Answer
02 Jan 2017
What new NIST password recommendations should enterprises adopt?
NIST is coming up with new password recommendations for the U.S. government. Expert Michael Cobb covers the most important changes that enterprises should note. Continue Reading
-
Tip
24 Oct 2016
Preventing privilege creep: How to keep access and roles aligned
Privilege creep can result in the abuse of user access and security incidents. Expert Michael Cobb explains how enterprises can keep user roles and privileges aligned. Continue Reading
-
Feature
05 Feb 2016
Windows 10 Wi-Fi Sense for hotspot sharing: Is it safe?
Microsoft's Windows 10 Wi-Fi Sense was designed to make hotspot sharing easy, but experts debate if the security risks are real and whether the new feature offers substantial benefits and relative safety. Continue Reading
-
News
28 Aug 2015
Internet of Things security concerns prompt boost in IoT services
News roundup: As Internet of Things concerns become an enterprise reality, one vendor is quick to offer IoT services to combat the risks. Plus: 1% of users create 75% of the risk; Target pays up; Apple devices improperly secured in the enterprise. Continue Reading
-
Answer
30 Jan 2014
Preventing plaintext password problems in Google Chrome
Plaintext passwords are risky business. Michael Cobb discusses what Google says about the Chrome password vulnerability and potential exploits. Continue Reading
-
Tip
07 Jul 2009
Making the case for enterprise IAM centralized access control
Central access to multiple applications and systems can raise the level of security while getting rid of lots of red tape, so how do you go about creating central access management? In this tip, IAM expert David Griffeth explains the steps. Continue Reading
-
Tip
11 Nov 2008
ID and password authentication: Keeping data safe with management and policies
Learn how to improve authentication and avoid password hacking with management policies that enforce password expiration, length and complexity requirements. Continue Reading
-
Tip
19 May 2008
Ophcrack: Password cracking made easy
Scott Sidel examines the open source security tool Ophcrack, a password cracking tool aimed at ensuring the strength of corporate passwords. Continue Reading
-
Answer
13 Jan 2008
What are the pros and cons of using stand-alone authentication that is not Active Directory-based?
Password management tools other than Active Directory are available, though they may not coordinate access control as well. Continue Reading
-
Answer
10 Oct 2006
How to safely issue passwords to new users
In this Ask the Expert Q&A, our identity management and access control expert Joel Dubin offers tips on safe password distribution, and reviews the common mistakes that help desks and system administrators make when issuing new passwords. Continue Reading