{"id":5477,"date":"2014-07-18T10:00:08","date_gmt":"2014-07-18T14:00:08","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=5477"},"modified":"2020-02-26T10:53:35","modified_gmt":"2020-02-26T15:53:35","slug":"password_reuse_not_bad","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/password_reuse_not_bad\/5477\/","title":{"rendered":"A Week in the News: Password Reuse Not All Bad?"},"content":{"rendered":"<p><strong>Heresy!<\/strong><\/p>\n<p>Color me skeptical, but a collaborative group of researchers from Microsoft and Carleton University in Canada claimed in a research paper that <a href=\"https:\/\/threatpost.com\/researchers-say-password-re-use-isnt-all-bad\/107265\" target=\"_blank\" rel=\"noopener nofollow\">password reuse isn\u2019t a mortal sin<\/a> but rather a necessary strategy for managing large numbers of online accounts. At first glance, their findings seem to flout conventional wisdom. Ultimately, though, what the researchers are really advocating for is a system of tiered passwords, where you share passwords, but save the strongest ones for the most sensitive accounts and use weaker ones for less important accounts.<\/p>\n<p>There\u2019s no doubt that having a unique password for every single online account is the most secure option available. However, generating new passwords for every login is tedious and difficult to sustain.<\/p>\n<p>Password management tools, the researchers claim, aren\u2019t perfect either. The reason for that \u2013 as you might imagine \u2013 is essentially that such tools offer a single access point that could in turn give an attacker full access to all of a user\u2019s credentials.<\/p>\n<p>I\u2019d be lying if I told you I had a unique password for every single online account. However, I definitely recommend strong, unique passwords for any account associated with finance or particularly sensitive information. 
As for password management tools, they definitely offer better protection than most of us can offer ourselves.<\/p>\n<p><strong>Project Zero<\/strong><\/p>\n<p>Google has been putting together a crack team of hackers tasked with rooting out vulnerabilities in third-party software and other elements of the Internet that affect their customers and ultimately their business. When the team finds bugs, they will report them to the relevant vendors, help those vendors fix the problems, and publish their findings. <a href=\"https:\/\/threatpost.com\/google-project-zero-may-prove-a-big-win-for-security\/107206\" target=\"_blank\" rel=\"noopener nofollow\">The team is called Project Zero<\/a>.<\/p>\n<p>\u201cWe\u2019re not placing any particular bounds on this project and will work to improve the security of any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers,\u201d wrote Chris Evans, a longtime Chrome security engineer and the head of Project Zero. \u201cWe\u2019ll use standard approaches such as locating and reporting large numbers of vulnerabilities. In addition, we\u2019ll be conducting new research into mitigations, exploitation, program analysis\u2014and anything else that our researchers decide is a worthwhile investment.\u201d<\/p>\n<p><strong>Crypto Apple<\/strong><\/p>\n<p>Apple implemented some big-time Crypto this week when it quietly began encrypting virtually all of the email flowing in and out of its servers for its iCloud.com, mac.com and me.com domains. 
The move represents a serious barrier for attackers and others attempting to spy on those transmissions.<\/p>\n<p><a href=\"https:\/\/threatpost.com\/apple-implements-email-encryption-for-icloud\/107285\" target=\"_blank\" rel=\"noopener nofollow\">As Threatpost editor Dennis Fisher noted, this is no small feat:<\/a><\/p>\n<p><em>\u201cApple\u2019s move to use TLS encryption on its email domains is a major change, as it\u2019s done at the server level and doesn\u2019t require that users do anything on their end to improve security. Email encryption on the desktop is a notoriously painful process and is only effective on an individual basis. Having a provider of Apple\u2019s size implement encryption on a large scale can make a major difference against well-financed attackers. Using encrypted email on an individual basis is seen as a good defense against some forms of targeted surveillance or attacks, but for large email providers such as Yahoo, Google or Apple, using encryption for communications with other providers can help protect large blocks of users.\u201d<\/em><\/p>\n<p><strong>Fixes<\/strong><\/p>\n<p>Speaking of password management tools, <a href=\"https:\/\/threatpost.com\/lastpass-fixes-a-pair-of-security-flaws\/107183\" target=\"_blank\" rel=\"noopener nofollow\">LastPass<\/a>, a popular, browser-based password management tool, fixed a pair of vulnerabilities. A knowledgeable attacker could have exploited the bugs to generate his or her own one-time password to access the victim\u2019s account.<\/p>\n<p><a href=\"https:\/\/threatpost.com\/google-set-to-change-malware-phishing-warnings-following-study\/107217\" target=\"_blank\" rel=\"noopener nofollow\">Google is changing its malware and phishing website warnings<\/a>. Instead of a white warning on a red background, the entire page will be red, with a prominent X featured at the top of the display. 
Both the malware warning and the phishing warnings advise users that the site ahead may either try to install dangerous programs on your machine or trick you into giving up personal information.<\/p>\n<p><a href=\"https:\/\/threatpost.com\/cisco-patches-wireless-residential-gateway-vulnerabilities\/107280\" target=\"_blank\" rel=\"noopener nofollow\">Cisco patched a vulnerability<\/a> in its wireless residential gateway product while <a href=\"https:\/\/threatpost.com\/chrome-for-android-update-fixes-critical-url-spoofing-bug\/107288\" target=\"_blank\" rel=\"noopener nofollow\">Google issued an update to Chrome for Android<\/a> resolving a URL spoofing issue.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Making a case for password reuse, Google hiring hackers to fix the Internet, Apple bolsters security across its services with strong Crypto, plus various fixes and 
more.<\/p>\n","protected":false},"author":42,"featured_media":5478,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[105,261,22,187,398,753,121,268],"class_list":{"0":"post-5477","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-android","9":"tag-encryption","10":"tag-google","11":"tag-passwords","12":"tag-patches","13":"tag-project-zero","14":"tag-updates","15":"tag-vulnerabilities"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/password_reuse_not_bad\/5477\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/password_reuse_not_bad\/3775\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/password_reuse_not_bad\/3673\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/password_reuse_not_bad\/4160\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/password_reuse_not_bad\/4413\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/password_reuse_not_bad\/4702\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/password_reuse_not_bad\/4315\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/password_reuse_not_bad\/4702\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/password_reuse_not_bad\/5477\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/password_reuse_not_bad\/5477\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/android\/","name":"Android"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5477","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspers
ky.com\/blog\/wp-json\/wp\/v2\/users\/42"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=5477"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5477\/revisions"}],"predecessor-version":[{"id":33245,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5477\/revisions\/33245"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/5478"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=5477"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=5477"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=5477"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}