A Week in the News: Password Reuse Not All Bad?

Making a case for password reuse, Google hiring hackers to fix the Internet, Apple bolsters security across its services with strong Crypto, plus various fixes and more.

Heresy!

Color me skeptical, but a collaborative group of researchers from Microsoft and Carleton University in Canada claimed in a research paper that password reuse isn’t a mortal sin but rather a necessary strategy for managing large numbers of online accounts. At first glance, their findings seem to flaunt conventional wisdom. Ultimately though, what the researchers are really advocating for is a system of tiered passwords, where you share passwords, but save the strongest ones for the most sensitive accounts and use weaker ones for less important accounts.

There’s no doubt that having a unique password for every single online account is the most secure option available. However, generating new passwords for every login is tedious and difficult to sustain.

Password management tools, the researchers claim, aren’t perfect either. The reason for that – as you might imagine – is essentially that such tools offer a single access point that could in turn give an attacker full access to all of a user’s credentials.

I’d be lying if I told you I had a unique password for every single online account. However, I definitely recommend strong, unique passwords for any account associated with finance or particularly sensitive information. As for password management tools, they definitely offer better protection than most of us can offer ourselves.

The move represents a serious barrier for attackers and others attempting to spy on those transmissions.

Project Zero

Google has been putting together a crack team of hackers tasked with rooting out vulnerabilities in third party software and other elements of the Internet that effect their customers and ultimately their business. When the team finds bugs, they will report them to the relevant vendors, help those vendors fix the problems, and publish their findings. The team is called Project Zero.

“We’re not placing any particular bounds on this project and will work to improve the security of any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers,” wrote Chris Evens, a long time Chrome security engineer and the head of Project Zero. “We’ll use standard approaches such as locating and reporting large numbers of vulnerabilities. In addition, we’ll be conducting new research into mitigations, exploitation, program analysis—and anything else that our researchers decide is a worthwhile investment.”

Crypto Apple

Apple implemented some big time Crypto this week when it quietly began encrypting virtually all of the email flowing in and out of its servers for its iCloud.com, mac.com and me.com domains. The move represents a serious barrier for attackers and others attempting to spy on those transmissions.

As Threatpost editor Dennis Fisher noted, this is no small feat:

“Apple’s move to use TLS encryption on its email domains is a major change, as it’s done at the server level and doesn’t require that users do anything on their end to improve security. Email encryption on the desktop is a notoriously painful process and is only effective on an individual basis. Having a provider of Apple’s size implement encryption on a large scale can make a major difference against well-financed attackers. Using encrypted email on an individual basis is seen as a good defense against some forms of targeted surveillance or attacks, but for large email providers such as Yahoo, Google or Apple, using encryption for communications with other providers can help protect large blocks of users.”

Fixes

Speaking of password management tools, LastPass, a popular, browser-based password management tool, fixed a pair of vulnerabilities. A knowledgeable attacker could have exploited the bugs to generate his or her own one-time password to access the victim’s account.

Google is changing its malware and phishing website warnings. Instead of a white warning on a red background, the entire page will be red, with a prominent X featured at the top of the display. Both the malware warning and the phishing warnings advise users that the site ahead may either try to install dangerous programs on your machine or trick you into giving up personal information.

Cisco patched a vulnerability in its wireless residential gateway product while Google issued an update to Chrome for Android resolving a URL spoofing issue.

Tips