Tootfinder

https://blog.danielh.cc/blog/passwords
“Please stop”
We replaced passwords with something worse

PSA #Tangerine now supports proper passwords, in case you didn't like your whole banking being protected by 6 digits
#banking

Dropbox says it will discontinue Dropbox Passwords, launched in 2020, on October 28 to focus on its core product, and recommends 1Password as a replacement (Richard Speed/The Register)
https://www.theregister.com/2025/07/30/dropbox_drops_dropbox_passwords/

Users left scrambling for a plan B as Dropbox drops Dropbox Passwords
: Read-only in weeks, deleted forever in months

No, Google did not warn 2.5 billion Gmail users to reset passwords
https://www.bleepingcomputer.com/news/technology/no-google-did-not-warn-25-billion-gmail-users-to-reset-passwords/

No, Google did not warn 2.5 billion Gmail users to reset passwords
Google has disputed a widely reported story about the company warning all Gmail users to reset their passwords due to a recent data breach that also affected some Workspace accounts.

Passwords and FIDO2 Are Meant To Be Secret: A Practical Secure Authentication Channel for Web Browsers
Anuj Gautam, Tarun Yadav, Garrett Smith, Kent Seamons, Scott Ruoti
https://arxiv.org/abs/2509.02289

Passwords and FIDO2 Are Meant To Be Secret: A Practical Secure Authentication Channel for Web Browsers
Password managers provide significant security benefits to users. However, malicious client-side scripts and browser extensions can steal passwords after the manager has autofilled them into the web page. In this paper, we extend prior work by Stock and Johns, showing how password autofill can be hardened to prevent these local attacks. We implement our design in the Firefox browser and conduct experiments demonstrating that our defense successfully protects passwords from XSS attacks and malic…

Keeping screens out of bedrooms, talking, and learning how to manage passwords together are three ways you can help your child build healthy and safe online habits.
https://theprivacydad.com/three-tips-for-parents-to-help-your-chi…

Done for today. I successfully disconnected one of my Google profiles from the third-party services I use. It took some time because I had to create many passwords and then disconnect.
I also deleted several services I no longer use and switched from Gmail to privacy-focused email addresses.
Continuing tomorrow.
#degoogle

Well, that's lovely...
#Security

Google Confirms Most Gmail Users Must Change Passwords
Do not let hackers gain access to your account.

Password compromise is no joke;
it leads to account compromise and that leads to, well, the compromise of most everything you hold dear in this technological-centric world.
It’s why Google is telling billions of users to replace their passwords with more secure passkeys.
It’s why the FBI is warning people not to click on links in SMS messages.
It’s why stolen passwords are up for sale, in their millions, on the dark web to anyone with the very little amount of cas…

16 Billion Apple, Facebook, Google And Other Passwords Leaked — Act Now
Change all your account passwords now — don’t wait: 16 billion credentials are confirmed as having been leaked.

@… I kind of agree. I don’t like that you have to have software that knows who you are to use the web (or a device that does, on the side). But I also don’t see any feasible alternative.
Shared passwords (which I believe are still the majority of them) are terrible. I think I am slightly on the side of DRM.

passwords for positive change
#inspiration #BeBetter
https://muz4now.com/2014/passwords-pos

passwords for positive change
Stan Stewart - @muz4now

Secure Password Generator Based on Secure Pseudo-Random Number Generator
Abel C. H. Chen
https://arxiv.org/abs/2509.02578 https://arxiv.org/pdf/2509.02578

Secure Password Generator Based on Secure Pseudo-Random Number Generator
In recent years, numerous incidents involving the leakage of website accounts and text passwords (referred to as passwords) have raised significant concerns regarding the potential exposure of personal information. These events underscore the critical importance of both information security and password protection. While many of these breaches are attributable to vulnerabilities within website infrastructure, the strength and security of the passwords themselves also play a crucial role. Conseq…

Es gibt anscheinend einen klitzekleinen #Datenreichtum, 16 Mrd. #Passwörter geleakt.

16 Billion Apple, Facebook, Google And Other Passwords Leaked — Act Now
Change all your account passwords now — don’t wait: 16 billion credentials are confirmed as having been leaked.

A Fuzzy Set-based Approach for Matching Hand-Drawing Shapes of Touch-based Gestures for Graphical Passwords
Adel Sabour, Ahmed Gadallah, Hesham Hefny
https://arxiv.org/abs/2507.22382

A Fuzzy Set-based Approach for Matching Hand-Drawing Shapes of Touch-based Gestures for Graphical Passwords
This paper presents a two-dimension fuzzy set based approach for matching touch-based gestures using fuzzy cued click point technique. The pro posed approach aims mainly to improve the acceptance of the most closed inac curate hand drawn gestures generated by the user compared with a predefined referenced gesture value that is stored in the user profile. Commonly, gestures are used in order to facilitate the interactive capabilities between humans and computerized systems. Unfortunately, most o…

BeCyberSmart: How Fast Can a Hacker Break YOUR Password? | Oberlin College and Conservatory
https://www.oberlin.edu/cit/bulletins/passwords-matter

Dropbox telling people they have 3 months to get off Dropbox Passwords is pretty weak sauce.

Quantum Adiabatic Generation of Human-Like Passwords
Sascha M\"ucke, Raoul Heese, Thore Gerlach, David Biesner, Loong Kuan Lee, Nico Piatkowski
https://arxiv.org/abs/2506.08917

Quantum Adiabatic Generation of Human-Like Passwords
Generative Artificial Intelligence (GenAI) for Natural Language Processing (NLP) is the predominant AI technology to date. An important perspective for Quantum Computing (QC) is the question whether QC has the potential to reduce the vast resource requirements for training and operating GenAI models. While large-scale generative NLP tasks are currently out of reach for practical quantum computers, the generation of short semantic structures such as passwords is not. Generating passwords that mi…

Zeroize: The Tiny and Memory-Safe Rust Crate - Sensitive Data in Memory: A Hidden Threat
In a secure environment, one of the most overlooked threats is the presence of sensitive data in memory, such as passwords, tokens, cryptographic keys, or card numbers. Even when using Rust, where we emphasize ownership and thread safety, there's another crucial question to consider: What remains in the heap or stack after we no longer need it?
🛡️

Zeroize: The Tiny and Memory-Safe Rust Crate
Sensitive Data in Memory: A Hidden Threat In a secure environment, one of the most...

Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
https://techcrunch.com/2025/07/02/data-breach-reveals-catwatchful-stalkerware-spying-on-thousands-android-phones/

Exclusive: Data breach reveals Catwatchful 'stalkerware' is spying on thousands of phones
The spyware operation's exposed customer email addresses and passwords were shared with data breach notification service Have I Been Pwned.

DHS Secretary Kristi Noem fires 24 FEMA IT staffers, including the CIO and CISO; DHS says they failed security protocols and let hackers access FEMA networks (David DiMolfetta/Nextgov/FCW)
https://www.nextgov.com/people/2025/08/noe

Noem terminates 24 FEMA workers for failing to address cyber vulnerabilities
An internal FEMA email obtained by Nextgov/FCW ordered all agency employees to change their passwords “due to recent cybersecurity incidents and threats.”

#Secure. Or not? This is the question! :) #security #software

Big password leak. Change your passwords for google, Facebook, GitHub, etc right now, and turn on 2FA

Forget password leaks, how about a website that has every combination of every 4-32 character passwords. (347,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 (or 347 novemdecillion))
https://solst-ice.github.io/every-pass…

Every Password
A searchable list of every possible password - scroll till you find a new favorite.

My whole extended family is using me as their Password Manager. Calling me for random passwords we've set up together ages ago. 🙈

Lawsuit says Clorox hackers got passwords simply by asking
https://www.reuters.com/legal/government/lawsuit-says-clorox-hackers-got-passwords-simply-by-asking-2025-07-22/

Overblown or not, it's always a good time to update your passwords. I just went through and did everything that would severely fuck my life https://flipboard.com/@gizmodo/tech-fknh6odjz/-/a-m0vsrs-YTqqjU9-Hb98ylg:a:1876139665-/0…

What We Know So Far About the Supposed 'Mother of All Data Breaches'
Some say more than 16.5 billion credentials are involved. One thing is for sure: the dark web is swimming in stolen data. Data breaches are so common …

> She explained, “I just need the paper. I need to write things down. [The iPad script] also has so many passwords and then I would have ADD and then do something else and then it would lock me out … it was so complicated. So I printed it.”
When actors bypass corporate controls to get their work done, it's a showbiz story.

'Andor' Star Stellan Skarsgård Was the Ultimate 'Star Wars' Script Rulebreaker
Co-stars Diego Luna and Adria Arjona reminisced about the lengths the cast went to learn their lines on the highly secretive Disney+ show.

Cool, Neuralink might soon be able to read passwords from your brain - what could possibly go wrong? https://www.nytimes.com/2025/08/14/science/brain-neuroscience-computers-speech.html NYT: For some patients, the 'inner voice' may soon be audi…

For Some Patients, the ‘Inner Voice’ May Soon Be Audible
In a recent study, scientists successfully decoded not only the words people tried to say but the words they merely imagined saying.

Hybrid Classical-Quantum Rainbow Table Attack on Human Passwords
MA. Khajeian
https://arxiv.org/abs/2507.14600 https://arxiv.org/pdf/…

Hybrid Classical-Quantum Rainbow Table Attack on Human Passwords
Passwords that are long and human-generated pose a challenge for both classical and quantum attacks due to their irregular structure and large search space. In this work, we present an enhanced classical-quantum hybrid attack tailored to this scenario. We build rainbow tables using dictionary-based password generation with transformation rules to better model real user behavior. These tables are then organized into buckets, enabling faster lookup and reduced space complexity. To perform quantum…

Sorry, but this was never going to last. Sharing passwords & now VPN-access to intl video catalogs.

☑️ Some UK users on r/YouTube report that VPNs are being blocked by the platform
https://twitter.com/Awk20000/status/1952425053813141666

yeet (@Awk20000) on X
Some UK users on the YouTube subreddit are reporting that their VPNs are being detected and blocked by the platform

Haptic-Based User Authentication for Tele-robotic System
Rongyu Yu, Kan Chen, Zeyu Deng, Chen Wang, Burak Kizilkaya, Liying Emma Li
https://arxiv.org/abs/2506.14116

Haptic-Based User Authentication for Tele-robotic System
Tele-operated robots rely on real-time user behavior mapping for remote tasks, but ensuring secure authentication remains a challenge. Traditional methods, such as passwords and static biometrics, are vulnerable to spoofing and replay attacks, particularly in high-stakes, continuous interactions. This paper presents a novel anti-spoofing and anti-replay authentication approach that leverages distinctive user behavioral features extracted from haptic feedback during human-robot interactions. To …

Cannon Fodder: wayward roofs
I deliberated for far too long there whether the plural was roof or rooves. I have played Cannon Fodder many times before. I think, but I can't actually remember, that I completed it on the Mega Drive; I certainly got pretty far, but without unearthing the cartridge (and the passwords in the manual) from my loft I can't be sure. I have also played it on an Amiga emulator, but my preferred method nowadays is via the GOG copy I bought for…

Make sure you check out today's Metacurity for the most critical infosec developments you should know, including
--US agency overseeing cache of nuclear weapons was breached in SharePoint attack,
--Funding for critical infrastructure cyber threat detection has expired,
--Iranians received Apple spyware warnings,
--OpenAI founder warns of AI fraud crisis,
--Clorox claims IT provider gave hackers employee passwords,
--Feds warn of Interlock ransomware.

US agency overseeing cache of nuclear weapons was breached in SharePoint attack
Funding for critical infrastructure cyber threat detection has expired, Iranians received Apple spyware warnings, OpenAI founder warns of AI fraud crisis, Clorox claims IT provider gave hackers employee passwords, Feds warn of Interlock ransomware, IVF records posted on dark web, much more

A Startup is Selling Data Hacked from Peoples’ Computers to Debt Collectors https://www.404media.co/a-startup-is-selling-data-hacked-from-peoples-computers-to-debt-collectors/

https://www.nextgov.com/people/2025/08/noem-terminates-24-fema-workers-failing-address-cyber-vulnerabilities/407807/
Noem terminates 24 FEMA workers for failing to address cyber vulnerabilities

Noem terminates 24 FEMA workers for failing to address cyber vulnerabilities
An internal FEMA email obtained by Nextgov/FCW ordered all agency employees to change their passwords “due to recent cybersecurity incidents and threats.”

Each week, Metacurity offers our free and paid subscribers a run-down of the best infosec-related long reads.
This week's selection covers
--A twisted tale of how two men tortured someone for his crypto account passwords,
--Russia's cyber sector supports Putin's Ukraine war,
--A brain-reading implant requires a password,
--Social media algorithms didn't cause America's woes,
--The internet is really bad for children,
--More
…

Best infosec-related long reads for the week of 8/9/25
A twisted tale of how two men tortured someone for his crypto account passwords, Russia's cyber sector supports Putin's Ukraine war, A brain-reading implant requires a password, Social media algorithms didn't cause America's woes, The internet is really bad for children, more

The Passwordless Authentication with Passkey Technology from an Implementation Perspective
Lien Tran, Boyuan Zhang, Ratchanon Pawanja, Rashid Hussain Khokhar
https://arxiv.org/abs/2508.11928

The Passwordless Authentication with Passkey Technology from an Implementation Perspective
With the rise of sophisticated authentication bypass techniques, passwords are no longer considered a reliable method for securing authentication systems. In recent years, new authentication technologies have shifted from traditional password-based logins to passwordless security. Among these, Time-Based One-Time Passwords (TOTP) remain one of the most widely used mechanisms, while Passkeys are emerging as a promising alternative with growing adoption. This paper highlights the key techniques u…

Detecting Hard-Coded Credentials in Software Repositories via LLMs
Chidera Biringa, Gokhan Kul
https://arxiv.org/abs/2506.13090 https://

Detecting Hard-Coded Credentials in Software Repositories via LLMs
Software developers frequently hard-code credentials such as passwords, generic secrets, private keys, and generic tokens in software repositories, even though it is strictly advised against due to the severe threat to the security of the software. These credentials create attack surfaces exploitable by a potential adversary to conduct malicious exploits such as backdoor attacks. Recent detection efforts utilize embedding models to vectorize textual credentials before passing them to classifier…

Detecting Hard-Coded Credentials in Software Repositories via LLMs
Chidera Biringa, Gokhan Kul
https://arxiv.org/abs/2506.13090 https://

Detecting Hard-Coded Credentials in Software Repositories via LLMs
Software developers frequently hard-code credentials such as passwords, generic secrets, private keys, and generic tokens in software repositories, even though it is strictly advised against due to the severe threat to the security of the software. These credentials create attack surfaces exploitable by a potential adversary to conduct malicious exploits such as backdoor attacks. Recent detection efforts utilize embedding models to vectorize textual credentials before passing them to classifier…

Towards Practical Data-Dependent Memory-Hard Functions with Optimal Sustained Space Trade-offs in the Parallel Random Oracle Model
Jeremiah Blocki, Blake Holman
https://arxiv.org/abs/2508.06795

Towards Practical Data-Dependent Memory-Hard Functions with Optimal Sustained Space Trade-offs in the Parallel Random Oracle Model
Memory-Hard Functions (MHF) are a useful cryptographic primitive to build egalitarian proofs-of-work and to help protect low entropy secrets (e.g., user passwords) against brute-forces attacks. Ideally, we would like for a MHF to have the property that (1) an honest party can evaluate the function in sequential time $Ω(N)$, and (2) any parallel party that evaluates the function is forced to lockup $Ω(N)$ memory for $Ω(N)$ sequential steps. Unfortunately, this goal is not quite achievable, so…