2026-02-19 19:09:33
Researchers from ETH Zurich have discovered serious security vulnerabilities in three popular, cloud-based password managers. During testing, they were able to view and even make changes to stored passwords.
https://ethz.ch/en/news-and-events/eth
Completely boring take on IT security in the age of AI-discovered security vulnerabilities: Everything in IT security that was a good idea before is still a good idea. When security updates are available, install them. Reduce attack surface, avoid unnecessary complexity. Don't reuse passwords.
New post: Bytekit: Generating Passwords (online)
#blog
"Snoopy", "Adolf" and "Password": Hungarian government passwords exposed online
Nearly 800 Hungarian government e-mail addresses and their passwords are circulating online, revealing basic vulnerabilities in the security protocols of ministries involved in classified and sensitive activities.
A Bellingcat analysis of the breach data shows that 12 of the 13 government ministries were affected, which in some cases revealed the in…
‘Exploit every vulnerability’: rogue AI agents published passwords and overrode anti-virus software
https://www.theguardian.com/technology/ng-interactive/2026/mar/12/lab…
RE: https://vis.social/@infobeautiful/116420621554092188
PIN codes, like passwords and pass phrases, are impossible for a human to randomly create. If you want a secure code, generate it. Also: use a longer code if permitted. Don't use a date, sequence, o…
jeff deifik will speak on 'Cracking Passwords Like a Boss' as part of our Security track at SCaLE 23x. Full details: https://www.socallinuxexpo.org/scale/23x
It's downright weird that McDonald's is leading a campaign to advise us to use more secure passwords.
McDonald's is not lovin' your bigmac, happymeal, and mcnuggets passwords
https://www.theregister.com/2026/02/02/mcdonalds_password_advice/…
I've got 1237 entries in my #KeePassXC storage at the moment.
Don't tell me you're remembering all your #passwords and still have a unique one (without obvious patterns) per service. 😜
Use an open source
🤡 No joke – this is literally how the industry works:
1. Company sends me an NDA 📝
2. Then they email me login credentials – plain text, no temporary link, nothing… and four people in CC ✉️
Honestly, the fact that like 99% of companies still send passwords via email is insane. You can only imagine what other security issues they have.
And when they eventually get hacked, they’ll tell their insurance:
"We did everything in our power to… blah blah blah…"
The UK says Russia-linked hacking group APT28 is hijacking popular internet routers from MikroTik, TP-Link, and others to steal credentials and redirect traffic (Ryan Gallagher/Bloomberg)
https://www.bloomberg.com/news/articles/20
149 Million Usernames and Passwords Exposed by Unsecured Database
https://www.wired.com/story/149-million-stolen-usernames-passwords/
So what’s good alternative to Firefox?
I need something for Windows and iOS and it should sync passwords. Ideally not Chromium-based and obviously no AI slop.
TIL:
If you have your Samsung T7 Touch SSD encrypted with a password (and maybe a fingerprint) ..and you want to remove the encryption (or delete/change password/fingerprint).... Your device (MS Win) has to be connected to the internet. Otherwise the necessary software just hangs after unlocking the SSD.
WTAF Samsung. For real.
This led me to two questions:
1. What are the odds that passwords and fingerprints are casually transferred to some Samsung service? (Rhetor…
Threats Against Routers
"The FBI, NSA, and co-sealing agencies encourage SOHO router users to change default usernames and passwords, disable remote management interfaces from the Internet, update to latest firmware versions, and upgrade end-of-support devices. Users should also carefully consider certificate warnings in web browsers and email clients."
Moltbot is like giving some stranger you can't really trust access to all your data, communications, passwords, your computer etc.. It is maybe fascinating but just don't do it..... The large AI players can already build this for a long time but there is a reason they are not doing it....
https://www.
Wow, so 1Password has increased its already expensive services. I have only used it for work/volunteer related stuff. I've been using Apple's Keychain and now Passwords App for years.
If you're on a Mac/iOS system and want to switch, 9to5 has a good run down on how to export your 1Password database and bring it into Passwords.
If you've never used a Password Manager, you really really should.
#Security #Passwords #Apple #1Password #PasswordManager
https://9to5mac.com/2026/02/25/heres-how-to-switch-from-1password-to-apple-passwords/?utm_source=dlvr.it&utm_medium=mastodon
#PasswordManagers less secure than promised
https://ethz.ch/en/news-and-events/eth-news/news/2026/02/password-managers-less-secure…
#LeftWordle
Would you like to track streaks and stats in Left Wordle across multiple devices?
Would you use a Passkey for this purpose? Passkeys would allow users to stay anonymous (or provide an email for recovery if desired), and they wouldn’t require sensitive info (passwords) to be stored on the server.
The option to play and store data in your browser, the way it works toda…
@… when you switched to Chrome, part of the simplicity is that you are using 1Password and not Apple Passwords, right?
I might have missed it when you said what password manager you’re using and I don’t want to mix it up with the reading of ads
Not sure if this is a hot take, but: I believe most WiFi passwords serve no meaningful purpose and are actively harmful to security.
You all know how this works. You're in a hotel, at a conference, in a restaurant, etc., you want to connect to the wifi. There's probably a sign somewhere with the password.
First of all, it's annoying that you have to figure out where to find it, ask around if anyone knows it.
🧵
Before you head out for the weekend, don't miss today's Metacurity for the crucial cybersecurity developments you should know, including
--A database with 149 million usernames and passwords was exposed on the internet,
--Venezuelan nationals who stole cash from ATMs using malware will be deported from US,
--FBI asked Microsoft to unlock encrypted laptops,
--Under Armour is investigating massive data breach,
--Tech investors want the US government to prob…
Metacurity operates outside the infosec news echo chamber to track patterns, context, and connections that most other sources miss.
Check out today's issue for the most critical developments you should know, including
--Defense companies face a 'relentless barrage' of cyberespionage, Google,
--Fugitive sentenced to 2 years for pig butchering money laundering,
--Coupang data breach scope was more massive than reported,
--Discord to demand face scans or…
But why actively harmful?
You're conditioning people to treat a "password" not like a secret. If you missed the sign at the entrance, you'll ask the next person for the wifi password. And, of course, they'll usually give it to you.
That's obviously not how you should treat passwords.
We call a thing a "password" if it serves a security purpose, locks access to something that's for you, not for random other people. We probably shouldn&…
We're doing a #livestream today around a first look at our User Management library here at Duende. Think of it as an alternative to #aspnetcore Identity. It lets you manage users (shocking I know 😅), and their profile, passwords, auth mechanisms, and more.
Someday, I will send out a Metacurity email that doesn't get clipped by Gmail for having too much information, but that day is not today.
Check out today's intensely packed Metacurity that covers a host of critical infosec developments, including
--Iran-linked hackers target critical infrastructure controls, risking disruption and sabotage,
--Anthropic's Glasswing could upend bug discovery and fixes,
--GRU-linked hackers infiltrate routers to steal email a…
something I didn't need for a Sunday morning: my #Ubuntu 25.10 media machine will no longer log in via gdm3 since the last upgrade, I can use a console to run gnome-shell -wayland without issue, but the gdm3 (even re-installed) just returns to the list of users and after the first attempt will no longer offer to enter passwords and hangs.
I did inadvertently leave my keyboard unlocked and two cats in the house left unattended, but it was logged into the guest account, so I doubt they did this 😅
Curiously their snap-edition "firefox -kiosk <url>" now also hangs.
I don't want to spend too much on this: as soon as no.4 son drops by to unlock the broken Win10 and fetch his stuff, I will wipe the thing to install Debian 13 anyway.
One machine decided literally today when booting that its bit-defender key was invalidated and refused to boot.
I thought bit-defender was a password manager? No idea why the machine has decided secure boot changed and it needed this key which nobody has ever heard of, even me, a computer professional.
I think maybe Bit Defender is a boot-disk encryption system not a password manager after all?
It suggests checking with your Microsoft account to get the key. Nobody thinks they have a microsoft account, even though they do. Nobody knows any passwords for them.
Password reset, sure, but nobody knows their email password either. They never use email.
Google once lied to them that their password was wrong, and made them change it. But banned them from changing it to any old one that they actually know. It must be a new one they don't know. They wrote some down, but probably these are old ones and there's several different ones written down.
We get through all that with recovery methods for email address, luckily one phone was still logged in to read a reset email.
This bit defender key is attached to the account and I have to hand-type a 32 digit number from one screen to another.
My god.
If you only have one computer, then fuck you I guess.
California city reports ransomware attack as LA transit agency finds ‘unauthorized activity’
https://therecord.media/california-city-reports-ransomware-attack-la-metro