Categories
Mobile Syrup

Password manager Bitwarden adds passwordless login option

Password manager Bitwarden is the latest to join the passwordless craze. Bitwarden users can start using the mobile app to authenticate themselves when accessing their web vault.

Bitwarden detailed the new feature in a blog post (via Android Police), which appears as a button on Bitwarden’s log-in page. Clicking the ‘Log in with device’ button sends a prompt through the Bitwarden app on your smartphone where you can authenticate the request and unlock your vault. Of course, before this will work, users need to download the Bitwarden mobile app (available free on iOS and Android), log into the app, and turn on ‘Approve login requests’ in the security section of the app’s settings.

Moreover, Bitwarden recommends extending the passwordless experience to your smartphone by enabling things like ‘Unlock with Biometrics,’ which lets people open their vaults using their smartphone’s biometric security, such as scanning a fingerprint or using Face ID.

For those wondering how Bitwarden keeps everything secure without needing a password, the company details several security practices at work in passwordless authentication. That includes end-to-end encryption (E2EE), a unique fingerprint phrase that identifies the login request, and support for two-factor authentication (2FA). Plus, Bitwarden says the feature will only work with recognized devices, such as a browser you’ve logged into before.

Bitwarden is the latest password manager to offer a passwordless method of logging in. Toronto-based 1Password recently added a passwordless login option. Microsoft has been pushing passwordless for a while, and earlier this year Apple and Google committed to supporting passwordless login as well.

In other Bitwarden news, the password manager recently announced it would be available in the DuckDuckGo browser for Mac.

Source: Bitwarden Via: Android Police


Toronto-based 1Password adds new secure file sharing feature

Toronto-based AgileBits rolled out new functionality to its 1Password password manager that makes it easier for users to securely share documents.

1Password detailed the new feature in a blog post (via The Verge). It’s effectively an expansion of the secure password-sharing feature released last fall. 1Password users can share documents or files stored in the app with other 1Password users, or with people who don’t use 1Password.

To share a file, 1Password users must create a secure link to it. The Verge describes it as similar to sharing a Google Drive file, but with more control over who can access the file. 1Password lets users restrict file access through expiry dates, or make people verify their email address with a one-time code to gain access.

For recipients, the process is as simple as clicking a link. It opens a ‘share.1password.com’ page where recipients can access the file or information shared with them. 1Password even shared an example file so people can see how it looks.

Overall, it seems like a pretty handy addition to 1Password. It should be a lot easier to share sensitive documents and files with friends and family. Or, just a great way to securely share your Netflix password with someone (despite how much the company wishes you’d stop sharing your password).


Source: 1Password Via: The Verge


Several LastPass users reported login attempts using their correct passwords

LastPass, one of the more well-known and popular password managers available, is seeing several reports of attempted log-ins with users’ correct master passwords.

For those unfamiliar with LastPass or password managers in general, they typically require users to have a primary or master password that unlocks their password vault, which contains the passwords for all their other accounts. Although that may sound like a recipe for disaster, password managers allow people to use randomly generated passwords for all their accounts, meaning you only need to remember one really strong password for your password manager instead of hundreds of mediocre passwords (or worse, the same password reused).

Reports were first spotted on the ‘Hacker News’ forum by AppleInsider (via Android Police). The reports explain that LastPass informed users about blocked login attempts that originated from other parts of the world, often from Brazil. According to the LastPass emails, these login attempts include correct passwords, but were blocked because of the unusual geographic location.

Interestingly, LastPass’ owner, LogMeIn, says there’s no indication that its servers were hacked. You can read the full statement provided to Android Police below:

“LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.”

Passwords could have come from third-party breaches, phishing scams

However, the attempted logins appear to be coordinated, which begs the question: where did these malicious actors get the passwords from? LogMeIn points the finger at third-party breaches, which could be a possibility if LastPass users reused their passwords from other online accounts.

Other theories posited on the Hacker News forum include a LastPass autofill exploit from 2015, while others suspect the LastPass users who reported the problem may have been phished. Another possibility is that LastPass’ old, discontinued forum, which apparently required people to log in with their LastPass master password, could be to blame.

Whatever the reason, if you use LastPass, you may want to take a few steps to protect yourself. First, it’s probably a good idea to change your master password. And while you’re doing that, enable two-factor authentication (2FA) if you don’t have it on already. Finally, if you don’t use LastPass anymore — which may apply to several people since LogMeIn effectively killed the free version in 2021 — you should take the time to delete your account. That should prevent any malicious actors from potentially gaining access to any passwords still saved to LastPass.

Source: Hacker News Via: AppleInsider, Android Police


Microsoft wants you to ditch your password

Big tech really wants you to ditch your password.

Back in 2019, I spoke with a Google product manager about the problem with passwords. He urged people to ditch passwords in favour of better authentication methods, noting that alternate systems are “probably your safest bet.” Fast forward to now, and it seems Microsoft is also on board with dropping passwords.

In an announcement post, Microsoft unveiled that it’s adding a new option to remove the password from your Microsoft account. People who do so can use other methods to sign in, such as Microsoft’s Authenticator app, Windows Hello, a security key or a verified code sent to your phone or email.

However, it’s worth noting that you could effectively avoid using your Microsoft Account password before now — you just couldn’t remove it entirely. I haven’t ditched my password, but I also haven’t typed it in years. Instead, whenever I need to sign in to my Microsoft Account, I use the Authenticator app. I grab my phone, authenticate myself, and I’m logged in and ready to go. It’s fast, simple and convenient.

Of course, not everyone is on board with ditching passwords just yet. Some things still require a password, and some people feel more secure having one. Microsoft also detailed some of the reasons why passwords aren’t that secure — most of it echoes other things I’ve written about passwords, including that Google story mentioned up top.

Passwords aren’t secure because people suck at making them

First, there’s the human nature side of it. Most people still create their own passwords, and to remember those passwords, most people also use the same (or very similar versions of the same) password across several sites and services. Moreover, people often pick passwords that are easy for them to remember. The problem, however, is that if a hacker guesses your password for one site, or breaches a site’s security and steals its passwords, there’s a good chance that they will be able to use that password to log into other websites.

Hackers have plenty of other ways to get passwords too. Phishing attacks, for example, seek to trick people into giving up their log-in information. One way to do this is to create a fake login page for an app like Netflix, then send people an email saying something like, “There’s an issue with your billing info, sign in to fix it.” If the email looks real enough, people will click through the link to the website, type in their password, and inadvertently give up their log-in.

If you’re interested in going passwordless with your Microsoft Account, you can do so by heading to ‘account.microsoft.com,’ signing in and clicking ‘Advanced Security Options.’ Under ‘Additional Security,’ look for ‘Passwordless Account’ and select the option to turn it on. If the option isn’t there, you may need to wait a bit as Microsoft continues the rollout over the next few weeks. And, you can always switch back if you don’t like it.

If you still need a password, get a password manager to boost your security

Of course, if you’re concerned about your other online accounts and they don’t offer passwordless options like Microsoft, there are other steps you can take to improve security. For example, using a password manager to create long, unique, impossible-to-guess passwords for each website can go a long way to improving your online security.

Other options that can help include two-factor authentication (2FA). It’s not a perfect system, but adding another layer of security can help keep your accounts secure even if someone gets your password.

Source: Microsoft