It’s Password Day, and this is as good a time as any to mention that Britton White and I have been collaborating on some research expanding on his investigation into infostealers. We will be reporting on that work in the near future, hopefully. But in the meantime, Britton posted this today about something he found:
The machine in use by this person and/or their family contains 531 sites where credentials were saved in the browser(s), so it’s no wonder they were saving their usernames and #passwords for everything.
Now think about all the work they’ll be undertaking shortly to change all their passwords… that is if they’re unaware of the gravity of their situation.
Their router login, TurboTax, Imprivata, VMware, and other logins included.
But to add to the gravity of the situation, this person is the server engineer for a children’s hospital.
Britton, being one of the truly good guys in this world, is reaching out to this person, but think of all the many others who are totally unaware that they have been compromised or how the compromise of their personal devices could potentially compromise their employer’s system.
Britton and I will have more on this issue, including some thoughts for the public and some issues for employers trying to balance data security with workplace privacy. But for today, Password Day, would this be a good time for you to at least change a few passwords for your most important accounts?
But if you are thinking that Google’s new Assistant can be the solution to your problems because it notifies you and enables you to quickly change stored passwords that have been in a reported breach, well, I have some sad news for you: Britton and I will be explaining why what may appear to be a boon is actually a big part of the problem.