Engadget: Ring doorbell flaw lets others watch after password changes. “You’d expect a smart doorbell to instantly boot out everyone the moment you change your password, but that isn’t necessarily the case. The Information has learned that the app for Ring’s video doorbell wasn’t forcing users to sign-in after password changes, regardless of how much time had elapsed — in one case, an ex-partner had been watching the camera for months. Ring said it started kicking people out in January, after receiving word of the incident, but that window of opportunity still lasted several hours in an Information test.”
NBC Los Angeles: Twitter Tells All Users to Change Their Passwords as Security Precaution. “Twitter on Thursday advised all users to change their passwords after the company discovered a bug that stored unmasked passwords. The social media company said that the bug was fixed and that there was “no indication of breach or misuse by anyone.” It urged its more than 300 million users to change their passwords on all services that use the same password.”
ERR: Searchable database of 215,000 leaked Estonian account passwords now online. “This data has been half-publicly making the rounds online for some time, however one activist has finally sorted the accounts by country and made them available on one website in order to draw internet users’ attention to the security of their passwords.”
BetaNews: Password manager RememBear exits beta with official launch. “After around six months in beta — and two years in the making — the team behind the TunnelBear VPN tool has officially launched its password manager, RememBear. Vying for attention in an already somewhat crowded marketplace, RememBear takes a leaf out of TunnelBear’s book, and concentrates on offering functionality that’s simple to use.”
Krebs on Security: Don’t Give Away Historic Details About Yourself. “Social media sites are littered with seemingly innocuous little quizzes, games and surveys urging people to reminisce about specific topics, such as ‘What was your first job,’ or ‘What was your first car?’ The problem with participating in these informal surveys is that in doing so you may be inadvertently giving away the answers to ‘secret questions’ that can be used to unlock access to a host of your online identities and accounts.” Or be like me and make up phony answers to your secret questions.
Ars Technica: Thousands of servers found leaking 750MB worth of passwords and keys. “In a blog post published late last week, researcher Giovanni Collazo said a quick query on the Shodan search engine returned almost 2,300 Internet-exposed servers running etcd, a type of database that computing clusters and other types of networks use to store and distribute passwords and configuration settings needed by various servers and applications. etcd comes with a programming interface that responds to simple queries that by default return administrative login credentials without first requiring authentication. The passwords, encryption keys, and other forms of credentials are used to access MySQL and PostgreSQL databases, content management systems, and other types of production servers.” womp womp.
Bleeping Computer: Firefox Master Password System Has Been Poorly Secured for the Past 9 Years. “For the past nine years, Mozilla has been using an insufficiently strong encryption mechanism for the ‘master password’ feature. Both Firefox and Thunderbird allow users to set up a ‘master password’ through their settings panel. This master password plays the role of an encryption key that is used to encrypt each password string the user saves in his browser or email client.”