PasswordBox remembers and automatically enters all your passwords across all your platforms. It signs you into websites, logs you into apps, and enables you to securely share your digital keys with friends and loved ones — all via an app for your smartphone (Android and iOS) and a Chrome browser extension for your desktop.

“We’re focusing on one thing: one-click login everywhere,” PasswordBox chief executive officer and six-time serial entrepreneur Dan Robichaud told me yesterday. “You can share accounts with your friends or a spouse, and we used advanced machine learning to support automatic login to about 90 percent of sites – including banking sites with two-step logins.”

Source: PasswordBox

PasswordBox’s mobile apps offer a start screen to access all the secures sites you need to access.

PasswordBox has been in invite-only beta for months but already has 425,000 users. Its app for iOS just launched on Friday last week, and it has already surpassed Gmail as the top app in the Productivity category. But, Robichaud told me, the company wants to scale carefully, so it’s limiting access via a reservation-based system. The first million users will get staged access along with their free-for-life accounts.

(The company started reservations this morning, and 77,000 have already been snapped up.)

When you’re using PasswordBox online, it automatically learns your passwords as you enter them on websites. But you can also set it to create its own passwords — long, difficult, impossible-to-remember — that it then uses, which means that you can have unique passwords for every site and service you access. That’s important because if Yahoo or Netflix or Facebook have a security breach and your password is stolen, it will only affect that service and not your entire digital life.

All you have to remember is your PasswordBox main password.

“Your passwords are encrypted on your computer,” Robichaud says. “If you forget your master password, we can’t send it to you, so you need to remember it.”

The company is launching a fingerprint device later this year with built-in biometrics that will let you back in. This will allow you to access your passwords with just your fingerprint, Robichaud told me.

For mobile, PasswordBox’s app on Android will sign you in to apps with login requirements and use a built-in browser to access all your sites from the app — with your passwords being automatically entered. For iPhone, PasswordBox can’t yet sign you into apps although it can launch them and automatically put your password in the clipboard for you to paste in. And like on Android, PasswordBox on iPhone asks you to use its built-in browser to access sites securely.

Robichaud started the company after his mother spent a summer scanning family pictures and uploading them to Picasa. She then had a car accident — fortunately, not severe — but it made him think, what happens to our digital life if we die?

The original PasswordBox was built around that scenario, but Robichaud quickly discovered that in-case-you-die-buy-our-app was not “too hot with consumers.” So the company pivoted to manage all your passwords on all your platforms. But it kept the social side, which means that you can share your passwords with a spouse, friend, or relative.

And the social side is still important for PasswordBox marketing and monetization as well:

“Our model is like Dropbox,” Robichaud told me. “We’re free up to 25 passwords, or you can invite 25 friends to get it for free, or you can win free VIP access in a daily draw. Otherwise, you can pay $1/month for access.”

Image credits: PasswordBox

The password, as we know it, isn’t the most effective or user-friendly way to secure our information. Not only are the good ones tough to create and remember, but there’s not all that much preventing an eager hacker from finding clever ways of getting around them.

As a result, there’s a lot of brain juice being poured trying to figure out how to replace our crummy passwords. One of the more interesting ideas came from Motorola advanced technologies head Regina Dugan, who this week showed off a pair of technologies that could eventually render the password obsolete.

One idea, dubbed the Motorola Pill, is a stomach acid-powered pill that sends out an 18-bit authentication signal when you try to log into a service, saving you the trouble of remembering and typing a password. Motorola calls it the “authentication vitamin.”

While the idea sounds interesting, the problem with the pill solution is that you have to swallow it. Perhaps easier to, er, stomach, is Motorola’s take on the password tattoo, which also features a chip with your login credentials. Developed by electronics company MC10, this system’s approach to the password is a lot like the Motorola Pill: Rather than forcing you to remember a password, the tattoo turns your entire body into a password.

Google is already experimenting with facial recognition on Android.

“This isn’t stuff that is going to ship anytime soon. But it is a sign of the new boldness inside Motorola,” Motorola CEO Dennis Woodside said at the D11 conference this week. (“Bold” is a common word used to describe Motorola these days.)

Yet another take on the post-password future comes from Fast Identity Online (FIDO), a security alliance that includes companies like Google, PayPal, and Lenovo. Like the Motorola and MC10 technologies, FIDO’s system is all about biometrics like fingerprint scanners and voice and facial recognition, among other, more conventional technologies.

While many of these systems are already in use (facial recognition on Android, fingerprint scanners on Lenovo computers, etc), what’s been missing so far is a system that ties all of these biometrics into one cohesive whole. And that’s exactly what FIDO wants to do.

Of course, anytime there’s talk of digital tattoos and ingestible chips, you inevitably edge into worries over a Philip K. Dick-level dystopia, where people voluntarily opt-in to the most effective government/corporate surveillance tool every created. That’s not a future I’m particularly eager to see made real.

Still, a biometric take on passwords seems like the most sensible way to fix the system, which we all put a lot of faith in despite the fact that we don’t entirely understand it. While the password has served us fairly well so far, it’s clearly time for something new and different. I’m eager to see what we come up with.

At this point, pretty much everyone has heard that they suck at making passwords, and sadly, Google agrees. So it released a public service announcement-type video explaining how to do build a strong password.

You’ve likely heard Google’s tips before, but they’re good for a refresher. The company stresses that you use a different password for each “important service.” We’ve been saying this for years — tier your passwords. Have the top tier include accounts such as your e-mail, bank account, and Facebook account. Yes, Facebook is particularly important nowadays — nearly anything an identity theft would want to know about you other than your bank account and social security number is on it. Then come up with a different password for each one and stick to it. Don’t share.

Google also says the longer the password the better, though it notes that a password like, “My name is Inigo Montoya. You killed my father. Prepare to die!” is probably no good since everybody knows that saying (right?). Google also recommends using a password manager since the reason why most people share passwords among their accounts is fear of forgetting them.

Of course, it’s good for Google if you get better at passwords too. It makes its own services such as Gmail and YouTube much more secure and reduces the collective migraine the Google security must have while trying to protect your accounts.

Cloud identity management company Ping Identity says that between those six or more corporate passwords and all the personal passwords we maintain, the average person has to remember 15 passwords. That’s probably a recipe for disaster, given the total information onslaught we face every day, which is why the majority of us — 61 percent — reuse passwords from site to site.

That’s what security companies call “password negligence,” and the results are costly.

Too many passwords and not enough memory contributes to 39 percent of all malicious hacking attacks, which can cost large enterprises $5.5 million each.

One solution, of course, is corporations requiring users to change their passwords every 30 to 60 days. That’s more secure, theoretically, but people often reuse an old password. Or, worse, if they’re worried they won’t be able to remember the new password, they may write it down.

The end result, unfortunately, can be less security than before the change.

All the data is below, in visual form:

photo credit: Simon Lieschke via photopin cc

July 9-10, 2013
San Francisco, CA

Tickets On Sale Now

It seems even Twitter is a little shaken up about the recent rash of major media account hacks. The company sent out a letter to publications saying it expects more hacks and provided tips on how to keep Twitter accounts safe.

In April, hackers broke into and tweeted from the Twitter accounts of CBS, NPR, and the Associated Press. The hackers posted messages that accused the U.S. government of “being in bed” with terrorists, and in the Associated Press’ case, faked an explosion at the White House.

That one bogus AP tweet caused the Dow Jones Industrial Average to drop 1 percent almost immediately, highlighting just how much people trust Twitter as a breaking news resource. Undoubtedly this puts a lot of pressure on Twitter, and it’s trying to make sure publications know that this is a problem that isn’t going away just yet.

“We believe that these attacks will continue and that news and media organizations will continue to be high value targets to hackers,” said in the memo, which was posted by Buzzfeed.

A group called the Syrian Electronic Army, a proregime hacking collective, took credit for the hacks, though they are far from the only people trying to get attention through these means. The hackers, according to Twitter, are mostly able to get access through phishing attempts alone. These are tricks that hackers use to get regular people to simply give up the login information.

Twitter urges companies not to share their passwords in email or over the Internet and to limit the amount of people who have access to the account.

It also seems to be grasping at straws, telling publications to designate one computer from which people tweet. Those who tweet from this computer, however, should not access the Internet in other ways (such as for email) lest they expose themselves to malware. It seems a little outlandish for the pace of breaking news today. “Hold on guys, just filed my story. Need to ask Jimmy down at the copy desk to tweet it out next time he’s on the Twitter laptop.”

The company also asks publications to use two-factor authentication on their email addresses and to otherwise use strong passwords. Twitter specifically called out LastPass and 1Password as good methods of storing individual passwords for all your accounts (since often a good password for every site you use is hard to remember).

Of course, we’ve heard the rumors that Twitter is working on its own two-factor authentication, and we’re happy about that. But as PhishMe chief executive Aaron Higbee explained shortly after the AP incident: two-factor authentication won’t always save you. Businesses really need to put their employees through some kind of phishing trainings to show them what a phishing attack looks like, how convincing they really are, and best ways to avoid them.

Check out the letter:

Please help us keep your accounts secure. There have been several recent incidents of high-profile news and media Twitter handles being compromised. We believe that these attacks will continue, and that
news and media organizations will continue to be high value targets to
hackers.

What to be aware of:

These incidents appear to be spear phishing attacks that target your
corporate email. Promoting individual awareness of these attacks
within your organization and following the security guidelines below
is vital to preventing abuse of your Twitter accounts.
Take these steps right now:

Change your Twitter account passwords. Never send passwords via
e-mail, even internally. Ensure that passwords are strong- at least 20
characters long. Use either randomly-generated passwords (like
“LauH6maicaza1Neez3zi”) or a random string of words (like “hewn cloths
titles yachts refine”).

Keep your email accounts secure. Twitter uses email for password
resets and official communication. If your email provider supports
two-factor authentication, enable it. Change your e-mail passwords,
and use a password different from your Twitter account password.

Review your authorized applications. Log in to Twitter and review the
applications authorized to access your accounts. If you don’t
recognize any of the applications, contact us immediately by emailing
______@twitter.com.

Help us protect you. We’re working to make sure we have the most
updated information on our partners’ accounts. Please send us a
complete list of all accounts affiliated with your organization, so
that we can help keep them protected.

Build a plan. Create a formal incident response plan. If you suspect
your organization is being targeted by a phishing campaign or has been
compromised by a phishing attack, enact the plan.

Contact us immediately at ______@twitter.com with the word “Hacking”
in the subject. Include copies of suspected phishing emails.

If you lose access to an account, file a Support ticket and email the
ticket number to ______@twitter.com.

Moving Forward:

Review our security guidelines to help make sure your accounts are as
secure as possible.

Talk with your security team about ensuring that your corporate email
system is as safe as possible. A third-party provider that allows for
two-factor authentication might be a safer solution.

Strong security practices will reduce your vulnerability to phishing.
Consider the following suggestions:

Designate one computer to use for Twitter. This helps keep your
Twitter password from being spread around. Don’t use this computer to
read email or surf the web, to reduce the chances of malware
infection.

Minimize the number of people that have access. Even if you use a
third-party platform to avoid sharing the actual Twitter account
password, each of these people is a possible avenue for phishing or
other compromise.

Check for signs of compromise. Checking your email address and
authorized apps weekly or monthly can help detect unauthorized access
and address the problem before access is abused.

Double-check the email address associated with your Twitter accounts:

https://twitter.com/settings/account

Review the apps authorized to access your accounts:

https://twitter.com/settings/applications

Change your password regularly. Changing your Twitter password
quarterly or yearly can reset the clock if a password has leaked.

Using a Password Manager integrated into your browser can help prevent
successful phishing attacks.

Third-party solutions such as 1Password or LastPass, as well as the
browser’s built-in password manager, will only auto-fill passwords on
the correct website. If the password manager does not auto-fill, this
might indicate a phishing attempt.

Password managers make it much easier to use a very strong password.
Very difficult passwords will discourage memorization, which will
greatly reduce the chances of being phished.

Be certain to set a master password, since otherwise passwords may be
stored unprotected.
Don’t hesitate to email us if you need assistance.

Owl image via Shutterstock

July 9-10, 2013
San Francisco, CA

Tickets On Sale Now

When hackers compromised the Associated Press’s Twitter account yesterday, they showed just how much damage one can do with a few scary tweets.

Now, Twitter is finally making it harder for that to happen again. The company is working on a two-factor authentication system for Twitter accounts, which should, in theory, make it harder for hackers to break into them, as Wired reports.

Twitter’s reply? “We have nothing to announce at this time,” the company tells VentureBeat.

Here’s how it the system would work: Right now when you log into your Twitter account from a new computer or device, Twitter treats that device like any other you’ve used — you just log in and start using the service. With two-factor authentication, that process gets a bit more complicated: Soon, when you try to log in on a new device, Twitter will also send to your phone a random code, which must be entered on you new device before you’re able to use Twitter.

Basically, what two-factor authentication does is add a second layer of security: Hackers may get a hold of your password, but it won’t do them much good if they don’t also have your phone.

While two-factor authentication is new to Twitter, Facebook, Google, and, most recently, Microsoft all already offer it. It’s not perfect, but then again, no security measure really is.

Sometimes we all need a quick refresher on where to start when it comes to protecting our identities online, lest we get burned.

We’ve all heard of Mat Honan, the Wired reporter who had his digital life destroyed by hackers last year. F-Secure, a Finnish security company, created an infographic about his experience and provide tips on how to avoid making the same mistakes he did.

Of course, the focus here is all on the password — that lock that seems so easily picked. Since before Honan’s story got huge recognition, the security industry has called the password the “Achilles’ Heel” of security. In lieu of a better solution, F-Secure’s emphasize that two-factor authentication is the best way to put more obstacles in the way of your cyber assailants.

The second piece of advice may come as a surprise: lying. We’re all taught not to lie, but lying on your security questions may actually help keep the walls of your accounts standing. The answers to most of the traditional security questions — What’s your dog’s name? What’s your mom’s maiden name? What’s your paternal grandmother’s name? — can easily be found on social media profiles.

Which leads to an interesting last point: You need to get a little narcissistic. How? By Googling yourself and really going deep into those search results. Opt-out of personal listings websites like Spokeo and the White Pages. See what other types of website might have your profile pictures from social sites, or taken your Tumblr or blog posts without permission. You never really know where people are accessing little bits and pieces about you until you try to access that same information.

Check out the infographic below for a quick refresh on how to start protecting yourself:

Hacked image via Shutterstock

How many times have you been told never to write your passwords down? What if your passwords never had to leave your brain — ever? A team at the University of California at Berkeley may have found a way to make “pass-thoughts” commercially accepted.

Pass-thoughts are thoughts that a headset records through brainwaves. The computer learns what your individual brainwaves are like and then identifies you. Traditionally, these brainwaves, called electroencephalograms (EEGs), are collected through expensive and sometimes invasive devices, so the pass-thought growth has been severely stunted.

“No one wants to install invasive probes under their skull every time they check their email!” Berkeley’s school of information said in a blog post.

But professor John Chuang found that using new and less powerful EEG-reading devices could make the process much easier — and more adoptable. Chuang and his team started experimenting with the Neurosky MindSet, an EEG reader that looks like a normal Bluetooth device and can connect to a computer wirelessly. It costs around $100. The headset only measures a “single-channel EEG signal,” that of your left brain. The team was worried that this signal wouldn’t be strong enough for the computer to learn an individual’s brainwave patterns, but as it turns out, it works.

Though $100 might be steep for some, this might be one of the more promising uses of biometrics in authentication simply because it doesn’t require very expensive technology that you might see in retina scanning.

In order for the computer to learn your signals, you must think of one pass-thought for your account. In its tests, the team asked groups to think about moving their fingers up and down, singing a specific song, and acting out a sporting activity such as swinging a golf club. Participants were also asked to choose a color and then count objects of that color in a provided video. The team found that people were more willing to use the pass-thoughts system when they enjoyed the thought they had to repeat for their “password.” Most enjoyed counting colored objects and singing a specific song.

Kid idea image via Shutterstock

A Google developer is celebrating an Apple success today. That is, the iPhone maker has finally enabled HTTPS for all of its App Store today, fixing a number of vulnerabilities the Google developer discovered and reported.

Elie Bursztein discovered and reported the issue to Apple in “early July,” according a blog post by the developer. He said that by not having HTTPS enabled across of all of the network traffic from Apple’s App Store, it opened itself (and its customers) up to a number of attacks. This includes password stealing, tricking a user to download an unwanted app, preventing app downloads or app updates, and stealing information about what apps are on a device.

An attacker only needs to be on the same network as the person who is using the App Store. From there, they can intercept the communications between the device and the App Store and insert their own commands, achieving the desired trickery. In the case of stealing a person’s Apple ID password, the attacker would only need to insert a fake prompt for the password when the person boots up the App Store. They are then tricked into thinking that opening the App Store is what caused the password prompt, and thus trust it.

Check out the video below to see Bursztein demonstrate this attack.

Apple, according to Bursztein, has finally turned on HTTPS, veritably plugging up these holes that fuel these attacks as well.

Usually, the Android system is the one dinged with criticisms about security. According to a recent study by security research firm F-Secure, 72 percent of mobile malware can be attributed to Android. But research such as Bursztein’s shows that nothing is really 100 percent safe, not even iOS.

hat tip The Verge; App Store image via Brusztein’s YouTube

Do you know how many accounts you have with various websites and online services?

The answer is probably no, and that is why you — yes, you — are wide open to losing personal information.

Not knowing what data you have out there is a dangerous game. If your accounts share any common data at all, hackers who get into one of them can leverage that account to get into others. Shared passwords, shared secret answers for requesting password resets, even basic data like your address and social security number can be lurking on little-used accounts you haven’t logged into for months. Each one is a potential target.

That’s why the first step to increasing your security is to do a personal survey of all your online accounts, which at this point, you unfortunately have to do manually. Just going through your email and to see who is pushing you marketing material is a good way to get started.

If you’re like me, the number of accounts you have is far higher than you’d expect. I expected to find 20 accounts in my name; instead, I found 114.

That’s a lot of personal information I didn’t know about floating around the web. Indeed, LastPass, an online password manager, told me that the average LastPass account holds an average of 100 accounts.

“I probably have at least 150 accounts that I regularly use at least once or twice a year. I think it’s a massive problem,” said Shane Green, the chief executive officer at Personal, in an interview with VentureBeat. “We have literally infinite pieces of information about us spread out all over the Internet.”

Personal is one of Silicon Valley’s answer’s to poor account security and password management. The company offers a service to store all of your login credentials. Each credential is individually encrypted and accessible only by you — not even Personal can see your information. That means instead of 150 accounts, you only have to worry about one: Your Personal account.

The company recently released a feature called Fill-It that could help you with account organization even further. The feature lets you take encrypted information, such as your credit card and billing address, out of Personal and share it temporarily with another site, such as Amazon.com. Amazon never gets to keep that information, but instead it is able to temporarily read your Fill-It, complete the transaction, and forget everything it ever saw.

If you’re not into the big, scary encryption, however, and want something a little simpler, some simple maintenance might be the answer. Spend two or three hours tracking down all your accounts. After you’ve written them all down, separate them into categories of importance based on the information they hold.

• Highest priority: Your bank accounts and email accounts.
• High priority: Any accounts that hold credit card information is also of high importance. If you have stored your credit card on your favorite retailer’s website — or any other site — include it here.
• Medium priority: Any social media, note-taking, or content-storing apps should also be closely watched.
• The bottom rung: Those one-off daily-deals sites you’ve never used, magazines, sites that you signed up for just to enter a contest, and the like.

After you’re done sorting, then purge, baby, purge! Get rid of anything you don’t use weekly: Delete the account outright, or log into the account and delete all the personal information you don’t feel comfortable with.

If you really want to dig in deep, research what happens to your data when you close an account so you know how long your information is sitting out there.

Then come up with a password scheme: unique, difficult passwords for each site in the top tier and shared, easier passwords for the bottom tiers. You can save these passwords on websites such as LastPass if you have a lot of high priority accounts. But remember that services like LastPass and OnePassword protect all your passwords by using a password. You can also sign up for Personal’s beta.

“I do, however, think protecting all your passwords with a password [if you use a complex password] is radically better than how people do it today,” said Personal’s Green.

So, get account counting, folks. And tell us in the comments how many you find.

Created by Meghan Kelly; Original login image via Shutterstock

Nok Nok, a company that wants to help organizations get rid of the traditional login and password, raised $15 million in its first round of funding today from DCM and Onset Ventures.

The company created a Unified Authentication Infrastructure that lets companies keep their systems safe by using the existing security products in different computers — such as desktops, servers, and mobile phones — to identify a user. For instance, you may have to swipe a finger or user your voice to prove you are you.

Logins and passwords are one of the most insecure parts of a company’s system. You need a login and password to prove that you are who you say you are. But with mobile technologies entering the workplace, as well as other Internet connected devices, employees are having to authenticate from many different access points. These add more attack vectors for someone trying to get into the system, so new forms of authentication, such as Nok Nok, are being introduced to the market.

But we haven’t yet gotten rid of the password because there simply hasn’t been something good enough to replace it. Nok Nok is working with a number of well-known organizations to put smart thinkers together to come up with the best ways to deal with this problem. Those organizations include PayPal’s electronic payment division, Lenovo, and Infineon Technologies AG.

Nok Nok was founded in November 2011 and is based in Palo Alto, Calif.

hat tip Reuters; Nok Nok image via Nok Nok

You’ve had grammar drilled into your head since elementary school, but when it comes to creating passwords, researchers are now saying to forget everything you’ve learned.

Institute of Software Research Ph.D student Ashwini Rao and her team discovered that using proper grammar in your password actually weakens their security. That is, grammar is easier to predict and leads us to use pronouns, adverbs, and adjectives, which are easier for password crackers to solve. Rao’s team ran a homemade password cracker — or a piece of software that attempts to guess your password — that was outfitted with grammar knowledge. According to a statement released by Rao’s team, the cracker beat out “state-of-the-art password crackers,” solving 10 percent of the 1,434 passwords they fed it.

Passphrases are the in vogue password of choice nowadays, which may lead people to start using sentences as their “phrases.” For instance, you might use “iambetterthansheis.” Rao says that pronouns are significantly easier to crack than nouns simply because there are far fewer of them. “Meghanpuzzleasstown” is likely to be much more difficult to crack.

“I’ve seen password policies that say, ‘Use five words,’” Rao said in a statement. “Well, if four of those words are pronouns, they don’t add much security.”

Stick with passphrases that are three or four words, that are completely random. Look around the room and start picking out words. But mindful not to pick words that go together. Researchers have already determined that passphrases might be weaker than expected, just because humans tend to put words together that, well, make sense. That is, you might think baseballdiamondhorse. Sure, a horse doesn’t have much to do with baseball or diamonds, but a baseball diamond is a thing that could easily be associated.

Rao will present further findings at the Association for Computing Machinery’s Conference on Feb. 20.

Password image via Shutterstock

If Google has its way, you could soon use an electronic ring rather than a password to login to websites.

As revealed by Wired today, Google VP of security Eric Grosse and engineer Mayank Upadhyay have outlined several ways to rethink the traditional password. The two are responding to the problem of password security. Passwords often don’t provide enough protection as we saw when tech journalist Mat Honan had many of his accounts hacked last August.

“Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,” Grosse and Upadhyay write in an upcoming paper for IEEE’s Security & Privacy magazine.

Two ways the Googlers imagine changing the password?

• A smartphone or smart-card ring that you wear that can authorize a new computer to give you access to certain sites or to the machine itself.
  
•  Plugging a customized USB drive into the computer while you are browsing that automatically logs you in to sites. When you take out the USB drive, the sites no longer give you access.

While these are just a few ideas, it’s hard to say if they will see the light of day soon or far in the future. In the meantime, security experts agree that you should turn on multi-factor authentication (if you’re offered the chance) to protect your accounts.

Ring over keyboard via Dmitriy Sudzerovskiy/Shutterstock

Cloud platform Heroku announced today that it has plugged up a hole in its account creation system that would have let hackers change existing account passwords and take control of any account.

Heroku first heard about the password vulnerability from security researcher Stephen Sclafani on Dec. 19. It says it released a patch the following day. Sclafani found the issue when he realized that Heroku used a two-step sign-in process. That is, you must first enter an email address and then wait for Heroku to send you an email with an activation link to set up your account.

“Multistep sign up processes are notorious for containing security vulnerabilities, and after taking a closer look at Heroku’s, I found that it was possible, given only their user ID, to obtain any user’s email address and to change their password,” said Scalfani in a blog post.

He discovered that a hacker need only play around with an HTTP POST request, or the part of the conversation between a website and a server that asks the server to store information, such as a new password. Before the patch, the server accepted any changes to an account’s password using this request, thus giving the person access to the account. Sclafani found a second vulnerability that let anyone use a similar “attack,” but on the password reset page. Instead of changing a specific account password, however, this vulnerability only let you change the password to a random account.

Patches for  both holes appeared Dec. 20, and Heroku says it could not find any instances where the vulnerability had been used in the past. It went on to say it is “extremely grateful” to him for practicing “responsible disclosure.”

“Despite finding these vulnerabilities I plan to host my startup at Heroku,” said Sclafani. “Security vulnerabilities happen and Heroku handled the reports well.”

You could classify Heroku as a platform as a service company. That is, it’s a cloud computing service that enables people build web applications in a variety of coding languages on top of Heroku’s development platform. It supports Ruby, Python, Node.js, and Java, among other languages and also supplies managing tools to keep your app afloat. The company was founded in 2007, and was bought by cloud customer relationship manager Salesforce in 2010.

Heroku image via igb/Flickr

As of the first of the year, it is officially illegal to request a Facebook password when interviewing prospective employees in California. A pair of bills signed by Gov. Jerry Brown in September took effect on Tuesday.

Brown signed the Assembly Bill 1844 and Senate Bill 1349, which “prohibit universities and employers from demanding your email and social media passwords,” as Brown said on his Facebook page. Earlier in 2012, people began calling out interviewers and institutions for asking for Facebook passwords as part of the review process. The process of screening a prospective student’s or employee’s social media accounts to decide whether or not they’d be a good addition to the institution is not a new one. But at least with this process, people felt as if their private information was still sacred.

When employers and universities request passwords, however, people undoubtedly feel as if saying no is a red flag and hand over the credentials.

As Wired notes, six states total have adopted similar legislation, as there isn’t federal regulation banning the password-requesting process yet. The states that join California include Illinois, Delaware, Maryland, Michigan, and New Jersey.

At the time, Facebook quickly responded saying that it did not approve of employers asking for social-media passwords and noted that people agree in the terms of service not to give out that information.

“As a user, you shouldn’t be forced to share your private information and communications just to get a job. And as the friend of a user, you shouldn’t have to worry that your private information or communications will be revealed to someone you don’t know and didn’t intend to share with just because that user is looking for a job,” said Facebook chief privacy officer, policy Erin Egan in a blog post. “That’s why we’ve made it a violation of Facebook’s Statement of Rights and Responsibilities to share or solicit a Facebook password.”

via Wired; Jerry Brown image via Jerry Brown 2010/Flickr

On Dec. 31, people around the world will share resolutions to lose weight, become more productive, quit smoking, and read more often. But how many of them will resolve to secure themselves online?

We’ve seen cyber-attacks continue to increase in the last few years, and it’s not just the big guys like Google and Dropbox getting attacked. One of the biggest mistakes a company, or person, can make is to assume that they are too small to be a target.

Individuals are at risk, too: Consider the sad example of Mat Honan, the Wired reporter whose iPad, iPhone, and Mac were wiped because a hacker liked his Twitter handle.

But “securing your digital life” probably sounds like a daunting task, so we’ve put together five ways to get you, personally, on the road to a security-conscious state of being.

See those update notifications? Start using them!

Hackers are like groundhogs. They like holes. Once they find a hole (or make a hole), they can crawl through your system, leaving backdoors and other points of entry to get back inside. But in order to do that, the hacker has to get in first.

When companies discover holes, it is their responsibility to patch them up and send out an update to their users. We do hear the stories of attacking companies such as Adobe for taking their time to patch known vulnerabilities, but it’s in a company’s best interest to fix the hole, protect its servers, and protect you.

The only problem is that so many people don’t actually update their software. And I don’t just mean the software on Macs or PCs but on phones as well. When you see that little update button come through, whether it’s on your computer or your smartphone, take the time and go through the process.

You can use tools such as Qualys’ Browser Check to make sure your browser and related plug-ins are up-to-date. Try it right now, you might be surprised to find that some of your plug-ins are old and insecure.

Clean out your Facebook profile and read through the company’s privacy documentation

Your Facebook profile is an identity thief’s goldmine. It has your birth date, oftentimes your full name, your family members (their full names), your hometown, your current town, the schools you went to, your job, any groups you’re a part of, your political stance, your sexual orientation, your relationship status, and your photos. Anyone trying to answer a security question to get access to your bank account could likely find the answer on your Facebook profile.

You need to make sure you know exactly what is on there, and get rid of anything you feel could be used against you. If you’ve got 4,000 photos, go through all of them. If your posts were inappropriate when you first opened up Facebook, delete them. But don’t forget that anything you delete off of Facebook stays on its servers for some time, though the social network will eventually delete it completely.

You should also be aware of its privacy policies too. Facebook isn’t necessarily an evil, data-mining, privacy-upending machine. It’s a business that is trying to make money, and your data just so happens to be what it makes money off of. Get acquainted with what the Statement of Rights and Responsibilities and the Data Use Policy say, and “like” Facebook’s Site Governance page. Unfortunately, you’re not going to be able to vote on any of the policy changes anymore, but at least you can get to know them and provide constructive feedback to Facebook when you feel violated.

Protect your phone and understand what your apps are doing

How many of you have the banking application Mint on your phone, but you don’t have a pin or pattern password protecting the phone itself? As Lookout Mobile recently said in a blog post, “Our smartphone knows more about us than perhaps anyone or anything in our lives.”

The Federal Communications Commission recently created a set of simple tips smartphone owners should check out based on the type of smartphone they have, whether that’s iOS, Android, Windows Phone, or even BlackBerry. The tips only scratch the surface of how you can protect your phone, but it puts you in a security frame of mind. Check them out and download some of the suggested security apps before 2013 — a year guaranteed to be filled with all new exploits and hacks — gets underway.

But protecting what’s on the phone isn’t always the problem. Sometimes it’s the apps you’ve already downloaded that are taking too much of your information. We saw this early in 2012 when Path, a social app, was found to be siphoning off users’ contacts without permission.

Bitdefender, an antivirus company, created the tool Clueful that tells you what your iOS apps are doing when you aren’t looking. I typed in Angry Birds Free to see what it does. Clueful reports that it tracks my usage, can display ads, could track my location, uses an anonymous identifier, and encrypts stored data. Good to know. If you’re trying to download an app you’re unsure of, however, it’s probably good to do a little more research.

Don’t be fooled by phishing scams and spoofed websites

One of the most successful ways hackers get your information is simply by tricking you into giving it up. Sometimes it’s a prince in Nigeria who is desperate to give you $50 million. Other times it’s less obvious, like an email faked to look like it’s coming from LinkedIn but is actually just trying to get your account information. When it comes to these “spoofed” emails, it’s always best to hover over any link in the email before clicking on it, so you can see the link’s true destination. (This only works on a computer with a mouse, not a phone or a tablet, obviously.)

You should also be very suspicious if a company is asking you for your username and password. Most companies guarantee that they will never ask you for a password or credit card information via e-mail.

But it’s not just emails that get spoofed. The websites that are often associated with those emails often take a digital polyjuice potion and pretend to be a trustworthy site as well. In order to catch these sites before you enter personal information, F-Secure‘s chief research office Mikko Hypponen suggests using Flag for Chrome or Flagfox for Firefox.

“It’s a handy extension which shows a flag in the URL bar of the browser, indicating the country where the website is hosted. This comes handy in more cases than you’d think,” Hypponen told VentureBeat in an email. “For example, if you follow a link that you think should take you to your bank’s website but the Flag shows the site is hosted in Uganda, you should probably close the tab.”

Organize your accounts and passwords

This is going to be the most painful resolution: knowing where all your accounts are online. You’ve likely set up an account for nearly every website you frequent nowadays. There’s the obvious ones like Facebook and Gmail, but how about your favorite retailers, Amazon, Groupon, Gilt, your local newspaper, your blogging platform? The list goes on.

It’s important to know where you accounts are because it’s important to know all the avenues a hacker may take to get your information. Look at Wired reporter Honan. Earlier in 2012, Honan’s iPhone, iPad, and Mac were all wiped after a hacker got into his Amazon account. The information there gave the hacker enough information to answer Apple’s security questions and access Honan’s iCloud account. There the hacker held the keys to Honan’s digital kingdom. Cyber-criminals often use a daisy chain to hop from one app to the next until they get to their trophy.

Start with your Gmail inbox and write a list of every website that sends you spam email, you’ve probably got an account on each one.

Once you know where all your accounts are, you should divvy them up into different password categories. At the beginning of my career Dave Marcus, a director at McAfee Labs, suggested the tier system to me. Put your most valuable accounts at the top with unique passwords for each. This should include your bank account, Gmail, and Facebook.

The second tier should have one, difficult password for all your semi-important accounts, and the last tier should have one easy password for all the accounts you could probably get rid of anyway.

Right now people are saying that passwords are the bane of Internet security. But no one has found the safest, but still consumer-friendly, way to replace them yet (though companies like OneID think they’ve got the right solution). So, until then you’ll just have to use easy to remember, but difficult to crack passwords such as passphrases. (Think of three random words that mean something to you and put them together, like “dogpeppermintsport,” and you’ll have a workable passphrase.)

There are tools to keep track of your passwords too, such as One Password and LastPass, but keep in mind that by using them, you’re putting all your eggs into one basket. While these services might help you remember your passwords, they are themselves protected by — what else — a single password. Eventually everything breaks, so be prepared.

Hacked image via Shutterstock

Identity is one of the biggest problems on the internet right now. Not only do people not know where all their accounts are across the web, they often store the passwords to those accounts in files, emails, or on paper.

Companies like Ping Identity, Okta, and others are coming out of the woodwork to try and solve this issue of identity, particularly for enterprises that often have employees signing into a number of different applications throughout the day. Those companies don’t want login credentials — the gateway to their data — just lying around. And they often want to be able to manage and shut off access to certain accounts when needed.

Passwords are now getting the brunt of the blame for weak login security. VentureBeat chatted with Ping Identity’s chief executive Andre Durand to talk about the biggest needs in identity, if the passwords needs to finally kick the bucket, and what companies can do to manage employee accounts. Durand has three steps to a more secure online identity:

1. Companies need to separate “identities” from applications
2. Companies need to get rid of passwords all together
3. Companies need to focus on and enforce their own standards, or policies

Check out the video for more:

Video via livex.tv

A programmer found nearly 100,000 unprotected usernames and passwords on the Institute of Electrical and Electronics Engineers’ servers, according to his analysis released today. The IEEE is now working to clean up the mess.

The IEEE is a well-known organization for technologists and has over 400,000 members. On September 18, Romanian programmer Radu Dragusin discovered unencrypted IEEE login credentials left publicly available on its FTP server. He says he found “99,979 unique usernames” and passwords. The servers also showed all of the members’ activities on the website and may have remained unprotected for at least a month.

“IEEE has become aware of an incident regarding inadvertent access to unencrypted log files containing user IDs and passwords. We have conducted a thorough investigation and the issue has been addressed and resolved. We are in the process of notifying those who may have been affected,” the organization told VentureBeat in an email. “IEEE takes safeguarding the private information of our members and customers very seriously. We regret the occurrence of this incident and any inconvenience it may have caused.”

Dragusin says he has no intention of releasing the data, though he suspects others already have their hands on it.

As Ars Technica points out, while this is an embarrassment for the IEEE, what might be more embarrassing are the kinds of passwords being used by the members. Among the 99,979 usernames and passwords he found, 271 people used the password “123456,” followed by “ieee2012,” “12345678,” 123456789,” and “password.”

No, really.

In his analysis, Dragusin notes that a number of the users are from famous technology companies such as Apple, Samsung, Google, IBM, and even NASA.

He also obtained a copy of the notification letter the IEEE sent out to infected members. It says “this matter has been addressed and resolved,” and assures users that no financial information was exposed. The organization also urged members to create a strong password, and included instructions on how to do so.

hat tip Ars Technica; images from Radu Dragusin

If you forget your Apple iCloud password, don’t expect to hop on the phone to change it. Apple announced today that for the time being, it will no longer change passwords over the phone, according to The New York Times.

The move comes after a hacker tricked an Apple customer service representative into handing a hacker the keys to Wired reporter Mat Honan’s digital kingdom.

Over the weekend, the hacker, aka Phobia, gamed Amazon customer service, who gave him access to Honan’s account. The information Phobia found there provided him enough information to trick Apple and get into Honan’s iCloud account. From there, Phobia deleted Honan’s Gmail account, wiped his iPhone, iPad, Mac, and spammed his and Gizmodo’s Twitter accounts (Honan had linked the two accounts previously).

Apple spokesperson Natalie Kerris said this in a statement:

“We’ve temporarily suspended the capability to reset AppleID passwords over the phone. We’re asking customers who need to reset their password to continue to use our online iForgot system (iforgot.apple.com). This system can reset a password in one of two ways – either have a password reset sent to an alternate e-mail address already on record or challenge the customer to answer security questions they had previously set up. When we resume over the phone password resets, customers will be required to provide even stronger identify verification to reset their password.”

At the time, all you needed to retrieve an Apple password was the person’s e-mail address, billing address, and the last four digits of a credit card on file. These pieces of information are easily uncovered with a little digging. Phobia snagged the last four digits of Honan’s credit card after breaking into his Amazon account, which was fairly easy as well.

Phobia accessed Honan’s Amazon account by providing an account holder’s name, e-mail address, and billing address (that last of which Phobia found after doing a “WhoIs” lookup on one of Honan’s websites) to a customer service representative. Once approved, Phobia added a new credit card number to the account, which was later used as “identifying information” to trick a second Amazon representative into letting Phobia into the account. The four-digit credit card number used to trick Apple was listed inside the account.

Yesterday, Amazon quietly told customer service that it was no longer allowed to change account information, such as adding a credit card number or e-mail address, over the phone.

via The New York Times; Image via gflinch/Flickr

Former Gizmodo staffer Mat Honan’s iCloud account was compromised over the weekend, which led to both his Twitter account and Gizmodo’s official Twitter account getting hacked.

Honan’s iCloud account gave the hacker access to the Find My Phone feature, thus allowing them to remotely wipe all the data on his iPhone, iPad, and worst of all, his Mac. Honan’s Gmail account was also deleted in the process, and he’s been locked out of other services, including his phone, which he linked with Google Voice through Sprint.

Initially, Honan thought the hacker broke into his account using brute force, despite a seven character alpha-numeric password that he felt was pretty secure. Apparently, this wasn’t the case.

“I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions,” Honan wrote via his Tumblr page. “Apple has my Macbook and is trying to recover the data. I’m back in all my accounts that I know I was locked out of. Still trying to figure out where else they were.”

Two-factor authentication, which requires confirmation via both an email message and usually a text message, would have probably prevented the hacker from deleting Honan’s Gmail account and kept people off the Twitter accounts, he said. Unfortunately, Honan didn’t have the two-factor authentication turned on. So, if there’s a moral to this story, it’s that you should go enable two-factor authentication whenever possible. (Do it now!)

This still doesn’t fix the problem of fooling the Apple Care technician over the phone. The computer giant needs to step up its security for verifying user accounts if it plans on seriously taking on the likes of Google, Yahoo, and Microsoft with its iCloud service — not to mention the growing number of cloud-based storage services like Dropbox and Box.net.

Hacked password image via Raywoo/Shutterstock

July 9-10, 2013
San Francisco, CA

Tickets On Sale Now

It seems Apple will no longer require you to put in a password when downloading free apps in its latest mobile operating system, iOS 6.

Cult of Mac noticed the change today, a week after Apple released the latest version of iOS 6 to developers for bug testing. The blog also notes that Apple has been loosening up on other areas where passwords once provided a boundary. In iOS 6 you will no longer have to enter a password to download apps (paid or free) that have previously been downloaded, or for updates to those apps.

The practice of entering a password to download a free application seems unnecessary. Entering your password generally signals the act of giving the App Store permission to access your payment information. But it does keep kids from downloading tons of apps to their parents’ phones. Apple is undoubtedly, however, catering to those responsible downloaders who appreciate the extra ease of getting desired content.

It’s Apple ability to make downloading such a simple process that makes iOS users so valuable to developers. Many praise Apple for the one-click check-out, saying it helps with in-app purchase sales.

When the latest iOS 6 build, which includes this latest development, was originally released, the most obvious changes were to Apple’s new maps application. New features included the ability to switch between miles and kilometers, traffic and construction alerts, more 3D-imaging, and the ability to control the GPS voice navigator volume and the language in which directions are dictated.

Developers also noticed “answer” and “decline” buttons for FaceTime calls. Those with a developer account will be able to see these news features in Build 10A5355d. Developer accounts are sold by Apple for $99 an account.

via Cult of Mac; Image via Meghan Kelly/VentureBeat

July 9-10, 2013
San Francisco, CA

Tickets On Sale Now

Not content with just the automotive industry, Ford may be moving into the password storage business.

According to a promotional video created by French ad company Ogilvy Paris (spotted by Fast Co Design earlier today), Ford is working on a way for users to more easily log in to websites like Facebook and Twitter.

The functionality comes from KeyFree Login, an app that allows users to log in simply by placing their phones next to their computers. Working via Bluetooth, the extension detects when a paired device is nearby and automatically logs users in to their accounts.  You can get a better idea of how it works in the video below.

The app’s goal appears to be to promote the capabilities of Ford’s KeyFree technology, which allows car owners to unlock their vehicles just by walking towards them.

I’m not sure what’s more surprising — that this technology is coming from Ford, or that Google and Apple haven’t yet tried something similar. The reason for that may lie in security. After all, with the app, users are just one unattended phone away from having more than a few of their accounts compromised.

Either way, as nice as the app is, there are still a lot of unanswered questions about it. Is it a Google Chrome extension or a standalone OSX application? Why hasn’t it appeared on Ford’s France website or in the Google Chrome Store? Will it ever see the light of day outside of France?   We’ve contacted Ford to find out the answers to these questions and will update when the company responds.

Design is determining the winners in everything mobile. The most successful players are focusing on one thing: How to make products, services, and devices as compelling and delightful as possible – visually, and experientially. MobileBeat 2012, July 10-11 in San Francisco , is assembling the most elite minds to debate how UI/UX is transforming every aspect of the mobile economy, and where the opportunities lie. Register here.

LinkedIn is being sued for a password hack that resulted in millions of passwords being stolen from the business social network and appearing on a Russian forum.

The class action lawsuit comes from a premium (or paying) LinkedIn user Katie Szpryka, who says LinkedIn didn’t do enough to “properly safeguard its users’ digitally stored and personally identifiable information, including e-mail addresses, passwords, and login credentials.” She claims that the company failed to use Industry Standard Protocols to protect the information and wants over $5 million in return. Indeed, LinkedIn has been criticized for the way it handled the breach, with some customers unhappy that a notice was not immediately distributed.

Early in June, 6.5 million encrypted passwords were found on a Russian website, some of which were rumored to be from LinkedIn. Because the passwords were hashed, security researchers had to unlock the passwords and test them against LinkedIn accounts. After finding multiple matches, the company came forth and confirmed that LinkedIn was compromised and that all account holders should change their passwords immediately.

Following the confirmation, a number of spoofed LinkedIn e-mails showed up. A spoofed e-mail is an e-mail that looks like it is coming from a credible source, often using the same e-mail templates, to trick the user into giving up personal information. In this case, some of the e-mails asked users to update their LinkedIn account information. Links within these e-mails also took users to websites selling Viagra and related products.

Check out the lawsuit below:

hat tip GigaOm, via Courthouse New Service ; Justice scales via Shutterstock

Professional social network LinkedIn wants you to know that its taking the recent password security breach to heart — despite lacking greater measures to prevent such hacks and a chief information security officer charged with keeping track of privacy flaws.

The company is taking a lot of heat after hackers divulged 6.5 million user passwords and uploaded them to a Russian forum for help encrypting them. The security breach is due to an exploit with the way LinkedIn’s mobile app handles a user’s calendar data, as VentureBeat previously reported. LinkedIn later confirmed the breech, and advised its users on what steps to take to ensure their information was secure.

In a blog post reaffirming its commitment to security yesterday, LinkedIn claimed that it has no evidence of any accounts being compromised as a result of the security breach.

Despite this, LinkedIn members aren’t ready to forgive and forget. Some users are complaining that LinkedIn didn’t act quickly enough in contacting them about the password leak, while security experts are pointing out that the company could have added an extra layer of password security known as “salting.” There’s also the matter of the social network not having a executive-level officer to manage security and privacy.

In the blog post, LinkedIn Director of Engineering Vicente Silveira wrote:

“We take this criminal activity very seriously so we are working closely with the FBI as they aggressively pursue the perpetrators of this crime. As you may have heard, there have been reports of other websites that have suffered similar thefts. We want to be as transparent as possible while at the same time preserving the security of our members without jeopardizing the ongoing investigation.”

As far as leaked user data is concerned, probably the worst candidate this could happen to is LinkedIn — which contains plenty of personal contact information and linked relationships between business associates across the globe. That could have the potential to wreck business deals and end professional careers. It’s good that the company is being proactive with messages on its blog, but it’ll have to do better than that if it wants to regain the trust of its users.

First LinkedIn’s passwords were was hacked, then eHarmony’s. Today we found out passwords from Last.fm’s may also have been stolen.

Odds are pretty good there are more compromised site that we just don’t know about yet. So guess what it’s a good time to do?

CHANGE ALL THE PASSWORDS!

We strongly recommend coming up with a new set of passwords for the key services you use. Of course, it’s impossible to go to every site you have ever set up an account on, but it would be worth your time to change passwords on any site that has important personal or financial information on you.

Here are some tips to keep your passwords safe:

• If you get an email from any services asking your to update your information, DO NOT CLICK on the link the in the email. Odds are pretty high it’s spoofed.

• Do not use the same password for everything. I have one password for throwaway accounts, one for sites that don’t have much information on me, one for those that have a bit of info, and unique passwords for each account that has a high level of information, like my bank account.

• Do not use “password,” “12345,” or any other easily guessable words.  If you have to use one word so you can remember it, choose a word that does not mean anything to anyone except you. Try misspelling it and adding numbers. For example, I have passwords that are from other languages but spelled incorrectly (as well as a few other memes).

• If you’re feeling advanced, you can try this trick: Think of the first line of a song you like, take the first letter of each word in that line, then put them together. Swap out some of the letters for numbers if you can and maybe add a symbol or two.

• DO it now. I know it’s a pain, but better safe then sorry. And again DO NOT CLICK on anything from an email. Only go to the site directly in a new tab or window.

To make your life easier in the future, keep a list of every site you create a login for. That way, when it’s time to do a clean sweep, you know exactly where to go.

This post originally appeared in PeriVisioN

July 9-10, 2013
San Francisco, CA

Tickets On Sale Now

Music service Last.fm believes user passwords may have been compromised along with yesterday’s LinkedIn leak. The company is encouraging everyone to change their passwords immediately.

“We are currently investigating the leak of some Last.fm user passwords. This follows recent password leaks on other sites, as well as information posted online,” said Last.fm in a blog post this morning.

On Wednesday a huge number of passwords, 6.5 million, turned up on a Russian forum. The passwords were believed to be from LinkedIn accounts, but were hashed and needed to be unencrypted by security researchers. Soon after the researchers were called in, LinkedIn released a blog post confirming that a number of these passwords belonged to accounts on the business social network.

The Last.fm crew says that its own passwords may have been swiped up in the same leak, and will be updating users through its Twitter handle @lastfm while the investigation is ongoing. The company has not yet confirmed that accounts have been compromised, but still encourages users to change passwords now.

Last.fm also promises that it will “never email you a direct link to update your settings or ask for your password.” Important to note, as a number of spoofed LinkedIn e-mails were sent to members asking them to update their accounts. These e-mails look like they come from LinkedIn, but are actually phishing for personal or financial information. ESET security research Cameron Camp confirmed that some of the links in these e-mails actually directed users to websites selling Viagra.

If you have not yet changed your LinkedIn or Last.fm passwords, now is a good time to do it. Often people use the same password for many different online services because it’s easier to remember. But if your LinkedIn password is the same as your Bank of America password, you can see how that would be an issue.

Piano image via Shutterstock

Criminals have already started taking advantage of millions of stolen LinkedIn passwords that were uncovered today. Spoofed emails are being sent to LinkedIn users, phishing for personal information and redirecting traffic to Viagra-selling websites.

This morning 6.5 million passwords were apparently leaked from the business social network. The passwords were hashed, not plain text, and uploaded to a Russian website this morning. Researchers quickly looked into whether the passwords were legitimate, and LinkedIn later confirmed they were. The company released a blog post saying, “we can confirm that some of the passwords that were compromised correspond to LinkedIn accounts.”

Any LinkedIn user who has not yet changed their password should do so immediately.

But be careful not to do so through an email prompt. Eset security researcher Cameron Camp explained in a blog post today that a number of LinkedIn users have been receiving emails from the social network asking them to confirm account information. Camp has found these to be false emails, spoofed by cyber criminals to look like legitimate notifications from LinkedIn. Indeed, the first link in one of these spoofed emails will take you to a website selling Viagra.

These types of spoofed emails are unique to today’s incident, but there’s a chance that criminals could take this opportunity to attempt to phish personal information out of unsuspecting LinkedIn users.

hat tip The New York Times; Phishing image via Shutterstock

It’s been a tough morning for the professional network LinkedIn when it comes to security. A hacker has stolen and published around 6.5 million hashed passwords from the company, following security revelations regarding the way LinkedIn’s mobile app handles your calendar data.

A Russian hacker uploaded the hashed passwords (meaning they’re protected and not just plain text) to a forum this morning, requesting help to get them deciphyered. Several security researchers say the leak is likely legitimate, including researcher Per Thorsheim.

Update: LinkedIn has confirmed that some passwords were compromised.

The big takeaway for now: change your LinkedIn password ASAP. If your password is decently sophisticated, the hackers likely won’t be able to unencrypt it, but as always it’s better to be safe about these things. It’s also unclear if the hackers got hold of LinkedIn usernames, which would make it easier for them get into accounts.

Earlier this morning, the Next Web reported that LinkedIn’s calendar feature in its mobile apps transmits data back to the company. LinkedIn shot back with a response quickly, saying that the feature is completely opt-in (though it’s a bit unclear what gets transmitted when you agree to it), and the data is sent over a secure SSL connection (TNW claimed the information was sent over unsecured plain text).

According to LinkedIn’s mobile app head Joff Redfern:

In order to provide our calendar service to those who choose to use it, we need to send information about your calendar events to our servers so we can match people with LinkedIn profiles. That information is sent securely over SSL and we never share or store your calendar information.

In an effort to make that algorithm for matching people with profiles increasingly smarter we pull the complete calendar event, including email addresses of people you are meeting with, meeting subject, location and meeting notes.

To make amends, Redfern says that LinkedIn will no longer collect information stored in the “Meeting Notes” portion of your calendar entries. The company has already updated its Android app, and Redfern says that it has submitted a change to Apple for its iOS app.

We’ve covered extensively how many mobile apps used to take advantage of your address book data, including Path and Instagram (most of which have been updated by now). Considering that the LinkedIn calendar feature was initially opt-in and gathered data that wasn’t very sensitive, I don’t think it was as big of a security risk as other apps to make headlines.

Via The Next Web; Photo via Nan Palmero/Flickr

Design is determining the winners in everything mobile. The most successful players are focusing on one thing: How to make products, services, and devices as compelling and delightful as possible – visually, and experientially. MobileBeat 2012, July 10-11 in San Francisco , is assembling the most elite minds to debate how UI/UX is transforming every aspect of the mobile economy, and where the opportunities lie. Register here.

The largest-ever study on user-selected password security shows that no matter how old you are or what language you speak, your password probably sucks.

The study, conducted by Joseph Bonneau at the University of Cambridge, analyzed the password strength of about 70 million Yahoo users. While the data was protected with hashing and Bonneau was unable to see individual account info, he was still able to measure relative strength of passwords across various demographics like age, gender, and nationality.

“We find surprisingly little variation in guessing difficulty; every identifiable group of users generated a comparably weak password distribution,” Bonneau wrote.

What’s also funny in the study is that when users are prompted to give a debit or credit card number, that had no effect on whether the password associated with the card would be stronger. People with cards associated with their accounts avoid extremely weak passwords like “1234,” but they don’t do much beyond that. We’re sure hackers love that data point.

Another fascinating bit is that no matter what language you speak, your password is almost always weaker than security experts suggest.

“More surprisingly, even seemingly distant language communities choose the same weak passwords and an attacker never gains more than a factor of 2 efficiency gain by switching from the globally optimal dictionary to a population-specific lists,” Bonneau wrote.

The study indicates that the people who have the strongest passwords are also in the same category as folks who change their passwords occasionally. Most people simply keep the same password associated with an account for years, significantly increasing the likelihood of the account being hacked.

Bonneau suggests people chose a randomly selected number at least nine digits long because it will be easy enough to remember like a phone number and still provide a an above-average level of security. He also says that businesses that make people create passwords should make users pick tougher passcodes. “A stricter password selection policy might produce distributions with significantly higher resistance to guessing,” Bonneau wrote.

All this talk of passwords and security is admittedly making me a bit nervous. I’m going to change some passwords today. You should too.

Photo credit: Dino O./Shutterstock

Security company OneID is helping to eliminate one of the weakest links on the internet: the password. The company received $7 million in its first round of funding today, led by Khosla Ventures.

OneID says that to make accounts more secure, we need to change the way we think of our identities online. Currently, most people use “shared secrets” to verify their identity. That is, you choose a username and a password that only you and the website where your account lives know. That combination becomes your identity on the internet, allowing you access wherever you set up accounts. But passwords are very easy to crack, particularly because people create passwords they can easily remember, and often use one password for many different accounts.

Instead of using passwords, OneID founder Steve Kirsch believes we need to use “public key cryptography”. Kirsch explained public key cryptography to VentureBeat as, “I can prove to you that I know a secret without telling you the secret.”

Kirsch’s OneID works by downloading “cryptographic secrets” to your devices. These secrets then create digital signatures that the website you want to access reads. The website never gets hold of your cryptographic secrets, as it is only reading the digital signatures. When you use the “shared secret” or password method, you’re trusting the website not to accidentally blab your secret if it’s hacked. In the case of public keys, your secret is never shared and thus can’t be accessed if a website’s server is hacked.

It could, however, be stolen if a criminal gets access to your device, malware infiltrates the device, or the secrets are phished out of you.

It works similarly to Facebook Connect in that the website you want to access must support OneID logins, and you must have a OneID identity. But why not just use Facebook Connect? Many websites do, as it is touted as a secure verification option, given Facebook has its own security team to watch these points of entry. But OneID founder Steve Kirsch says even these aren’t safe enough. There’s still a username and password involved, and even further, Kirsch says, “you shouldn’t be trusting Facebook with anything.”

According to Kirsch, not even OneID knows the cryptographic secrets that it downloads to your device, whereas Facebook knows your password and could be hacked.

The company was founded in 2011 and has brought on PGP co-founder and Khosla Ventures entrepreneur in residence Alex Doll as chief executive officer. Investors include Khosla Ventures, and North Bridge Venture Partners.

Cryptex image via Shutterstock