Government to roll out passkey technology across digital services as an alternative to SMS-based verification.
Government to roll out passkey technology across digital services as an alternative to SMS-based verification.
Arkadiusz Wargula via Getty Images
Government set to roll out passkey technology across digital services later this year.
SMS-based verification to be replaced by more secure, cost-effective solution.
NCSC joins FIDO Alliance to shape international passkey standards.
The UK government is set to roll out passkey technology for its digital services later this year as an alternative to the current SMS-based verification system, offering a more secure and cost-effective solution that could save several million pounds annually.
Announced on the first day of the government’s flagship cyber security event, CYBERUK, the move to implement passkey technology for the government’s GOV.UK services marks a major step forward in strengthening the nation’s digital security.
Passkeys are unique digital keys that are today tied to specific devices, such as a phone or a laptop, that help users log in safely without needing an additional text message or other code. When a user logs in to a website or app, their device uses this digital key to prove the user’s identity without needing to send a code to a secondary device or to receive user input.
This method is more secure because the key remains stored on the device and cannot be easily intercepted or stolen, making them phishing-resistant by design. As a result, even if someone attempts to steal a password or intercept a code, they would be unable to gain access without the physical device that contains the passkey.
The NCSC considers passkey adoption as vital for transforming cyber resilience at a national scale, and the UK is already leading internationally with the NHS becoming one of the first government organisations in the world to offer passkeys to users.
In addition to enhanced security and cost savings, passkeys offer users a faster login experience, saving approximately one minute per login when compared to entering a username, password, and SMS code.
Today it was discovered that an unknown actor had managed to exploit a vulnerability in Lockbit’s PHPMyAdmin instance (on their console onion site). Apparently they were running PHP 8.1.2 which is vulnerable to an RCE CVE-2024-4577. Which uhh… lol? It probably would have been prudent to do a post-paid penetration test on their own infrastructure at some point.
Further compounding the unfortunate situation, the actor was able to dump their database. This contained, as stated by Bleeping Computer, a number of tables such as bitcoin addresses, data about their build system such as bespoke builds for affiliates, A ‘chats’ table containing negotiation messages, which we’ll go through in a later post. And finally, of interest today, the usernames and passwords of LockBit agents using the console.
Of special importance, making our work markedly easier, these passwords were not hashed. Which sure is a choice, as an organization that performs ransomware attacks.
The vast majority of the passwords in this table as reasonably secure; it’s not solely hilariously weak credentials, but there still are a number that display poor security hygiene.
The weak passwords
Before going into my standard analysis, I’ll list off all of the weak passwords in question, and then we’ll go through the statistics of the whole set. The fun to highlight passwords:
Researchers say the behavior amounts to a persistent backdoor.
rom the department of head scratches comes this counterintuitive news: Microsoft says it has no plans to change a remote login protocol in Windows that allows people to log in to machines using passwords that have been revoked.
Password changes are among the first steps people should take in the event that a password has been leaked or an account has been compromised. People expect that once they've taken this step, none of the devices that relied on the password can be accessed.
The Remote Desktop Protocol—the proprietary mechanism built into Windows for allowing a remote user to log in to and control a machine as if they were directly in front of it—however, will in many cases continue trusting a password even after a user has changed it. Microsoft says the behavior is a design decision to ensure users never get locked out.
Independent security researcher Daniel Wade reported the behavior earlier this month to the Microsoft Security Response Center. In the report, he provided step-by-step instructions for reproducing the behavior. He went on to warn that the design defies nearly universal expectations that once a password has been changed, it can no longer give access to any devices or accounts associated with it.
In iOS 18, Apple spun off its Keychain password management tool—previously only tucked away in Settings—into a standalone app called...
“Passkeys,” the secure authentication mechanism built to replace passwords, are getting more portable and easier for organizations to implement thanks to new initiatives the FIDO Alliance announced on Monday.
Familiar ransomware develops an appetite for passwords to third-party sites
Aqua Nautilus researchers discovered a new variant of Gafgyt targeting machines with weak SSH passwords.
The largest password compilation with nearly ten billion unique passwords was leaked on a popular hacking forum. The Cybernews research team believes the leak poses severe dangers to users prone to reusing passwords.
The king is dead. Long live the king. Cybernews researchers discovered what appears to be the largest password compilation with a staggering 9,948,575,739 unique plaintext passwords. The file with the data, titled rockyou2024.txt, was posted on July 4th by forum user ObamaCare.
TeamViewer says that a recently discovered breach appears to be limited to its internal corporate IT network. The software company has attributed it to a hacking operation associated with Russian intelligence.
Today we loaded 16.5M email addresses and 13.5M unique passwords provided by law enforcement agencies into Have I Been Pwned (HIBP) following botnet takedowns in a campaign they've coined Operation Endgame. That link provides an excellent overview so start there then come back to this blog post which
Microsoft has resolved a security lapse that exposed internal company files and credentials to the open internet.
Security researchers Can Yoleri, Murat Özfidan and Egemen Koçhisarlı with SOCRadar, a cybersecurity company that helps organizations find security weaknesses, discovered an open and public storage server hosted on Microsoft’s Azure cloud service that was storing internal information relating to Microsoft’s Bing search engine.
The Azure storage server housed code, scripts and configuration files containing passwords, keys and credentials used by the Microsoft employees for accessing other internal databases and systems.
A vulnerability has been discovered in the 'util-linux' library that could allow unprivileged users to put arbitrary text on other users' terminals using the 'wall' command.
Three cybersecurity researchers discovered close to 19 million plaintext passwords exposed on the public internet by misconfigured instances of Firebase, a Google platform for hosting databases, cloud computing, and app development.
Roughly 25 million of the passwords have never been seen before by widely used service.
AIOS bills itself as an "all-in-one" security solution. A just-fixed bug undermined that.
Comparing the password strength of 5 hacking forum users that were compromised with info-stealers - Hackforums.net,...
Such credentials in the wrong hands could be dangerous, experts say, potentially allowing physical access to data centers. The affected data center operators say the stolen information didn’t pose risks for customer IT systems.
Bitwarden and other password managers are being targeted in Google ads phishing campaigns to steal users' password vault credentials.
With iOS 16 and macOS Ventura, Apple is introducing passkeys—a more convenient and secure alternative to passwords.
Users often store passwords in third-party software for convenience – but credential gathering techniques can target this behavior.
