Password Of The Day describes itself as a sort-of "Internet Treasure Hunt." Sign up for their list with your phone number, and they'll send you one text message every day with a random username and password. The login credentials themselves are (supposedly) real; they just won't tell you where that particular combination will work. The discovery part is up to you. But if you're lucky, you might land access to a free account on Spotify, or Steam, or Pornhub, or Headspace, or any other sites. Even if it is technically someone else's account. As they explain in an FAQ on the site:

Every day we are releasing one valid username+password combo to a mystery account. It could be Disney+, Creative Cloud, a bank account with $1000 in it - every day is different. So we give you the login info, but it’s up to you to discover what the account is; it’s like having a key, but not knowing what door it opens. Scour the internet, try your login on all the services you can think of. If you successfully log in, the account is yours!

It's not clear where they're getting this data from, or who's paying for it. But if you want to take the gamble — hey, go for it.

MSCHF, the company behind the list, is a pseudo-internet-performance-art-collective founded by ex-Buzzfeed employees that specializes in viral pranks. Sometimes these function as promotional material for other companies; sometimes they just exist, and maybe go viral, or don't. Read the rest

I use a password manager to deal with my hundreds of different passwords, and it's pretty convenient to use on my phone and laptop. But the Fido (fast identification online) Alliance thinks getting access to your online accounts could be even more convenient and secure by replacing passwords with your trusted devices. From 9To5Mac:

For example, if you try to login to a website on your iPhone, you would enter only your username and it would then send an authentication request to one of your other registered devices, such as an Apple Watch. You could simply tap to authorize. Similarly, when accessing a service on your Mac, you would be able to approve it on your iPhone – and so on.

Although this might sound like weaker security, it’s actually secure. Only one of your own trusted devices can make a request for authentication as you, and only a different one of your own trusted devices can approve that request. An attacker wanting to impersonate you would need physical possession of two of your trusted devices, and to be logged in to both. For example, they would need to have your iPhone and its passcode, and your Mac and its password.

While Apple’s system is limited to its own devices, the alliance wants all manufacturers to sign up to this approach, so you’d also be able to authorize a login on an Android smartphone, Android tablet, Chromebook, Windows PC or any other trusted device.

Image: YouTube Read the rest

Inspired by XKCD's classic diceware strip, a programmer named Alice created an open-source algorithm to randomly generate secure passphrases in Welsh. As difficult as it would be for any human or computer to figure out a nonsense phrase like, "correct horse battery staple," it would be even more difficult to guess, "stwffwl batri ceffyl cywir," especially when there are only about 700,000 Welsh speakers to begin with.

While I'm no cryptologist, I did run a few of the passwords through HowSecureIsMyPassword.net and My1Login.net and they seemed to work out all right. According to those sites, it would take 11 quattuordecillion years or 1 trillion trillion trillion years for a computer to crack "DrefnasidRhyd-y-meirchSefydlogiad6*." Similarly, "GlaeruchdyrauGymreigeiddiaiBarcdir0**" would take 429 tredecillion years, or 94 billion trillion trillion years, respectively.

However, as Alice the programmer warns: "It's probably not a good idea to actually use this, since the wordlist is freely available along with the algorithm being used."

So it might not stop a really clever hacker from getting into your email. But it will almost certainly stop a mythic Welsh dragon from stealing your identity. Probably. I'm assuming their claws are pretty clumsy on the keyboard.

Welsh Password Generator [WheresAlice.info]

Image via Lewis Ogden/Flickr (altered)

*Google Translate tells me this means, "The ford of the horses was arranged." I don't know that I trust it—Google Translate is famously sloppy with the grammar of some Celtic languages—but it certainly sounds epic.

**Similarly, this became "Parkland was a Welsh occupation" which sounds like something you would hear on the Breton version of InfoWars. Read the rest

Ars Technica outlines the case for a policy that might sound counter-intuitive at first: not forcing password rotation. Read the rest

40 years ago, antitrust law put strict limits on mergers and acquisitions, but since the Reagan era, these firewalls have been dismantled, and now the biggest companies grow primarily by snapping up nascent competitors and merging with rivals; Google is a poster-child for this, having only ever created two successful products in-house (search and Gmail), with all other growth coming from acquisitions and mergers. Read the rest

No one knows who wrote this Unisyn optical vote-counting machine manual that has appeared in multiple sites served by the California-based vendor, but only because Unisyn won't comment on whether they wrote it. Read the rest

The porn extortion scam works like this: you get an email from a stranger claiming that he hacked your computer and recorded video of you masturbating to pornography, which he'll release unless you send him some cryptocurrency. Read the rest

Earlier this month on Jimmy Kimmel Live, random people on the street were asked to share their main internet password. Amazingly, some did... on camera, no less.

(Viral Viral Videos) Read the rest

Troy Hunt, proprietor of the Have I Been Pwned? service, has made 306,000,000 known-cracked passwords available as a download -- you can grab the set and make sure that yours isn't among them, as these cracked passwords are the ones that are likely being used by hackers when they do brute-force attacks against encrypted password files. Read the rest

An analysis of passwords found in the 2009 breach of Rockyou -- 32 million accounts -- finds a large number of Biblical references ("jesus"," "heaven", "faith", etc), including a number of Bible verse references ("john316"). Read the rest

I-Dressup is a social media site aimed at teen and tween girls, where users play and interact with fashion. Six days ago, Ars Technica's Dan Goodin contacted I-Dressup to tell them that they were leaking more than 5.5 million cleartext passwords, and that a hacker had already downloaded 2.2 million of them. Read the rest

800,000 usernames and passwords from Brazzers, a giant porn site; 98 million passwords from Rambler.ru ("Russia's Yahoo") and, coming soon, the entire user database for VKontakte/VK.com, Russia's answer to Facebook. Read the rest

Gus the hacker puppeteer writes, "Last weekend was the Hackers On Planet Earth conference (where, ICYMI, Cory was the keynote address). I always come away from HOPE wishing there were easier ways to share what I learned there with friends and family. Fortunately, the Internet Society has been streaming and storing videos of HOPE talks for the past two conferences. (My own talk, on getting into the minds of everyday computer users, should be up there eventually.)" Read the rest

Hate passwords? Google does too, and may begin doing away with conventional passwords on Android devices this year. At Google I/O, the company announced the next steps in its plans to begin using a password alternative: "trust scores" that determine your creds based on various data points. Developed by Google's Google's Advanced Technology and Projects group, the Trust API will roll out to "several very large" financial institutions within the next few weeks. Read the rest

It's World Password Day and you can celebrate it by fixing your crappy passwords. Read the rest

Now that 11.7 million Ashley Madison users' passwords been shown to be crackable, we're learning that password security has not improved since the last giant dump of user passwords. Read the rest

In Tell Me Who You Are, and I Will Tell You Your Lock Pattern, Marte Løge presented some of her Master's Thesis research on the guessability of Android lock-patterns -- and guess what? Read the rest