Imagine a day where you didn’t have to juggle passwords.
No more sticky notes. No more notebooks with dozens of passwords scribbled in, crossed out, and scribbled in again. No more forgetting and resetting. No more typing them in all the time.
And even better, imagine secure accounts, likely even more secure than you could keep them on your own.
That’s the power of a password manager in your life.
A password manager does the work of creating strong, unique passwords for each and every one of your accounts. And considering the hundred or so accounts you have, that’s something that would take plenty of time if you did all that work on your own.
In all, a password manager can turn the pain of juggling passwords into a real comfort.
Before we get into how a password manager can make your life easier while making your accounts more secure, let’s look at what makes up a bad password. Here are a few examples:
Obvious passwords: Password-cracking programs start by entering a list of common (and arguably lazy) passwords. These may include the simple “password” or “1234567”. Others include common keyboard paths like “qwerty.” Even longer keyboard paths like “qwertyuiop” are well known to hackers and their tools as well.
Dictionary words: Hacking tools also look for common dictionary words strung together, which helps them crack longer passwords in chunks. The same goes for passwords that contain the name of the app or service in them. These are “no brainer” words found in passwords that make passwords even easier to crack.
Repeated passwords: You may think you have such an unbreakable password that you want to use it for all your accounts. However, this means that if hackers compromise one of your accounts, all your other accounts are vulnerable. This is a favorite tactic of hackers. They’ll target less secure accounts and services and then attempt to re-use those credentials on more secure services like online banks and credit card companies.
Personal information passwords: Passwords that include your birthday, dog’s name, or nickname leave you open to attack. While they’re easy for you to remember, they’re also easy for a hacker to discover—such as with a quick trip to your social media profile, particularly if it is not set to private.
If any of the above sounds familiar, you’ll want to replace any of your bad passwords with strong ones.
We can point to three things that make up a strong password and make it difficult to crack.
Your password is:
Long: A longer password is potentially a stronger password when it comes to a “brute force” attack, where a hacker uses an automated trial-and-error system to break it. For example, an eight-character password using uppercase and lowercase letters, numbers, and symbols can get hacked in minutes. Kick it up to 16 characters and it becomes far more difficult to break—provided it doesn’t rely on common words or phrases. McAfee can help you generate a strong password for stronger security with our random password generator.
Complex: To increase the security of your password, it should combine uppercase letters, lowercase letters, symbols, and numbers, as mentioned above.
Unique: Every one of your accounts should have its own password.
Now, apply this to the hundred or so accounts you keep and creating strong passwords for all of them really does call for a lot of work.
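The bad-password patterns listed earlier and the long/complex/unique criteria above, turned into a small checker as an added example (this is not McAfee's code or its password generator). The wordlists and the sample passwords are constructed; a real checker would load full common-password and dictionary lists, and the bit estimate covers only a pure brute-force search, not dictionary or pattern attacks.

```python
import math
import string

# Constructed sample lists standing in for the large wordlists a real checker would load.
COMMON_PASSWORDS = {"password", "1234567", "12345678", "qwerty", "qwertyuiop", "letmein"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
DICTIONARY_WORDS = {"password", "summer", "dragon", "monkey", "welcome", "secret"}
CLASS_SIZES = (26, 26, 10, len(string.punctuation))  # lower, upper, digit, symbol


def char_classes(pw):
    """Which of the four character classes the password actually uses."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    return [any(t(c) for c in pw) for t in tests]


def brute_force_bits(pw):
    """Search-space size in bits for a pure brute-force attack: length * log2(alphabet)."""
    alphabet = sum(n for n, used in zip(CLASS_SIZES, char_classes(pw)) if used)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def keyboard_walk(pw, run=4):
    """True if the password contains `run` adjacent keys from one keyboard row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            frag = row[i:i + run]
            if frag in low or frag[::-1] in low:
                return True
    return False


def weaknesses(pw, service="", personal_terms=(), used_elsewhere=()):
    """Return the list of bad-password patterns the password matches (empty list = none found)."""
    low = pw.lower()
    issues = []
    if low in COMMON_PASSWORDS:
        issues.append("common password")
    if keyboard_walk(pw):
        issues.append("keyboard path")
    if any(word in low for word in DICTIONARY_WORDS):
        issues.append("dictionary word")
    if service and service.lower() in low:
        issues.append("contains service name")
    if any(term.lower() in low for term in personal_terms if term):
        issues.append("personal info")
    if pw in used_elsewhere:
        issues.append("reused password")
    if len(pw) < 16:
        issues.append("shorter than 16 characters")
    if sum(char_classes(pw)) < 3:
        issues.append("low complexity")
    return issues
```

Calling `weaknesses("Rex2019!netflix", service="Netflix", personal_terms=("Rex", "2019"))` flags the service name, the personal terms and the length, while a random 16-character string from all four classes comes back clean at roughly 105 bits versus about 52 bits for its 8-character prefix.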
Given its ease of use and the big security boost it gives you and all your accounts, the answer is yes: a password manager is worth it.
A password manager does the work of creating strong, unique passwords for your accounts. These will take the form of a string of random numbers, letters, and characters. They won’t be memorable, but the manager does the memorizing for you. You only need to remember a single password to access the tools of your manager.
A strong password manager also stores your passwords securely. Our password manager protects your passwords by scrambling them with AES-256, one of the strongest encryption algorithms available. Only you can decrypt and access your info with the factors you choose. Additionally, our password manager uses multi-factor authentication (MFA), so you’ll be verified by at least two factors before being signed in.
Aside from the comfort of convenience a password manager can give you, it gives you another level of assurance—extra protection in an age of data breaches, because you’ll have unique passwords where one compromise won’t lead to others.
And whether or not you go with a password manager to create those strong and unique passwords, make sure you use MFA on every account that offers it. MFA offers another layer of protection by adding another factor into the login process, such as something you own like a text to your phone or notification to an authentication app. That way if a hacker has your password, they’ll still be locked out of your account because they lack that MFA code.
In some cases, you really don’t need some of your old accounts and the passwords that come along with them. Maybe they’re old and unused. Or maybe they were for a one-time purchase at an online store you won’t visit again. Deleting these accounts is a smart move because they’re yet more places where your personal info is stored—and subject to a data breach.
Our Online Account Cleanup can help, which you can find in all our McAfee+ plans. It scans for accounts in your name, gives you a full list, and shows you which types of accounts might be riskier than others. From there you can decide which ones you want to delete, along with the personal info linked to them. In our McAfee+ Ultimate plans, you get full-service Online Account Cleanup, which sends the data deletion requests for you.
Between this and a password manager, you’ll have one less thing to juggle (your passwords) and one less thing to worry about (whether they’re safe from hackers).
The post Why “Strong Passwords” Aren’t Enough Anymore—and What to Do Instead appeared first on McAfee Blog.
Chinese espionage crew Ink Dragon has expanded its snooping activities into European government networks, using compromised servers to create illicit relay nodes for future operations.…
Perhaps it's just the time of year where we all start to wind down a bit, or maybe I'm just tired after another massive 12 months, but this week's vid is way late. Ok, going away to the place that had just been breached (ironic!) didn't help, but I think in general the pace we've maintained this year just needs to come back a bit. That said, I'll try to get this week's and next week's out on time, then it's off on travels for the next four weeks after that. Stay tuned for more IoT problems in a few days from now 🤦♂️
Analytics vendor Mixpanel says it is not the source of data stolen from Pornhub and says the info was last accessed by an employee of the adult site.…
Ad blockers and VPNs are supposed to protect your privacy, but four popular browser extensions have been doing just the opposite. According to research from Koi Security, these pernicious plug-ins have been harvesting the text of chatbot conversations from more than 8 million people and sending them back to the developers.…
A new, modular infostealer called SantaStealer, advertised on Telegram with a basic tier priced at $175 per month, promises to make criminals' Christmas dreams come true. It boasts that it can run "fully undetected" even on systems with the "strictest AntiVirus" and those belonging to governments, financial institutions, and other prime targets.…
Freedom of the Press Foundation is developing Dangerzone, an open-source tool that uses multiple layers of containerization (gVisor, Linux containers) to sanitize untrusted documents. The target users of this tool are people who may be vulnerable to malware attacks, such as journalists and activists. Dangerzone received a favorable security audit in December 2023, but it has never had a bug bounty program until now.
We are kick-starting a limited bug bounty program for this holiday season that challenges the popular adage "containers don't contain". The premise is simple: send Santa a naughty letter, and his team of elves will run it through Dangerzone. If your letter breaks a containerization layer by capturing a flag, you get the associated bounty. Have fun!
For the past several years I've been trying intermittently to get Cross Translation Unit taint analysis with clang static analyzer working for Firefox. While the efforts _have_ found some impactful bugs, overall the project has burnt out because of too many issues in LLVM we are unable to overcome.
Not everything you do succeeds, and I think it's important to talk about what _doesn't_ succeed just as much as (if not more than) what does.
With the help of an LLVM contractor, we've authored this post to talk about our attempts, and some of the issues we'd run into.
I'm optimistic that people will get CTU taint analysis working on projects the size of Firefox, and if you do, well I guess I'll see you in the bounty committee meetings ;)
Hey everyone, I saw this report on Hacker News, about a pretty serious privacy breach involving the Urban VPN Proxy browser extension and several other extensions from the same publisher.
According to the research:
What’s especially concerning is that Urban VPN advertises an “AI protection” feature, but that doesn’t prevent data harvesting - the extension just warns you about sharing data while quietly exfiltrating it.
If you’ve ever used this extension and chatted with an AI, it’s worth uninstalling it and treating those interactions as compromised.
Link to the report:
https://www.koi.ai/blog/urban-vpn-browser-extension-ai-conversations-data-collection
Would love to hear thoughts on this.
Direct navigation — the act of visiting a website by manually typing a domain name in a web browser — has never been riskier: A new study finds the vast majority of “parked” domains — mostly expired or dormant domain names, or common misspellings of popular websites — are now configured to redirect visitors to sites that foist scams and malware.
A lookalike domain to the FBI Internet Crime Complaint Center website returned a non-threatening parking page (left), whereas a mobile user was instantly directed to deceptive content in October 2025 (right). Image: Infoblox.
When Internet users try to visit expired domain names or accidentally navigate to a lookalike “typosquatting” domain, they are typically brought to a placeholder page at a domain parking company that tries to monetize the wayward traffic by displaying links to a number of third-party websites that have paid to have their links shown.
A decade ago, ending up at one of these parked domains came with a relatively small chance of being redirected to a malicious destination: In 2014, researchers found (PDF) that parked domains redirected users to malicious sites less than five percent of the time — regardless of whether the visitor clicked on any links at the parked page.
But in a series of experiments over the past few months, researchers at the security firm Infoblox say they discovered the situation is now reversed, and that malicious content is by far the norm now for parked websites.
“In large scale experiments, we found that over 90% of the time, visitors to a parked domain would be directed to illegal content, scams, scareware and anti-virus software subscriptions, or malware, as the ‘click’ was sold from the parking company to advertisers, who often resold that traffic to yet another party,” Infoblox researchers wrote in a paper published today.
Infoblox found parked websites are benign if the visitor arrives at the site using a virtual private network (VPN), or else via a non-residential Internet address. For example, Scotiabank.com customers who accidentally mistype the domain as scotaibank[.]com will see a normal parking page if they’re using a VPN, but will be redirected to a site that tries to foist scams, malware or other unwanted content if coming from a residential IP address. Again, this redirect happens just by visiting the misspelled domain with a mobile device or desktop computer that is using a residential IP address.
According to Infoblox, the person or entity that owns scotaibank[.]com has a portfolio of nearly 3,000 lookalike domains, including gmai[.]com, which demonstrably has been configured with its own mail server for accepting incoming email messages. Meaning, if you send an email to a Gmail user and accidentally omit the “l” from “gmail.com,” that missive doesn’t just disappear into the ether or produce a bounce reply: It goes straight to these scammers. The report notes that this domain has also been leveraged in multiple recent business email compromise campaigns, using a lure indicating a failed payment with trojan malware attached.
Infoblox found this particular domain holder (betrayed by a common DNS server — torresdns[.]com) has set up typosquatting domains targeting dozens of top Internet destinations, including Craigslist, YouTube, Google, Wikipedia, Netflix, TripAdvisor, Yahoo, eBay, and Microsoft. A defanged list of these typosquatting domains is available here (the dots in the listed domains have been replaced with commas).
David Brunsdon, a threat researcher at Infoblox, said the parked pages send visitors through a chain of redirects, all while profiling the visitor’s system using IP geolocation, device fingerprinting, and cookies to determine where to redirect domain visitors.
“It was often a chain of redirects — one or two domains outside the parking company — before threat arrives,” Brunsdon said. “Each time in the handoff the device is profiled again and again, before being passed off to a malicious domain or else a decoy page like Amazon.com or Alibaba.com if they decide it’s not worth targeting.”
Brunsdon said domain parking services claim the search results they return on parked pages are designed to be relevant to their parked domains, but that almost none of this displayed content was related to the lookalike domain names they tested.
Samples of redirection paths when visiting scotaibank dot com. Each branch includes a series of domains observed, including the color-coded landing page. Image: Infoblox.
Infoblox said a different threat actor who owns domaincntrol[.]com — a domain that differs from GoDaddy’s name servers by a single character — has long taken advantage of typos in DNS configurations to drive users to malicious websites. In recent months, however, Infoblox discovered the malicious redirect only happens when the query for the misconfigured domain comes from a visitor who is using Cloudflare’s DNS resolvers (1.1.1.1), and that all other visitors will get a page that refuses to load.
The researchers found that even variations on well-known government domains are being targeted by malicious ad networks.
“When one of our researchers tried to report a crime to the FBI’s Internet Crime Complaint Center (IC3), they accidentally visited ic3[.]org instead of ic3[.]gov,” the report notes. “Their phone was quickly redirected to a false ‘Drive Subscription Expired’ page. They were lucky to receive a scam; based on what we’ve learnt, they could just as easily receive an information stealer or trojan malware.”
The Infoblox report emphasizes that the malicious activity they tracked is not attributed to any known party, noting that the domain parking or advertising platforms named in the study were not implicated in the malvertising they documented.
However, the report concludes that while the parking companies claim to only work with top advertisers, the traffic to these domains was frequently sold to affiliate networks, who often resold the traffic to the point where the final advertiser had no business relationship with the parking companies.
Infoblox also pointed out that recent policy changes by Google may have inadvertently increased the risk to users from direct search abuse. Brunsdon said Google AdSense previously defaulted to allowing its ads to be placed on parked pages, but that in early 2025 Google implemented a default setting that opted customers out of presenting ads on parked domains—requiring the person running the ad to voluntarily go into their settings and turn on parking as a location.
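Since the redirects described above only fire from residential addresses, the safer place to catch these lookalikes is in your own resolver logs before anyone lands on them. The following is an added example, not Infoblox's tooling: it flags queries for names one typo (including a transposition such as scotaibank) or one TLD swap (ic3.org for ic3.gov) away from a watchlist of protected domains. The watchlist and log lines are constructed; domaincontrol.com is assumed to be the GoDaddy name-server domain that domaincntrol[.]com imitates, and the label/TLD split assumes two-label names.

```python
# Protected brand domains; the lookalikes in the log are the ones Infoblox describes above.
# domaincontrol.com is GoDaddy's name-server domain (an assumption about what domaincntrol.com imitates).
PROTECTED = ("scotiabank.com", "gmail.com", "ic3.gov", "domaincontrol.com")

# Constructed resolver log lines: timestamp, client IP, query name, query type.
DNS_LOG = """\
2025-10-02T12:00:01Z 192.0.2.10 scotiabank.com A
2025-10-02T12:00:03Z 192.0.2.10 scotaibank.com A
2025-10-02T12:01:17Z 192.0.2.22 gmai.com MX
2025-10-02T12:02:40Z 192.0.2.31 ic3.org A
2025-10-02T12:03:05Z 192.0.2.31 example.net A
2025-10-02T12:04:50Z 192.0.2.44 domaincntrol.com NS
"""

def osa_distance(a, b):
    """Edit distance counting an adjacent transposition as one edit (scotaibank vs scotiabank = 1)."""
    d = [[i] + [0] * len(b) for i in range(len(a) + 1)]
    d[0] = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def split_name(domain):
    """Naive split into registrable label and TLD; assumes two-label names (no public-suffix list)."""
    label, _, tld = domain.lower().rstrip(".").rpartition(".")
    return label, tld

def classify(domain, protected=PROTECTED):
    """None for an exact protected domain or an unrelated name, else (reason, brand it imitates)."""
    label, tld = split_name(domain)
    for brand in protected:
        blabel, btld = split_name(brand)
        if label == blabel:                      # same brand label: genuine, or a TLD swap like ic3.org
            return None if tld == btld else ("tld-swap", brand)
        if osa_distance(label, blabel) == 1:     # one typo away, e.g. gmai.com, domaincntrol.com
            return ("typo", brand)
    return None

def scan_log(log=DNS_LOG, protected=PROTECTED):
    """Return (client, queried name, imitated brand, reason) for every lookalike query in the log."""
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 4:                      # skip blank or malformed lines
            continue
        client, qname = fields[1], fields[2]
        verdict = classify(qname, protected)
        if verdict:
            hits.append((client, qname, verdict[1], verdict[0]))
    return hits
```

Against the constructed log, `scan_log()` returns the four lookalike queries and ignores the genuine scotiabank.com lookup and example.net; a short brand label such as ic3 will match more one-edit neighbours than a long one, so tune the watchlist accordingly.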
Three very different companies have now confirmed data breaches affecting millions of users – each insisting the damage stopped well short of passwords and payment details.…
New MI6 chief Blaise Metreweli outlined her vision for technology-augmented intelligence gathering in her first public speech on December 15, warning that the UK operates "in a space between peace and war."…
Sponsored Post: Managing cybersecurity risk has never been simple, but in today's threat landscape it can also become a source of strength. PwC believes that AI is now central to that transformation, helping organizations not just react faster to attacks, but evolve their defences with greater confidence.…
Music hosting and streaming service SoundCloud has admitted it suffered a cyberattack.…
Posted by Egidio Romano on Dec 15
Posted by Egidio Romano on Dec 15
Posted by Onur Tezcan via Fulldisclosure on Dec 15: [Attack Vectors]
Posted by Onur Tezcan via Fulldisclosure on Dec 15: [Attack Vectors]
Posted by Onur Tezcan via Fulldisclosure on Dec 15: [Attack Vectors]
Posted by Onur Tezcan via Fulldisclosure on Dec 15: [Attack Vectors]
Posted by Onur Tezcan via Fulldisclosure on Dec 15: [Attack Vectors]
Posted by Yuffie Kisaragi via Fulldisclosure on Dec 15: UPDATE:
Posted by Apple Product Security via Fulldisclosure on Dec 15: APPLE-SA-12-12-2025-9 Safari 26.2
Posted by Apple Product Security via Fulldisclosure on Dec 15: APPLE-SA-12-12-2025-8 visionOS 26.2
Posted by Apple Product Security via Fulldisclosure on Dec 15: APPLE-SA-12-12-2025-7 watchOS 26.2
Posted by Apple Product Security via Fulldisclosure on Dec 15: APPLE-SA-12-12-2025-6 tvOS 26.2
Posted by Apple Product Security via Fulldisclosure on Dec 15: APPLE-SA-12-12-2025-5 macOS Sonoma 14.8.3
Posted by Apple Product Security via Fulldisclosure on Dec 15: APPLE-SA-12-12-2025-4 macOS Sequoia 15.7.3
Posted by Apple Product Security via Fulldisclosure on Dec 15: APPLE-SA-12-12-2025-3 macOS Tahoe 26.2