Palo Alto’s crosswalk signals were hacked last year. Turns out the city never
changed the default passwords.
Tag - passwords
Look at this: McDonald’s chose the password “123456” for a major corporate
system.
These two Linux crash-handling vulnerabilities are interesting:
> Tracked as CVE-2025-5054 and CVE-2025-4598, both vulnerabilities are race
> condition bugs that could enable a local attacker to obtain access to
> sensitive information. Tools like Apport and systemd-coredump are designed to
> handle crash reporting and core dumps in Linux systems.
>
> […]
>
> “This means that if a local attacker manages to induce a crash in a privileged
> process and quickly replaces it with another one with the same process ID that
> resides inside a mount and pid namespace, apport will attempt to forward the
> core dump (which might contain sensitive information belonging to the
> original, privileged process) into the namespace.”...
The first password on the Arpanet was created in 1973 by Peter Kirstein:
> So from the beginning I put password protection on my gateway. This had been
> done in such a way that even if UK users telephoned directly into the
> communications computer provided by Darpa in UCL, they would require a
> password.
>
> In fact this was the first password on Arpanet. It proved invaluable in
> satisfying authorities on both sides of the Atlantic for the 15 years I ran
> the service during which no security breach occurred over my link. I also
> put in place a system of governance that any UK users had to be approved by a
> committee which I chaired but which also had UK government and British Post
> Office representation...
Stuart Schechter makes some good points on the history of bad password policies:
> Morris and Thompson’s work brought much-needed data to highlight a problem
> that lots of people suspected was bad, but that had not been studied
> scientifically. Their work was a big step forward, if not for two mistakes
> that would impede future progress in improving passwords for decades.
>
> First was Morris and Thompson’s confidence that their solution, a password
> policy, would fix the underlying problem of weak passwords. They incorrectly
> assumed that if they prevented the specific categories of weakness that they
> had noted, that the result would be something strong. After implementing a
> requirement that passwords have multiple character sets or more total
> characters, they wrote:...
Microsoft is warning Azure cloud users that a Chinese-controlled botnet is
engaging in “highly evasive” password spraying. Not sure about the “highly
evasive” part; the techniques seem to be basically what you get in any
distributed password-guessing attack:
> “Any threat actor using the CovertNetwork-1658 infrastructure could conduct
> password spraying campaigns at a larger scale and greatly increase the
> likelihood of successful credential compromise and initial access to multiple
> organizations in a short amount of time,” Microsoft officials wrote. “This
> scale, combined with quick operational turnover of compromised credentials
> between CovertNetwork-1658 and Chinese threat actors, allows for the potential
> of account compromises across multiple sectors and geographic regions.”...