The US Could Finally Ban Inane Forced Password Changes

Researchers found a vulnerability in a Kia web portal that allowed them to track millions of cars, unlock doors, honk horns, and even start engines in seconds, just by reading the car’s license plate. The findings are the latest in a string of web bugs that have impacted dozen of carmakers. Meanwhile, a handful of Tesla Cybertrucks have been outfitted for war and are literally being-battle tested by Chechen forces fighting in Ukraine as part of Russia’s ongoing invasion.

As Israel escalates its attacks on Lebanon, civilians on both sides of the conflict have been receiving ominous text messages—and authorities in each country are accusing the other of psychological warfare. The US government has increasingly condemned Russia-backed media outlets like RT for working closely with Russian intelligence—and many digital platforms have removed or banned their content. But they’re still influential and trusted alternative sources of information in many parts of the world.

And there’s more. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

A new draft of the US National Institute of Standards and Technology’s “Digital Identity Guidelines” finally takes steps to eliminate reviled password management practices that have been shown to do more harm than good. The recommendations, which will be mandatory for US federal government entities and serve as guidelines for everyone else, ban the practice of requiring users to periodically change their account passwords, often every 90 days.

The policy of regularly changing passwords evolved out of a desire to ensure that people weren’t choosing easily guessable or reused passwords; but in practice, it causes people to choose simple or formulaic passwords so they will be easier to keep track of. The new recommendations also ban “composition rules,” like requiring a certain number or mix of capital letters, numbers, and punctuation marks in each password. NIST writes in the draft that the goal of the Digital Identity Guidelines is to provide “foundational risk management processes and requirements that enable the implementation of secure, private, equitable, and accessible identity systems.”

The US Department of Justice unsealed charges on Friday against three Iranian men who allegedly compromised Donald Trump’s presidential campaign and leaked stolen data to media outlets. Microsoft and Google warned last month that an Iranian state-sponsored hacking group known as APT42 had targeted both the Joe Biden and Donald Trump presidential campaigns, and successfully breached the Trump campaign. The DOJ claims the hackers compromised a dozen people as part of its operation, including a journalist, a human rights advocate, and several former US officials. More broadly, the US government has said in recent weeks that Iran is attempting to interfere in the 2024 election.

“The defendants’ own words made clear that they were attempting to undermine former President Trump’s campaign in advance of the 2024 U.S. presidential election,” Attorney General Merrick Garland said at a press conference on Friday. “We know that Iran is continuing with its brazen efforts to stoke discord, erode confidence in the US electoral process, and advance its malign activities.”

The Irish Data Protection Commission fined Meta €91 million, or roughly $101 million, on Friday for a password storage lapse in 2019 that violated the European Union’s General Data Protection Regulation. Following a report by Krebs on Security, the company acknowledged in March 2019 that a bug in its password management systems had caused hundreds of millions of Facebook, Facebook Lite, and Instagram passwords to be stored without protection in plaintext in an internal platform. Ireland’s privacy watchdog launched its investigation into the incident in April 2019.

“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” Irish DPC deputy commissioner Graham Doyle said in a statement. “It must be borne in mind that the passwords, the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”

The digital anonymity nonprofit the Tor Project is merging with privacy- and anonymity-focused Linux-based operating system Tails. Pavel Zoneff, the Tor Project’s communications director, wrote in a blog post on Thursday that the move will facilitate collaboration and reduce costs, while expanding both groups’ reach. “Tor and Tails provide essential tools to help people around the world stay safe online,” he wrote. “By joining forces, these two privacy advocates will pool their resources to focus on what matters most: ensuring that activists, journalists, other at-risk and everyday users will have access to improved digital security tools.”