PasswordsCon

653 Followers
33 Following
129 Posts
Low volume account specifically for PasswordsCon: announcements, events, talks etc. Following a small set of past speakers & a few others.
Account run by https://mastodon.social/@thorsheim

There's so much I don't understand in Dashlane's disclosure that an attack on its user accounts resulted in the threat actor obtaining 20 encrypted vaults.

https://support.dashlane.com/hc/en-us/articles/36038764990866-Security-advisory-Brute-force-attack-on-Dashlane-user-accounts?7194ef805fa2d04b0f7e8c9521f97343

What does it mean to brute force 2fa? Are we talking about TOTPs? That doesn't make sense because TOTPs change every 30-90 seconds, so there's no way for an attacker to meaningfully exhaust key space before it resets all over -- unless the attacker has the ability to pump all 7,700 combinations in <90 seconds, and DL doesn't have any sort of rate limiting.

Also, if the attacker is brute forcing 2fa, doesn't that by necessity mean the attacker already defeated the first factor? How did that occur?

I don't know if my confusion is the result of me not knowing how the Dashlane product works or if it's just Dashlane being opaque.

Can anyone help me read the tea leaves?

Security advisory: Brute force attack on Dashlane user accounts

Published on Monday, June 1, 2026. Update added on Thursday, June 4, 2026, noting completion of the incident investigation with confirmation of no additional impact to Dashlane customers or systems. ...

Dashlane
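The question above turns on how much guessing an online 2FA verifier hands an attacker. As an added example (not part of the post, and not a description of Dashlane's implementation, which the advisory does not detail), the following Python implements RFC 6238 TOTP with the common 6-digit, 30-second parameters, a verifier with the usual plus/minus one step acceptance window, and the arithmetic for the attacker's success probability with and without a per-account attempt budget. The window size of 1 and the lockout after 5 failures are illustrative assumptions, not any vendor's configuration; the secret is the RFC 6238 Appendix B test key.

```python
import hashlib
import hmac
import struct

TOTP_STEP = 30    # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6   # code length assumed here; not taken from the advisory

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); constructed test input.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret, unix_time // step)


class TotpVerifier:
    """Server-side check: accept codes from the current step and `window` steps either
    side (clock skew), and lock the account after `max_attempts` consecutive failures.
    The lockout value is an illustrative assumption for this example."""

    def __init__(self, secret: bytes, window: int = 1, max_attempts: int = 5) -> None:
        self.secret = secret
        self.window = window
        self.max_attempts = max_attempts
        self.failures = 0

    def verify(self, code: str, unix_time: int) -> str:
        if self.failures >= self.max_attempts:
            return "locked"           # refuse even a correct code once the budget is spent
        counter = unix_time // TOTP_STEP
        for k in range(-self.window, self.window + 1):
            # constant-time compare so timing does not leak which window step matched
            if hmac.compare_digest(hotp(self.secret, counter + k), code):
                self.failures = 0
                return "ok"
        self.failures += 1
        return "bad"


def brute_force_success_probability(guesses: int, digits: int = TOTP_DIGITS,
                                    window: int = 1) -> float:
    """Probability that an attacker submitting `guesses` uniformly random codes hits one
    of the 2*window+1 codes the verifier currently accepts. Each guess is treated as an
    independent draw from the 10**digits code space, which is accurate enough to show
    why the attempt budget, not the code length, decides the outcome online."""
    accepted_codes = 2 * window + 1
    p_single = accepted_codes / 10 ** digits
    return 1.0 - (1.0 - p_single) ** guesses


if __name__ == "__main__":
    print("TOTP at t=59:", totp(TEST_SECRET, 59))
    v = TotpVerifier(TEST_SECRET)
    print("wrong code:", v.verify("000000", 59), "| correct code:", v.verify("287082", 59))
    # Unthrottled: 10 guesses/second for 24 hours versus a 5-attempt budget.
    print("P(success) after 864,000 guesses:", round(brute_force_success_probability(864_000), 3))
    print("P(success) after 5 guesses:      ", brute_force_success_probability(5))
```

The point the example makes is the one the post is circling: the code does rotate every 30 seconds, but rotation does not help if the verifier accepts an unbounded number of attempts per account, because every guess is an independent draw against whatever codes are valid at that instant. A small per-account attempt budget, enforced server-side and surviving the code rollover, is what removes the exposure.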

Protip: add your name, address, alternative phone number & email to the lockscreen of your phone!

In case you forget it somewhere, it will be so much easier for others to return the phone to you.

This is an exercise I came up with in 2012, and which I have tested on many different groups of people of different ages, with different native languages and from many different countries.

I have a separate video that explains the point of the exercise, but I think you should test yourself a bit before you get to see it. :)

https://youtu.be/p5nTyjYtcK0

Baby elephants love outdoor playtime - a little challenge for you!

YouTube

I have made a video explaining what "SMS Blaster" attacks are, what risk they involve and what you can do to protect yourself against them.

https://youtu.be/NmGDCMGgUiY

What are "SMS Blaster" attacks?

YouTube
Celebrating World Password Day 2026!

YouTube

Data Protection Agencies should have good security, right?

I've scanned almost 160 DPAs around the world using the Dutch Internet Standards Platform @internet_nl to check web, dns and email security.

The results are in, and you won't like them.

https://www.linkedin.com/pulse/data-protection-agencies-dpa-should-have-good-right-per-thorsheim-ecbwe/

Data Protection Agencies (DPA) should have good security, right?

But they don't, and that's not just my personal opinion, but the result of scanning almost 160 DPAs around the world using the excellent free service of the Dutch Internet Standards Platform (Internet.nl), checking their web, DNS and email security.

Lawyers using free mail services like Hotmail, Gmail & iCloud?
Oh yes!

Security, privacy & lawyers' legal obligation to confidentiality?
Good question!

I've written about lawyers in Norway using such services, and my own personal recommendations about it.

https://www.linkedin.com/pulse/lawyers-using-free-email-services-per-thorsheim-4fkee/

Lawyers Using Free Email Services

I have previously written a couple of articles about email security at law firms in Norway & Denmark. I have also written about email security at Apple iCloud, labor unions in Norway, the Norwegian National Security Authority (NSM), the Norwegian Data Protection Authority (Datatilsynet), and the dec

And here we are again.

I predict that people who predict the death of passwords in 2026 will be wrong in their predictions.

My annual X/Twitter thread on this started in 2015: https://x.com/thorsheim/status/1741460079130317311

Per Thorsheim (@thorsheim) on X

Time to repeat myself: I predict that people who predict the death of passwords in 2024 will be wrong in their predictions. Here’s my annual thread on this back to 2015.

X (formerly Twitter)

Maximilian Golla @m33x presenting "Measuring the Risk Password Reuse Poses for a University" at #PasswordsCon in Prague, December 2, 2025.

https://youtu.be/6dEQRwueX98

Maximilian Golla - Measuring the Risk Password Reuse Poses for a University

YouTube

Michal Špaček @spazef0rze presenting his talk "Password Reuse Is a Dumpster Fire – We Brought a Hose" at #PasswordsCon in Prague, December 2, 2025.

https://www.youtube.com/watch?v=AuCNgoDf-5c

Michal Špaček: Password Reuse Is a Dumpster Fire – We Brought a Hose

YouTube