{"id":34911,"date":"2025-11-23T13:35:22","date_gmt":"2025-11-23T21:35:22","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=34911"},"modified":"2025-11-23T13:35:22","modified_gmt":"2025-11-23T21:35:22","slug":"sb-2025-11-23","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2025\/11\/sb-2025-11-23\/","title":{"rendered":"Security Bits \u2014 23 November 2025"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/google\/google-backpedals-on-new-android-developer-registration-rules\/\">Google backpedals on new Android developer registration rules \u2014 www.bleepingcomputer.com\/\u2026<\/a> (Android is not becoming quite as Apple-like after all \u2014 better for Linux geeks, worse for regular folks)<\/li>\n<\/ul>\n<h2>Deep Dive \u2014 that Cloudflare Outage<\/h2>\n<p>There was quite a bit of disruption on the internet for a few hours this week when Cloudflare suffered a system-wide outage on some of its services. Big-name websites were affected, but so were lots of smaller websites like <code>bartbusschots.ie<\/code> and <code>podfeet.com<\/code>. Some people are assuming we Cloudflare users must really be regretting our choice, but I, for one, am absolutely not. If anything, the way the company responded to this incident has strengthened my trust in them and their services.<\/p>\n<p>I think a lot of the criticism comes down to measuring against the wrong yardstick. The question isn\u2019t <em>&#8220;is Cloudflare perfect?&#8221;<\/em>, but <em>&#8220;is Cloudflare better than I could achieve alone?&#8221;<\/em>. 
When I measure my reliance on the service by that metric, I can give a full-throated <em>\u201cYES!\u201d<\/em> in response!<\/p>\n<p>Cloudflare offer many services, but their three most prominent are:<\/p>\n<ol>\n<li>Authoritative DNS hosting<\/li>\n<li>Website proxying, caching, and protection<\/li>\n<li>Public DNS resolution (<code>1.1.1.1<\/code>)<\/li>\n<\/ol>\n<p>The <code>1.1.1.1<\/code> public DNS resolver was not affected by this outage at all, so we can ignore that for the remainder of this discussion.<\/p>\n<p>When you own your own domain, two or more DNS servers somewhere on the internet need to act as the authoritative source of DNS records for that domain. For your domain to continue to exist on the internet, the control panel powering those servers needs to be secure, and the servers themselves need to be secure and resilient.<\/p>\n<p>A quick DNS query shows that both Allison and I use Cloudflare&#8217;s authoritative DNS service for our domains:<\/p>\n<pre><code>$ dig +short bartbusschots.ie NS\naaron.ns.cloudflare.com.\nsavanna.ns.cloudflare.com.\n$ dig +short podfeet.com NS\nelmo.ns.cloudflare.com.\npat.ns.cloudflare.com.\n$\n<\/code><\/pre>\n<p>Like the public DNS resolver, this authoritative DNS service didn\u2019t go down either. In fact, I\u2019ve never experienced an outage on this service. You also never hear about Cloudflare security flaws compromising people\u2019s domains or anything like that. The simple fact is that Cloudflare are the authoritative DNS provider for many major websites because they\u2019ve earned a stellar reputation!<\/p>\n<p>That leaves just one other major service \u2014 their website proxy service. This is where this week\u2019s disruption happened.<\/p>\n<p>When you run a website, you need to put the content on a web server somewhere on the internet so browsers can access it. The simplest thing to do is to run your own server, which Allison and I have done for decades now. 
Like just about everyone else, we published our websites to the world directly from our servers for years, but today we don&#8217;t. Neither of our websites is accessed directly from the servers powering them; instead, the DNS records for our websites point to Cloudflare IP addresses, adding them as an intermediary between the internet and our websites:<\/p>\n<pre><code>$ dig +short www.bartbusschots.ie\n172.67.198.200\n104.21.13.74\n$ whois 172.67.198.200 | grep 'Organization:'\nOrganization:   Cloudflare, Inc. (CLOUD14)\n$ whois 104.21.13.74 | grep 'Organization:'\nOrganization:   Cloudflare, Inc. (CLOUD14)\n$\n<\/code><\/pre>\n<p>We&#8217;ve clearly complicated things for ourselves by adding this extra layer, so why did we make that choice?<\/p>\n<p>The big reason for me is that the internet is now awash with resource-hogging bots, and only some of them are coded ethically. The ethical ones respect the site owner\u2019s bot policies as expressed in the site\u2019s <code>robots.txt<\/code> file, but the unethical ones don\u2019t. 
This literally costs us site owners money as our servers get overloaded, forcing us to upgrade to beefier, more expensive servers, or move our sites behind proxy services like Cloudflare\u2019s.<\/p>\n<p>Proxy services like Cloudflare\u2019s save server resources in two ways:<\/p>\n<ol>\n<li>They just block the worst of the bots, period!<\/li>\n<li>They cache our server\u2019s responses, so lots of requests get answered by Cloudflare without ever being sent to our servers at all<\/li>\n<\/ol>\n<p>As a bonus extra, Cloudflare also act as a Web Application Firewall (WAF), blocking malicious requests including those matching the most common vulnerabilities catalogued in the <a href=\"https:\/\/owasp.org\/www-project-top-ten\/\">OWASP top 10<\/a>.<\/p>\n<p>Also, if you\u2019re unfortunate enough to be targeted by a denial of service (DOS\/DDOS) attack, Cloudflare is invaluable because their infrastructure can soak up even the biggest attacks and save your site and your server from being blasted off the net!<\/p>\n<p>Finally, if you choose to put in a bit more work and enable enough caching, you can actually mask server outages for a while. That\u2019s a more advanced feature I don\u2019t use with my Bartificer Creations hat on, and not something Allison has invested in for this site either, but lots of organisations use Cloudflare as part of their disaster response (DR) plan.<\/p>\n<p>The bigger your site, the bigger the wins, which explains why John Gruber is also not even slightly tempted to move his <code>daringfireball.net<\/code> site off Cloudflare:<\/p>\n<blockquote><p>\n  <em>&#8220;DF\u2019s overall uptime and the frequency of any sort of performance problems went from good to great when I started relying on Cloudflare as a proxy. Also, in recent years, bot traffic has exploded. (Thanks, AI.) 
I\u2019m pretty sure my server could handle those bursts of traffic on its own, but I sleep better not having to worry about it, because Cloudflare handles mind-boggling amounts of traffic.&#8221;<\/em> \u2014 <a href=\"https:\/\/daringfireball.net\/linked\/2025\/11\/19\/cloudflare-uptime\">John Gruber \u2014 daringfireball.net\/\u2026<\/a>\n<\/p><\/blockquote>\n<p>So this week, Cloudflare&#8217;s web proxying service went down for a while. That&#8217;s <strong>really rare<\/strong>! The key takeaway is not that Cloudflare are not reliable, it&#8217;s that they&#8217;re so reliable most of us can&#8217;t remember the last time they suffered a global outage like this! (They say their last global outage was in 2019)<\/p>\n<p>Just like no software can possibly be bug-free, no infrastructure can possibly be perfect. What matters is your provider&#8217;s competency relative to their rivals, and their response when things go wrong.<\/p>\n<p>There&#8217;s no one better than Cloudflare at doing what Cloudflare does. They have a stellar reputation, and they&#8217;ve earned that through decades of hard work. Cloudflare get an A+ on relative competence!<\/p>\n<p>Because they&#8217;re so good at what they do, there are very few opportunities to judge Cloudflare by how they respond to problems. 
This week, we got one of those rare opportunities, so how did they do?<\/p>\n<ol>\n<li>They had regular updates on their status page throughout the outage<\/li>\n<li>Their error screen very clearly showed the problem was on their side, not the client or server ends, so users knew they were not the problem, and site owners knew they didn&#8217;t need to start troubleshooting their stuff.<\/li>\n<li>They got their most critical services back quite quickly, about 90 minutes of downtime for most sites, and everything was back within just a few hours.<\/li>\n<li>They had a <strong>detailed<\/strong> postmortem published within 12 hours that was simply excellent \u2014 <a href=\"https:\/\/blog.cloudflare.com\/18-november-2025-outage\/\">blog.cloudflare.com\/\u2026<\/a>\n<ol>\n<li>It starts with a human-friendly but accurate description of what actually happened<\/li>\n<li>It gives technical people all the detail they could want<\/li>\n<li>It ends with a genuine apology<\/li>\n<li>It was published and signed by the CEO, no buck-passing!<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p>When I say the postmortem started with a human-friendly explanation, I really do mean it; these are the opening few paragraphs:<\/p>\n<blockquote><p>\n  <strong>The issue was not caused, directly or indirectly, by a cyber attack or malicious activity of any kind.<\/strong>\u00a0Instead, it was triggered by a change to one of our database systems&#8217; permissions which caused the database to output multiple entries into a \u201cfeature file\u201d used by our Bot Management system. That feature file, in turn, doubled in size. The larger-than-expected feature file was then propagated to all the machines that make up our network.<\/p>\n<p>  The software running on these machines to route traffic across our network reads this feature file to keep our Bot Management system up to date with ever changing threats. The software had a limit on the size of the feature file that was below its doubled size. 
That caused the software to fail.<\/p>\n<p>  After we initially wrongly suspected the symptoms we were seeing were caused by a hyper-scale DDoS attack, we correctly identified the core issue and were able to stop the propagation of the larger-than-expected feature file and replace it with an earlier version of the file. Core traffic was largely flowing as normal by 14:30. We worked over the next few hours to mitigate increased load on various parts of our network as traffic rushed back online. As of 17:06 all systems at Cloudflare were functioning as normal.\n<\/p><\/blockquote>\n<p>That&#8217;s followed by this frank and direct apology from the CEO:<\/p>\n<blockquote><p>\n  We are sorry for the impact to our customers and to the Internet in general. Given Cloudflare&#8217;s importance in the Internet ecosystem any outage of any of our systems is unacceptable. That there was a period of time where our network was not able to route traffic is deeply painful to every member of our team. We know we let you down today.\n<\/p><\/blockquote>\n<p>The technical detail is interesting for those into that kind of thing, and surprisingly revealing for such a major provider.<\/p>\n<p>The post ends with the section I was most interested in \u2014 Cloudflare&#8217;s reaction to this outage:<\/p>\n<blockquote><p>\n  Now that our systems are back online and functioning normally, work has already begun on how we will harden them against failures like this in the future. 
In particular we are:<\/p>\n<ul>\n<li>Hardening ingestion of Cloudflare-generated configuration files in the same way we would for user-generated input <\/li>\n<li>Enabling more global kill switches for features <\/li>\n<li>Eliminating the ability for core dumps or other error reports to overwhelm system resources <\/li>\n<li>Reviewing failure modes for error conditions across all core proxy modules<\/li>\n<\/ul>\n<p>  Today was Cloudflare&#8217;s worst outage\u00a0<a href=\"https:\/\/blog.cloudflare.com\/details-of-the-cloudflare-outage-on-july-2-2019\/\">since 2019<\/a>. We&#8217;ve had outages that have made our\u00a0<a href=\"https:\/\/blog.cloudflare.com\/post-mortem-on-cloudflare-control-plane-and-analytics-outage\/\">dashboard unavailable<\/a>. Some that have caused\u00a0<a href=\"https:\/\/blog.cloudflare.com\/cloudflare-service-outage-june-12-2025\/\">newer features<\/a>\u00a0to not be available for a period of time. But in the last 6+ years we&#8217;ve not had another outage that has caused the majority of core traffic to stop flowing through our network.<\/p>\n<p>  An outage like today is unacceptable. We&#8217;ve architected our systems to be highly resilient to failure to ensure traffic will always continue to flow. When we&#8217;ve had outages in the past it&#8217;s always led to us building new, more resilient systems.\n<\/p><\/blockquote>\n<p>I can\u2019t imagine a better response. Few companies manage to get a response like that together in a week; getting that published in less than 12 hours is astonishing. 
They get a resounding A+ from me in this metric too!<\/p>\n<p>If every major provider responded this well to an outage, the internet would be a much more reliable place!<\/p>\n<p>Finally, some levity courtesy of Randall\u202fMunroe at XKCD: <a href=\"https:\/\/xkcd.com\/3170\/\">Service Outage \u2014 xkcd.com\/\u2026<\/a><\/p>\n<h3>Links<\/h3>\n<ul>\n<li>Cloudflare&#8217;s full postmortem \u2014 <a href=\"https:\/\/blog.cloudflare.com\/18-november-2025-outage\/\">blog.cloudflare.com\/\u2026<\/a><\/li>\n<li>A good summary of the postmortem and some insightful comments \u2014  <a href=\"https:\/\/daringfireball.net\/linked\/2025\/11\/19\/cloudflare-prince-portmortem\">John Gruber at daringfireball.net\/\u2026<\/a> <\/li>\n<\/ul>\n<h2>\u2757 Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action, if any stories in this section are relevant to you, there is some action you should take.<\/aside>\n<ul>\n<li><a href=\"https:\/\/isc.sans.edu\/diary\/rss\/32468\">Microsoft Patch Tuesday for November 2025 \u2014 isc.sans.edu\/\u2026<\/a> (Just 80 fixes)\n<ul>\n<li><a href=\"https:\/\/cyberinsider.com\/microsoft-patches-actively-exploited-windows-kernel-zero-day-flaw\/\">Microsoft patches actively exploited Windows kernel zero-day flaw \u2014 cyberinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/cyberinsider.com\/google-fixes-seventh-actively-exploited-chrome-zero-day-of-2025\/\">Google Fixes Seventh Actively Exploited Chrome Zero-Day of 2025 \u2014 cyberinsider.com\/\u2026<\/a><\/li>\n<li>\u26a0\ufe0f <strong>Synology Owners:<\/strong> <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/synology-fixes-beestation-zero-days-demoed-at-pwn2own-ireland\/\">Synology fixes BeeStation zero-days demoed at Pwn2Own Ireland \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>\u26a0\ufe0f <strong>ASUS Router Owners:<\/strong> <a 
href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/asus-warns-of-critical-auth-bypass-flaw-in-dsl-series-routers\/\">ASUS warns of critical auth bypass flaw in DSL series routers \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>\u26a0\ufe0f <strong>D-Link Router Owners:<\/strong> <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/d-link-warns-of-new-rce-flaws-in-end-of-life-dir-878-routers\/\">D-Link warns of new RCE flaws in end-of-life DIR-878 routers \u2014 www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li>If you have one of these routers, it&#8217;s time to scrap it!<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>\ud83e\uddef <a href=\"https:\/\/appleinsider.com\/articles\/25\/11\/21\/public-anxiety-about-apples-digital-id-greatly-overstates-actual-risks\">Public anxiety about Apple&#8217;s Digital ID greatly overstates actual risks \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li>There is an uptick in scams targeting people whose iPhones have been stolen \u2013 <a href=\"https:\/\/cyberinsider.com\/new-apple-id-scheme-targets-owners-of-stolen-iphone-devices\/\">cyberinsider.com\/\u2026<\/a>\n<ul>\n<li>The attack is impactful because the attackers really do have the victim&#8217;s lost\/stolen phones<\/li>\n<li>The problem is they&#8217;re not trying to help, they&#8217;re trying to trick the victims into releasing the activation lock so they can resell the stolen phone as new<\/li>\n<li>If you&#8217;re unlucky enough to lose your phone, don&#8217;t follow any instructions in any unsolicited messages, and definitely don&#8217;t reply with any codes or passwords or log into any websites you are asked to!<\/li>\n<li>Contact Apple support directly yourself before doing anything!<\/li>\n<\/ul>\n<\/li>\n<li><a 
href=\"https:\/\/appleinsider.com\/articles\/25\/11\/19\/an-ingenious-apple-service-hoax-is-convincing-users-their-account-is-under-attack\">An ingenious Apple Service hoax is convincing users their account is under attack \u2014 appleinsider.com\/\u2026<\/a>\n<ul>\n<li>Many of the alerts were genuine Apple alerts because the attackers were trying to use Apple&#8217;s actual account recovery features to take over the victim&#8217;s account<\/li>\n<li>The clever part was how the attackers intermixed scam SMS messages with the legitimate Apple messages (they were triggering the Apple messages so they could control the timings of everything)<\/li>\n<li>The SMS messages from a random Atlanta number and the non-Apple domain name should have been red flags.<\/li>\n<\/ul>\n<\/li>\n<li>Beware cheap Android photo frames \ud83d\ude41 \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/popular-android-based-photo-frames-download-malware-on-boot\/\">www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li>> &#8220;Uhale Android-based digital picture frames come with multiple critical security vulnerabilities and some of them\u00a0download and execute malware at boot time.&#8221;<\/li>\n<li>> &#8220;It is recommended that consumers only buy electronic devices from reputable brands that use official Android images without firmware modifications, Google Play services, and built-in malware protections.&#8221;<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/cyberinsider.com\/whatsapp-flaw-allowed-researchers-to-scrape-data-of-3-5-billion-users\/\">WhatsApp flaw allowed researchers to scrape data of 3.5 billion users \u2014 cyberinsider.com\/\u2026<\/a>\n<ul>\n<li>> &#8220;the company claimed the exposed data was already public and emphasized that message content remained protected by encryption. 
Nonetheless, the researchers argue that the ability to generate a global user database, including cryptographic keys, poses substantial risks to user safety, especially in repressive regimes.&#8221;<\/li>\n<li>Real takeaway is that if you make any part of your profile public, it really is public, even if you don\u2019t think of WhatsApp as social messaging<\/li>\n<li>If you <strong>need<\/strong> privacy, use Signal!<\/li>\n<\/ul>\n<\/li>\n<li>Google are starting to train their AI on user email content, and in much of the world, it&#8217;s <strong>opt-out<\/strong>! \u2014 <a href=\"https:\/\/appleinsider.com\/inside\/macos\/tips\/google-wants-to-use-your-emails-to-train-its-ai----heres-how-to-turn-that-off\">appleinsider.com\/\u2026<\/a>\n<ul>\n<li>The US is opt-out<\/li>\n<li>Privacy laws make a real difference, though, because in the EU, Japan, Switzerland, and the UK it&#8217;s opt-in (as it should be everywhere!)<\/li>\n<li>Allison&#8217;s guide (made with <a href=\"https:\/\/folge.me\">Folge<\/a>) to opting out of Google&#8217;s AI training on Gmail and other Google Workspace services \u2013 share with your friends and family: https:\/\/www.podfeet.com\/misc\/gmail-opt-out-ai-training-A.pdf<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>Passkey support continues to grow:\n<ul>\n<li><a href=\"https:\/\/cyberinsider.com\/windows-11-integrates-native-support-for-bitwarden-and-1password\/\">Windows 11 integrates native support for Bitwarden and 1Password \u2014 cyberinsider.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/cyberinsider.com\/bitwarden-brings-passkey-login-support-to-chrome-extension\/\">Bitwarden brings passkey login support to Chrome extension \u2014 cyberinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/cyberinsider.com\/firefox-145-introduces-stronger-user-fingerprinting-protection\/\">Firefox 145 introduces stronger user fingerprinting protection \u2014 cyberinsider.com\/\u2026<\/a> (Makes tracking harder 
by making each copy of Firefox less unique)<\/li>\n<li><a href=\"https:\/\/cyberinsider.com\/meta-rolls-out-key-transparency-to-strengthen-encryption-on-messenger\/\">Meta rolls out key transparency to strengthen encryption on Messenger \u2014 cyberinsider.com\/\u2026<\/a><\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 <a href=\"https:\/\/cyberinsider.com\/fcc-dismantles-telecom-cybersecurity-rules-despite-espionage-fallout\/\">FCC dismantles telecom cybersecurity rules despite espionage fallout \u2014 cyberinsider.com\/\u2026<\/a> \ud83e\udd2f\n<ul>\n<li>> &#8220;The rollback dismantles the only concrete federal cybersecurity measures enacted after the Salt Typhoon breach, which compromised sensitive communications data across major US telecom networks.&#8221;<\/li>\n<li>> &#8220;The agency will instead rely on a voluntary, industry-led model with no enforceable standards, no certification requirements, and no formal accountability.&#8221;<\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\uddea\ud83c\uddfa <a href=\"https:\/\/cyberinsider.com\/eu-proposes-gdpr-overhaul-redefining-personal-data-and-consent-rules\/\">EU proposes GDPR overhaul redefining personal data and consent rules \u2014 cyberinsider.com\/\u2026<\/a>\n<ul>\n<li>Mostly boring practical stuff to refine the balance between user protection and ease of doing business<\/li>\n<li>The big user-facing change is a complete revamp of the cookie rules \u2014 should add legal weight to something like the Do-not-track HTTP header, and sites will need to honour your cookie banner decisions for six months, so expect fewer banners if these proposals go into effect<\/li>\n<li><a href=\"https:\/\/www.osano.com\/articles\/2026-ccpa-amendments\">2026 CCPA Amendments: New Privacy Rules in California<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Top Tips<\/h2>\n<aside class=\"small-aside\">Tips, tricks, or advice that are likely to be useful to the NosillaCast audience or the family members and friends whose IT they support.<\/aside>\n<ul>\n<li><a 
href=\"https:\/\/www.cultofmac.com\/how-to\/phone-addiction-how-to-make-iphone-less-addictive\">10 tricks to kick your iPhone addiction \u2014 www.cultofmac.com\/\u2026<\/a>\n<ul>\n<li>I&#8217;ve been doing most of this since COVID, and it&#8217;s really helped my mental health!<\/li>\n<li>The last few are silly and seem to be there just to get to a round number<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>A great example of why needless backwards compatibility is dangerous: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/decades-old-finger-protocol-abused-in-clickfix-malware-attacks\/\">Decades-old \u2018Finger\u2019 protocol abused in ClickFix malware attacks \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>A great example of secure-by-default languages making everyone safer: <a href=\"https:\/\/thehackernews.com\/2025\/11\/rust-adoption-drives-android-memory.html\">Rust Adoption Drives Android Memory Safety Bugs Below 20% for First Time \u2014 thehackernews.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>From Allison &#8211; not really a happy story but &#8230;\n<ul>\n<li>Nordpass publishes <a href=\"https:\/\/nordpass.com\/most-common-passwords-list\/\">Top 200 Most Common Passwords: Generations change, password habits remain<\/a> <\/li>\n<li>123456 still takes the top spot<\/li>\n<li>No discernible difference in passwords between 18 and 80-year-olds<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link, it is the title of the page being linked to, when the text describing a link is not part of the link, it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th 
align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">\ud83c\udfa7<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\u2757<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcca<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83e\uddef<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> \ud83d\ude42<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcb5<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udccc<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa9<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa6<\/td>\n<td align=\"left\">A link to <strong>video content<\/strong>.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. 
Google backpedals on new Android developer registration rules \u2014 www.bleepingcomputer.com\/\u2026 (Android is not becoming quite as Apple-like after all \u2014 better for Linux geeks, worse for regular folks) Deep Dive \u2014 that Cloudflare Outage [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":28385,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[4807,7689,7685,7686,7687,7688,7692,7691,7690,7693],"class_list":["post-34911","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-apple-security","tag-chrome-zero-day","tag-cloudflare-outage","tag-cybersecurity-news","tag-dns-security","tag-microsoft-patch-tuesday","tag-passkey-adoption","tag-privacy-tips","tag-router-vulnerabilities","tag-tech-podcast"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/05\/Security-Bits-Logo_1040x520.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/34911","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=34911"}],"version-history":[{"count":3,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/34911\/revisions"}],"predecessor-version":[{"id":34914,"href":"https:\/\/www.p
odfeet.com\/blog\/wp-json\/wp\/v2\/posts\/34911\/revisions\/34914"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/28385"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=34911"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=34911"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=34911"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}