Chipp.in Tech News and Reviews

Windows, Security & Privacy, Open Source and more


Category: Security & Privacy

KeePass 2.61 is out: here is what is new

Posted on March 5, 2026 by Martin Brinkmann

You probably know that KeePass is still my favorite password manager and that I do not save passwords in a browser or cloud-based location. It is a free Windows-based local password manager that does not restrict passwords and can be extended easily thanks to its open system. Other developers have created apps for all kinds of operating systems.

KeePass 2.61 is the latest version that got released earlier today. The new version adds new features and improvements, including several that make the password manager more versatile or secure.

As always, while you can configure KeePass to inform you about updates, you do need to download the new version from the developer website manually, as it does not include automatic update functionality. The new version should upgrade without any issues.

The main improvements of KeePass 2.61

One of the main improvements is update-related. Checks for new updates are now performed before a database is opened. Furthermore, if the master key prompt is opened, it will now also indicate that an update is available with an icon. You can toggle the feature under Options > Advanced.

The built-in one-time password generation capabilities have received several changes:

  • White-space characters are now automatically removed when pasting shared secrets, if the encoding is Base16/Hex, Base32 or Base64.
  • New buttons in the one-time password generator to copy the passwords to the clipboard.
  • The settings dialog supports displaying history entries now.

Other than that, you get improved saving of active databases to local files, multi-location/file synchronization options, and multiple attempts at entering the master key when a database is exported. Previously, users had to re-open the option to try again if the master password was incorrect.

The changelog lists a solid number of improvements next to that, which are mostly minor changes. One of the main changes is that searches are now more tolerant by default in almost any location. You can check the full list in the changelog linked at the top.

Ultimately, KeePass 2.61 doesn’t try to fix what isn’t broken; instead, it polishes the edges of a tool built for those who value total sovereignty over their digital keys.

The March 2026 Android Security update is here and you should install it asap (if you can)

Posted on March 4, 2026 by Martin Brinkmann

Google released this month’s big security update for Android. It fixes a total of 129 vulnerabilities, including one that is actively exploited in the wild.

As is the case with these updates, they are not published immediately to all Android devices. Pixel devices do get them first, usually, before other manufacturers start pushing them out. Even then, your device may not receive them for weeks or even months, depending on how the manufacturer handles these updates.

Google describes the most severe of the patched issues in the following way:

The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

The vulnerability affects more than 200 different Qualcomm chips and has the identifier CVE-2026-21385.

Google does not reveal how the vulnerability is exploited in the wild, but it says that it is aware of “limited, targeted exploitation” of the issue. Users should exercise caution on devices without the March 2026 patch update.

You can check the full list of patches here. Check your manufacturer’s support website to find out when your device may be getting the update. Samsung users, for instance, find the full listing on the Samsung Mobile website.


Research: It appears that AI is very bad at generating secure passwords

Posted on February 23, 2026 by Martin Brinkmann

If you can’t come up with a secure password by yourself — and don’t use a password manager for that task (which most should) — then you may have come up with the idea of asking AI to give you a hand in generating secure passwords.

Cybersecurity firm Irregular published research on how that turned out for them during tests, and the result is anything but pretty.

When it asked large language models such as Claude, Gemini or GPT to generate secure passwords, it found “predictable patterns in password characters, repeated passwords, and passwords that are much weaker than they seem”.

While individual 16 character passwords looked strong, the researchers soon discovered that generating passwords multiple times would reveal the weaknesses of the approach.

Take Claude Opus 4.6 for example. When asked to generate 50 passwords, the researchers discovered several noticeable patterns:

  • Of the 50 passwords, only 30 were unique. One password was repeated 18 times.
  • All passwords started with a letter, usually uppercase G, almost always followed by the digit 7.
  • Character choice was very uneven, with some appearing in nearly all passwords and others rarely.
  • No repeating characters in any of the generated passwords.

ChatGPT did not fare much better. It created passwords with strong similarities. Most passwords started with the uppercase letter V, almost half continued with an uppercase Q.

Passwords generated by Gemini showed clear patterns as well. Almost half the passwords started with uppercase K or lowercase k, usually followed by one of the characters #, P or 9.

All AIs tested generated predictable passwords, which makes it easier for attackers to brute force them. The researchers conclude that “people and coding agents should not rely on LLMs to generate passwords”.

Passwords generated through direct LLM output are fundamentally weak, and this is unfixable by prompting or temperature adjustments: LLMs are optimized to produce predictable, plausible outputs, which is incompatible with secure password generation.
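As an added illustration (not code from the article or from the Irregular research), the following Python sketch audits a batch of passwords for the batch-level patterns described above and compares it with output drawn from the operating system's CSPRNG via the `secrets` module. `SAMPLE` is a constructed batch that only mimics the described "G7" prefix pattern, not real model output, and the function names are assumptions.

```python
import math
import secrets
import string
from collections import Counter

# 94 printable ASCII symbols: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample, NOT real LLM output: it only imitates the kind of
# pattern described in the article (shared prefix, repeated passwords).
_REPEATED = "G7$kL9#mQ2&xP4!w"
SAMPLE = [_REPEATED] * 4 + [
    "G7#pR2$vN8&mK5!x",
    "G7!xK4@nP9$mL2&q",
    "G7&mN5#kR8$pL3!v",
    "G9$kP4#xM7&nL2!r",
    "K7#mL2$pQ9&xR4!v",
    "g7$nK8#pL3&mX5!q",
]


def csprng_password(length=16):
    """Draw every character independently and uniformly from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def shannon_bits(counter):
    """Empirical Shannon entropy in bits of an observed distribution."""
    total = sum(counter.values())
    return -sum(n / total * math.log2(n / total) for n in counter.values())


def audit(passwords):
    """Measure batch-level weaknesses: repeats and predictable prefixes."""
    total = len(passwords)
    whole = Counter(passwords)
    first = Counter(p[0] for p in passwords)
    prefix = Counter(p[:2] for p in passwords)
    top_first, top_first_n = first.most_common(1)[0]
    top_prefix, top_prefix_n = prefix.most_common(1)[0]
    max_repeats = whole.most_common(1)[0][1]
    return {
        "total": total,
        "unique": len(whole),
        "max_repeats": max_repeats,
        # Min-entropy: how likely the single best guess is to be right.
        # It is capped at log2(total), so small batches understate a
        # good generator but still expose a bad one.
        "min_entropy_bits": -math.log2(max_repeats / total),
        "top_first_char": top_first,
        "top_first_share": top_first_n / total,
        "top_prefix": top_prefix,
        "top_prefix_share": top_prefix_n / total,
        # A uniform choice over ALPHABET would approach log2(94) = 6.55
        # bits as the batch grows.
        "first_char_bits": shannon_bits(first),
    }


if __name__ == "__main__":
    batches = {
        "constructed biased sample": SAMPLE,
        "secrets (CSPRNG), 50 passwords": [csprng_password() for _ in range(50)],
    }
    for name, batch in batches.items():
        print(name)
        for key, value in audit(batch).items():
            shown = f"{value:.3f}" if isinstance(value, float) else value
            print(f"  {key:18} {shown}")
```

A batch in which one password or one prefix dominates has a min-entropy of only a few bits, regardless of how complex each individual 16-character string looks.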

Conclusion

Most computer users may want to stick to password managers as the go-to apps when it comes to generating strong passwords. There are free and paid solutions, local and cloud-based, something for every use case out there.

No Login? No Problem: 5 Google Maps Alternatives That Respect Your Privacy

Posted on February 19, 2026 by Martin Brinkmann

If you have used Google Maps until now without a Google account, then you may have noticed that something is off in the past couple of days.

When I launched Google Maps today in Firefox, I immediately noticed that Google was limiting information. Listings did not include user reviews anymore among other things, and Google displayed a disheartening “You’re seeing a limited view of Google Maps” and “Get the most out of Google Maps. Sign In” message at the bottom of each listing I opened.

It appears that Google is limiting access for anonymous users. While you can still look up listings, use route planning, and get ads, you won’t get what some would say is the most vital information on Google Maps: user reviews.


Five Google Maps Alternatives

While you could sign in to a Google account to restore full access, some may prefer switching to a different service entirely.

Here are five good alternatives that you could try:

  • Organic Maps — Organic Maps is widely considered the “gold standard” for privacy-conscious users. It is a fork of the original Maps.me, created by the original developers who wanted to strip out all the trackers and bloatware.
  • Magic Earth — If you miss Google Maps’ real-time traffic alerts and lane guidance, Magic Earth is your best bet. It manages to offer advanced “smart” features while remaining strictly no-profile.
  • OsmAnd — OsmAnd is the most feature-dense mapping app available. It’s not just a map; it’s a professional-grade geographic tool.
  • Apple Maps — In mid-2024, Apple finally brought Apple Maps to the web (currently in beta). Unlike Google, Apple’s web version actually functions better without a login, as it currently doesn’t even support signing in to an Apple ID on the browser.
  • DuckDuckGo Maps — If you are looking for the most seamless “Google Maps-like” experience in a web browser without ever being asked to sign in, DuckDuckGo is the winner. It uses Apple Maps’ MapKit JS framework, giving you high-quality visuals without the data-tracking baggage.

There are also regional apps and maps that sometimes offer better information and services than Google Maps. Kakaomap, for example, is seen as the superior app in almost any area, if you are in Korea.

Now You: do you use a map app or service? Any app that you can recommend?

Chrome Stable Channel Update: Emergency Fix for Active CSS Exploit

Posted on February 17, 2026 by Martin Brinkmann

Google has issued an urgent security update for the Chrome desktop browser following the discovery of a high-severity vulnerability being actively exploited in the wild.

The update, which brings the Stable channel to version 145.0.7632.75 or 145.0.7632.76 for Windows and Mac, and 144.0.7559.75 for Linux, specifically addresses a “use after free” flaw within the browser’s CSS engine.

Identified as CVE-2026-2441, the bug was reported by security researcher Shaheen Fazim just days prior, prompting an accelerated rollout to protect users from potential attacks that leverage this exploit to compromise system memory.

Here are the key points from the update:

  • New Versions: The Stable channel has been updated to 145.0.7632.75/76 for Windows and macOS, and 144.0.7559.75 for Linux.
  • Zero-Day Patch: The update addresses CVE-2026-2441, a high-severity security flaw classified as a “Use after free” vulnerability in CSS.
  • Active Threat: Google has confirmed that they are aware of an exploit for this specific vulnerability existing in the wild.
  • Rapid Response: The bug was reported by researcher Shaheen Fazim on February 11, 2026, just two days before the release of this patch.
  • Rollout: The update will continue to become available to all users over the coming days and weeks.

How to install the Chrome update

Most unmanaged Chrome installations should receive the update automatically. The browser is configured to install updates automatically by default. Since this does not happen immediately, it is recommended to run a manual check for updates to speed up the process.

Open Google Chrome and select Menu > Help > About Google Chrome to do so. The browser should begin downloading and installing the security update immediately.

Windows users may also run winget upgrade google.chrome.exe to install the update from the command line without opening Chrome at all.

Note that it is highly recommended to upgrade the browser, even if it is not the main browser on the system. In short, if the browser is installed, upgrade it to protect it from potential exploits.

Adbleed: A Proof of Concept for Adblocker Fingerprinting

Posted on February 12, 2026 by Martin Brinkmann

Internet users have plenty of options to make their connections more private. Popular choices include content blocking, using VPNs, or disabling services or features that may reveal information about them.

However, in rare circumstances, it is the very tools designed to protect users that may reveal information about them.

Enter Adbleed

Adbleed is a proof-of-concept designed to highlight a specific privacy risk associated with the use of regional adblocking rules.

The tool functions by detecting which country-specific filter lists—such as EasyList Germany or Liste FR—are currently active within a user’s browser. By probing for the blocking of domains unique to these specific lists, Adbleed creates a “filter fingerprint” that can reveal a user’s likely country of origin or language preference.

This technique demonstrates that users can be partially de-anonymized based solely on their adblocking configuration, even when employing VPNs or proxies to mask their physical location.

The detection process follows three simple steps:

  • Domains: The tool uses a curated list of domains that are blocked exclusively by certain filter lists, such as EasyList Germany.
  • Probing: Adbleed attempts to load resources from these specific domains. It then looks at what is returned. Blocked requests, which happen near instantly, are what the tool is after. It measures the time it takes to get a response to distinguish blocked requests from other errors, e.g., network failures.
  • Fingerprinting: When a specific number of domains are blocked from a regional listing, Adbleed concludes that the list is active.

What does it mean? It means that a site can detect if certain regional content blocking lists are likely enabled. This adds another factor to fingerprinting attempts.

Mitigation & Protection

Here are a few suggestions to mitigate Adbleed or limit its use for fingerprinting:

  • Stick to the defaults. If you do not enable any regional lists, Adbleed won’t detect any, which in turn makes your configuration less unique.
  • Enable anti-fingerprinting: If the browser supports anti-fingerprinting techniques, make sure they are enabled.
  • Disable JavaScript or enable hard-mode blocking: This may not be practicable, especially the JavaScript part, but this should protect against this particular type of attack.
  • Use different browsers: If you use different browsers, you torpedo tracking attempts, as the trackers can’t link your activities between different apps or browsers (unless there is a common factor that is unique).

Adbleed demonstrates that the tools designed to protect users on the Internet can sometimes be used against them. It reveals how regional content blocking preferences may allow sites to fingerprint and track users. It is not an argument against content blocking, but rather a wake-up call that things are never as straightforward as they look at first glance.


Six Zero-Days in the Wild: The February 2026 Windows Patch Tuesday Breakdown

Posted on February 11, 2026 by Martin Brinkmann

If January was the warm-up, February is the sprint.

Microsoft’s second Patch Tuesday of 2026 has arrived with significant urgency, addressing 59 vulnerabilities in total. While the total count is manageable, the severity is high, as it contains six zero-day vulnerabilities that are currently being exploited in the wild.

Here is the breakdown of what you need to know, what to patch first, and what might break.

The February 2026 Patch Day overview

Executive Summary

  • Release Date: February 10, 2026
  • Total Vulnerabilities: 59
  • Critical Vulnerabilities: 5
  • Zero-Days (Actively Exploited): 6 (Windows Shell, MSHTML, Word, DWM, RDP, Remote Access Connection Manager)
  • Key Action Item: Administrators must prioritize workstation patching immediately due to three “one-click” security bypasses (Shell, MSHTML, Word) that allow code execution without user confirmation. Simultaneously, restrict and patch RDP servers to prevent the active SYSTEM-level escalation exploit (CVE-2026-21533).

Important Patches

  • CVE-2026-21510 — Windows Shell Security Feature Bypass Vulnerability
  • CVE-2026-21513 — MSHTML Platform Security Feature Bypass Vulnerability
  • CVE-2026-21514 — Microsoft Office Word Security Feature Bypass Vulnerability
  • CVE-2026-21519 — Desktop Window Manager Elevation of Privilege Vulnerability
  • CVE-2026-21533 — Windows Remote Desktop Services Elevation of Privilege Vulnerability

Cumulative Updates

Product, Version | KB Article | Notes
Windows 10, Version 22H2 | KB5075912 | ESU Only. Security updates. Fixes the VSM shutdown/restart bug introduced in January.
Windows 11, Version 23H2 | KB5075941 | Security updates.
Windows 11, Version 24H2 / 25H2 | KB5077181 | Security updates and non-security changes. Adds “Cross-Device resume” and MIDI 2.0 support.

Deep Dive: The Critical Vulnerabilities

Microsoft confirmed that six already exploited zero-day vulnerabilities are fixed after installing the cumulative updates. Attackers may exploit the issues on unpatched systems to bypass protections and gain system-level access.

Here is the critical overview:

CVE-2026-21510 (Windows Shell Security Feature Bypass)

Allows attackers to craft malicious links or shortcut files to bypass Mark of the Web (MotW) and Windows SmartScreen prompts. As a result, malicious payloads may execute on unpatched systems without the usual “Are you sure” security warnings of SmartScreen.

CVE-2026-21513 (MSHTML Platform Security Feature Bypass)

Allows attackers to bypass security prompts using malicious HTML files, if the Internet Explorer engine (MSHTML) is used for rendering. The threat is similar to the Windows Shell issue described above, as it may be used to skip security screens to run malicious code on target systems.

CVE-2026-21514 (Microsoft Word Security Feature Bypass)

The third of the feature bypasses, this exploits an issue in Object Linking & Embedding (OLE) in Microsoft Office. Attackers may use it to run malicious Word documents and sidestep certain protections designed to block the execution of risky external content.

CVE-2026-21519 (Desktop Window Manager Elevation of Privilege)

The vulnerability is a type confusion flaw in the Desktop Window Manager (DWM). Attackers need basic access for exploitation, but once they have it, they may use the flaw to elevate their privileges to SYSTEM level, which allows them to take control of the system.

CVE-2026-21533 (Windows Remote Desktop Services Elevation of Privilege)

Describes an improper privilege management flaw in Remote Desktop Protocol. Exploitation opens another route to SYSTEM privileges on unpatched systems. This is especially problematic in Enterprise environments, which usually use RDP a lot.

CVE-2026-21525 (Windows Remote Access Connection Manager Denial of Service)

A null pointer dereference issue in the VPN / Dial-up manager. A local attacker, even with low privileges, may use the issue to crash the service repeatedly.

Significant Changes in the February 2026 updates

  • The Virtual Secure Mode (VSM) restart loop bug is fixed.
  • Cross-Device resume arrives in Windows 11. When a phone is paired with the Windows system, its recent activities are now displayed in Start. You can continue those. Requires the latest Link to Windows app.
  • Native MIDI 2.0 support. The new protocol is now supported, which creators and audio engineers may take advantage of.
  • The Secure Boot change is entering the targeting phase. In this phase, Windows can determine whether the device’s UEFI is compatible with the upcoming certificate rotation. If it is, it will be queued to receive the actual update in the coming months. No user action required.

First Steps: Your Patch Tuesday Strategy

  1. Patch the six zero-day vulnerabilities immediately. Start with user workstations.
  2. If you paused updates in January because of the VSM restart loop bug, deploy this month’s cumulative update to get it fixed.

Block Google “Continue As” prompts on third-party websites

Posted on February 7, 2026 by Martin Brinkmann

If you are using Chrome and are signed in to a Google account, you may have received a fair share of requests to sign in with your account on third-party websites, provided that you do not have an account there already.

The main idea is to make sign ups on third-party sites easier and more secure by using the Google account. Google provides the site with information to set up the account and you decide much of what you want to share and what not. The user password is never provided by Google, which is an advantage.

There are disadvantages: using one account for multiple sites and Google knowing which sites you create accounts on.

The prompts appear on site load and at least some users find them highly annoying. Not everyone wants to (or can) use Chrome without being signed in or switch to another browser. There is another option, but it is hidden deep in the Chrome settings.

How to stop Chrome from showing “Continue As” prompts

Here are the required steps for desktop Chrome:

Enable the block option in the Settings to prevent continue-as-prompts in the future.
  1. Load chrome://settings/content/federatedIdentityApi in the browser’s address bar.
  2. Enable “Block sign-in prompts from identity services” under Default Behavior.

This takes care of the prompts. You can add sites to the allow-list, but this is only useful if you want to create an account on the website using your Google information.

Here are the required steps for mobile Chrome:

In mobile Chrome, you need to open the setting manually.
  1. Open the Settings.
  2. Go to Site Settings.
  3. Tap on Third-party sign-in.
  4. Toggle “Third-party sign-in” so that it is off.

This blocks all future attempts in mobile versions of the Chrome web browser.

Manage existing connections

Google’s support page provides information on managing existing connections. You can review all connections on the third-party connections page on Google’s website.

Switch to the “Sign-In with Google” tab first. Google lists all connections and you may click on the “>” icon to display details. There you may remove it by selecting “Stop using Sign in with Google” and confirm the decision.

Note that this severs the connection only, but it does not affect the data that the third-party site has accumulated.

What you may do instead

While the option to use your Google account on third-party sites may be convenient, most users may benefit from separating accounts.

Apart from providing Google and the third-party site with additional information, any successful account breach gives the attacker access to not only Google but all other sites with connections.

My suggestion: stick to the one site, one unique account rule, and turn off the prompts, if you do use Chrome and want to stay signed in. (source: Caschys Blog)

Why You Need to Update Notepad++ Immediately

Posted on February 2, 2026 by Martin Brinkmann

The popular open source plain text editor has become the target of state-sponsored hackers, according to a blog post. The Notepad++ developer released a detailed post-mortem on a severe supply chain attack that occurred between June and December 2025.

By compromising the application’s hosting provider, state-sponsored hackers were able to redirect update traffic to serve malicious files to users of the text editor.

It all started in 2025

When the developer of Notepad++ put out a security warning in December 2025, it was immediately clear that something critical happened. The blog post confirmed that a vulnerability of the updating process had been exploited for some time. Traffic “was occasionally redirected to malicious servers”, which resulted “in the download of compromised executables” according to the message.

The developer released Notepad++ 8.8.9 to address the issue. That version had been hardened according to the report by adding verification steps to the update process. In other words, Notepad++ checks whether the signature and the certificate of the downloaded installer (the new version) check out. If they do not, updating is aborted.

New information comes to light

The latest version of Notepad++ is 8.9.1 at the time of writing.

Today, a new blog post was published that provides detailed information on the incident. Here are the details:

  • The Breach Method: The attack was not a vulnerability in the Notepad++ code itself, but a compromise of its hosting provider’s infrastructure.
  • The Timeline: The hijacking occurred over a six-month period, starting in June 2025 and lasting until it was discovered and shut down on December 2, 2025.
  • State-Sponsored Attribution: Security researchers (including those from HarfangLab and ESET) linked the activity to “Taidoor,” a malware strain associated with Chinese state-sponsored threat actors.
  • Targeted Delivery: The attackers used a “Man-in-the-Middle” tactic via the WinGUp updater; however, they did not target every user, instead selectively delivering malicious updates to specific IP addresses or regions.
  • Infrastructure Migration: In response, Notepad++ has completely abandoned its previous hosting provider and migrated all binaries and update manifests to a new, more secure infrastructure.
  • Enhanced Security Measures: To prevent future incidents, new versions include mandatory signature verification and certificate pinning for all automated updates.
  • User Action Required: Users are urged to ensure they are running the latest version of Notepad++ and to be wary of any version installed or updated between the June and December window.

The latest version is Notepad++ 8.9.1. You can download it from the official website to make sure that a potentially compromised version is replaced.

You can check the installed version by opening Notepad++ and selecting ? > About Notepad++, or by pressing F1.

It’s Change Your Password Day (again): Here is Why You Should Probably Do Nothing

Posted on February 1, 2026 (updated February 2, 2026) by Martin Brinkmann

Today is officially “Change Your Password Day”, a special day designed to put cybersecurity top of mind. But before you rush to update your logins, pause for a moment: experts now warn that changing your password simply for the sake of the calendar might actually hurt your security more than it helps.

The idea behind the day is simple: Every year, go through your list of accounts and passwords, and change them. Why? The original logic behind the day dates back to a time when modern threat detection and additional layers of account protections did not exist.

Changing passwords frequently could disrupt brute force attempts, silent breaches, or accidental leaks. While that did make sense in some cases back in the day, it is seen as hurting more than it helps in most cases today. Even back then, it caused all kinds of inconveniences, for instance, when on the next day of work, employees started calling the IT department because they could not get into their accounts anymore.

In fact, experts suggest that passwords should only be changed in very specific circumstances, such as:

  • Re-use of passwords across multiple sites, as it goes against the “one site, one unique password” recommendation.
  • Weak passwords, as today’s computers can break into these in seconds or minutes.
  • Breached passwords, which is self-explanatory.
  • When someone else might have access.

However, it is recommended to act immediately instead of waiting for password-day to come along.

This day, at best, is a reminder for users to look at their passwords and start changing the weak, leaked, or re-used ones immediately. While at it, it is recommended to set up another layer of protection, for instance two-factor authentication, for important accounts.

Here is why most security experts advise against frequent password changes: In many cases users pick easy to remember passwords, especially in organizations. The reason is simple: lack of a password manager requires that users remember the passwords. With frequent changes, this becomes a nuisance. Employees started to iterate passwords to help their memory, while others wrote them down to avoid having to contact the IT department to get the password reset every so often.

The Modern Security Checklist

  • Run a check for data breaches. Go to HaveIBeenPwned.com (or use your password manager’s security dashboard) to see if your email or passwords have appeared in a known data leak. Change only the compromised ones immediately, including on other sites if the password was re-used.
  • Audit your passwords: Check for the following:
    • Password length: Too short means weak. Aim for at least 16 characters.
    • Password re-use: All passwords should be unique. If one gets breached, hackers only gain access to one account, not several.
    • Remove the ghosts: If you do not use an account anymore, close it.
    • Second layer: Consider adding two-factor authentication or other means of protection to important accounts.
    • Check recovery options: Make sure email addresses or phone numbers are set correctly, backup codes stored securely, in case of an emergency account recovery.

The era of Tr0ub4dor&3 is over. In 2026, the best gift you can give your digital self is length, uniqueness, and a second layer of defense. So, celebrate “Change Your Password Day” the modern way: upgrade your security once, do it right, and then go enjoy the rest of your Sunday knowing your digital life is locked tight.
