mersenneforum.org  

#1  2014-04-09, 02:53
LaurV (Romulan Interpreter; joined Jun 2011; Thailand; 2⁶×151 posts)
Mein-♥-brennt: Changing your passwords

Heartbleed
(Not very well documented, but it makes you say hmm... Better you search the web for more details; the noise is on the rise now.)
#2  2014-04-09, 12:56
tServo ("Marv"; joined May 2009; near the Tannhäuser Gate; 2×7×47 posts)
This looks EXTREMELY SIGNIFICANT and bad.

Quote (Originally Posted by LaurV):
Heartbleed
(Not very well documented, but it makes you say hmm... Better you search the web for more details; the noise is on the rise now.)
LaurV is right and perhaps understated it a bit.
This looks VERY VERY bad, indeed! It affects servers; the estimate I just saw said about 500,00 of them. For instance, every Apache server has this vulnerability! Since it is on the server side, there is no protection on your client machine to avoid this. CNET has a pretty good article, as does heartbleed.com. I'm sure there will be plenty of others.
The hell of it is: you can't try to fix this until the company that owns the servers has done their part. Only then can you change your passwords.
Also, if the hackers have saved intercepted data, they now have the means to use it.
#3  2014-04-12, 01:39
cheesehead ("Richard B. Woods"; joined Aug 2002; Wisconsin USA; 17014₈ posts)
♥-burp: Changing your passwords

I don't usually quote full articles, but I'm making an exception for this:

"The Heartbleed Aftermath Drags On: What Passwords You Need to Change Now"
https://www.yahoo.com/tech/the-heart...296501283.html
(I hope you'll excuse my quoting this entire article. If you think it is unwarranted in this case, please say so and why, so I can adjust my judgement in future cases. Note the last sentence, linking to an article about passwords.)
Quote (Originally Posted by Alyssa Bereznak, Tech Columnist):
This week the web was rocked by a security bug called Heartbleed. In short, it’s a flaw in a commonly used security system that potentially two-thirds of websites use to keep information like your passwords secure.

As I mentioned yesterday, all you can really do about the flaw is change your passwords. But it’s best to wait to do that until a website has fixed everything. Otherwise you could very well be handing over your new password to an undetected attacker.

By now, most sites that were vulnerable to the flaw have patched it.

Some good news first: The login information for your bank is most likely safe. The following financial institutions have not been affected by Heartbleed: Bank of America, Chase, E*Trade, Fidelity, PNC, Schwab, Scottrade, TD Ameritrade, TD Bank, U.S. Bank, and Wells Fargo.

And now it’s time for everyone’s faaaaavorite game: What Passwords Do I Need to Change Today?

First up:

Email providers
Here are the ones that were vulnerable:

• Yahoo Mail: Was affected! But patched. You should change your password.

• Gmail: Was affected! But patched. A Google representative told Mashable you need not change your password. But you should probably do it anyway, just in case.

And the ones that were not:

• AOL: Was not affected. You do not need to change your password.

• Hotmail/Outlook: Was not affected. You do not need to change your password.

Hey, that was a fun round. Now let’s move on to …

Online stores
Here are the ones that were vulnerable:

• Amazon Web Services (for website operators): Was affected. If you use Elastic Load Balancing, Amazon EC2, Amazon Linux AMI, Red Hat Enterprise Linux, Ubuntu, AWS OpsWorks, AWS Elastic Beanstalk, or Amazon CloudFront, you should change your password.

• eBay: Was probably not affected. But you should change your password just in case.

• GoDaddy: Was affected! But patched. You should change your password.

And the ones that were not:

• Amazon: Was not affected. You do not need to change your password.

• PayPal: Was not affected. You do not need to change your password.

• Target: Was not affected. You do not need to change your password.

Tax- and government-related
Here are the ones that were vulnerable:

• Intuit (TurboTax): Was affected! But patched. You should change your password.

And the ones that were not:

• Healthcare.gov: Was not affected. You do not need to change your password.

• 1040.com: Was not affected. You do not need to change your password.

• FileYour Taxes.com: Was not affected. You do not need to change your password.

• H&R Block: Was not affected. You do not need to change your password.

• IRS: Was not affected. You do not need to change your password.

Social networks
Here are the ones that were vulnerable:

• Tumblr: Was affected! But patched. You should change your password.

• Twitter: Unclear. It’s “monitoring the situation.” So maybe wait a few more days and then change your password.

• Facebook: Unclear! It has “added protections,” so it’d be best to change your password.

And one that was not:

• LinkedIn: Was not affected. You do not need to change your password.

Other important websites
Here are the ones that were vulnerable:

• Google: Was affected! But patched. Google says you don’t need to, but just to be safe, you should probably change your password for the following Google services: Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine. Google Chrome and Chrome OS were not affected.

• Yahoo: Was affected! But patched. You should change your password.

• Dropbox: Was affected! But patched. You should change your password.

• OkCupid: Was affected! But patched. You should change your password.

• SoundCloud: Was affected! But patched. You should change your password.

• Wunderlist: Was affected! But patched. You should change your password.

• IFTTT: Was affected! But patched. You should change your password.

• Netflix: Was affected. But patched. You should change your password.

And the ones that were not:

• Apple: An Apple spokesperson told Yahoo Tech that “Apple takes security very seriously. iOS and OS X never incorporated the vulnerable software and key web-based services were not affected.” So, no need to change your password.

• Amazon: Was not affected. You do not need to change your password.

• Microsoft: Was not affected. You do not need to change your password.

• Evernote: Was not affected. You do not need to change your password.

• Dashlane: Was not affected. You do not need to change your password.

And that concludes this week’s episode of “Secure or Not?” We’ll see you back here next time someone breaks the Internet. A special hat-tip to Mashable, from whom we sourced some of this info.

In the meantime, check out my colleague Rafe Needleman’s column on how to create super-strong passwords.
Note that last sentence, linking to an article ("Weekend Project: Fix Your Passwords") about passwords.
#4  2014-04-12, 08:24
TheMawn (joined May 2013; East. Always East.; 1727₁₀ posts)

http://xkcd.com/936/
#5  2014-04-12, 14:23
cheesehead ("Richard B. Woods"; joined Aug 2002; Wisconsin USA; 2²·3·641 posts)

Let the record show that the original title of this thread was

Heartbleed: Changing your passwords
#6  2014-04-12, 14:28
cheesehead ("Richard B. Woods"; joined Aug 2002; Wisconsin USA; 7692₁₀ posts)

The discoverers of the Heartbleed Bug (it's a software bug -- i.e., programming mistake -- rather than a virus or other malware) have created a website (heartbleed.com) with all sorts of spiffy information, much of which will be of interest mainly to people who know what "SSL/TLS" means without looking it up.
#7  2014-04-12, 14:37
cheesehead ("Richard B. Woods"; joined Aug 2002; Wisconsin USA; 2²×3×641 posts)

Personal note:

This is the one ... the security problem that's big enough and bad enough to motivate me to get up and do what I should have done a decade ago: start using a password manager.

I've chosen one listed in the article "Weekend Project: Fix Your Passwords" at https://www.yahoo.com/tech/weekend-p...304267876.html

One of the first things I've learned is that using a password manager requires, as a first step, that I create a strong password for use as the Master Password. However, the password manager itself cannot suggest or create one for me (for excellent reasons).

Since the master password is one that I'll have to reliably remember, I've consulted other advice on how to create strong passwords that can be reliably remembered.

Note: the consequence of forgetting that master password would be that all the stuff (usernames and passwords for sites, other stuff for filling in forms, ...) the password manager had encrypted (using that master password) and stored for me would be unavailable. Then I'd have to start all over with getting the password manager to remember those sites, usernames, passwords, form fill-ins, and so on -- as though I'd just installed the password manager and never used it before.

Last fiddled with by cheesehead on 2014-04-12 at 14:52
#8  2014-04-12, 15:41
xilman (Bamboozled!; "𒉺𒌌𒇷𒆷𒀭"; joined May 2003; Down not across; 2·5,393 posts)

Quote (Originally Posted by cheesehead):
Since the master password is one that I'll have to reliably remember, I've consulted other advice on how to create strong passwords that can be reliably remembered.
It doesn't particularly need to be memorable, though that may be helpful. You can safely write down passwords as long as they are kept in a physically secure place accessible only by authorized personnel. As always, keeping at least two copies in at least two physically distinct places is generally a good idea.


Paul
#9  2014-04-12, 17:22
Uncwilly (6809 > 6502; custom title """""""""""""""""""; joined Aug 2003; location "101×103 Posts"; 3×17×193 posts)

Quote (Originally Posted by xilman):
It doesn't particularly need to be memorable, though that may be helpful. You can safely write down passwords as long as they are kept in a physically secure place accessible only by authorized personnel.
Someone that used to work at a store that had a safe whose combination was regularly changed taught me a trick. They themselves almost never had to open the safe, but at times they might be the only person at the location trusted enough to have the combination, so they had to have it. What they would do is take the 4 numbers and hide them inside phone numbers that were well known to them. They would take the resultant numbers and run an adding machine tape with them and a grand total (the figure would look like store sales or some such). Then they could safely keep that strip of paper in their wallet. Anyone finding it would not be able to tell what it was, and with all the chaff in there it would be impossible to find the combo. The phone numbers were not written anywhere else within their wallet.
#10  2014-04-12, 17:29
xilman (Bamboozled!; "𒉺𒌌𒇷𒆷𒀭"; joined May 2003; Down not across; 2·5,393 posts)

Quote (Originally Posted by Uncwilly):
Someone that used to work at a store that had a safe whose combination was regularly changed taught me a trick. They themselves almost never had to open the safe, but at times they might be the only person at the location trusted enough to have the combination, so they had to have it. What they would do is take the 4 numbers and hide them inside phone numbers that were well known to them. They would take the resultant numbers and run an adding machine tape with them and a grand total (the figure would look like store sales or some such). Then they could safely keep that strip of paper in their wallet. Anyone finding it would not be able to tell what it was, and with all the chaff in there it would be impossible to find the combo. The phone numbers were not written anywhere else within their wallet.
I do something similar. I keep a memorized "one-time-pad" which I add modulo 10 to printed numbers to generate key PINs. Not completely secure, given that it's a many-time pad, but easily sufficient for the threat model I use.
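The digit-wise pad arithmetic xilman describes in the post above, worked through as an added example (this is not his code) so that the many-time-pad caveat he gives is concrete. The scheme is reduced to "add a memorized digit string to a printed number, digit by digit, modulo 10"; the pad, card numbers and PINs below are constructed for the demonstration.

```python
"""Digit-wise modulo-10 "pad" for deriving PINs from printed numbers.

Added example for the scheme described in the thread; not xilman's code.
A PIN is derived by adding a memorized digit string to a printed (public)
number digit by digit, modulo 10. The demo then shows the many-time-pad
weakness: one known (printed number, PIN) pair gives away the pad prefix,
and with it every other PIN derived from the same pad digits.
All pad and printed values below are constructed, not real.
"""


def _check_digits(*strings: str) -> None:
    """Reject anything that is not a run of ASCII digits of equal length."""
    if len({len(s) for s in strings}) != 1:
        raise ValueError("digit strings must all have the same length")
    for s in strings:
        if not s.isdigit() or not s.isascii():
            raise ValueError(f"not a run of ASCII digits: {s!r}")


def add_mod10(a: str, b: str) -> str:
    """Digit-wise (a + b) mod 10, e.g. "4821" + "7302" -> "1123"."""
    _check_digits(a, b)
    return "".join(str((int(x) + int(y)) % 10) for x, y in zip(a, b))


def sub_mod10(a: str, b: str) -> str:
    """Digit-wise (a - b) mod 10; undoes add_mod10 in its second argument."""
    _check_digits(a, b)
    return "".join(str((int(x) - int(y)) % 10) for x, y in zip(a, b))


def derive_pin(printed: str, pad: str) -> str:
    """PIN = printed + pad (mod 10 per digit), using one pad digit per printed digit."""
    if len(pad) < len(printed):
        raise ValueError("pad is shorter than the printed number")
    return add_mod10(printed, pad[: len(printed)])


def recover_pad(printed: str, pin: str) -> str:
    """What an observer learns from one (printed, PIN) pair: pad prefix = PIN - printed."""
    return sub_mod10(pin, printed)


# Constructed sample values (not real pads, cards or PINs).
PAD = "7302918465"        # the memorized secret
PRINTED_CARD_A = "4821"   # number printed on one card
PRINTED_CARD_B = "9057"   # number printed on another card


def many_time_pad_demo() -> dict:
    """Derive two PINs from one pad, then show that leaking one pair forges the other."""
    pin_a = derive_pin(PRINTED_CARD_A, PAD)           # "1123"
    pin_b = derive_pin(PRINTED_CARD_B, PAD)           # "6359"
    leaked_pad = recover_pad(PRINTED_CARD_A, pin_a)   # "7302": the pad prefix is exposed
    forged_pin_b = derive_pin(PRINTED_CARD_B, leaked_pad)
    return {
        "pin_a": pin_a,
        "pin_b": pin_b,
        "leaked_pad_prefix": leaked_pad,
        "forgery_matches": forged_pin_b == pin_b,
    }


if __name__ == "__main__":
    for key, value in many_time_pad_demo().items():
        print(f"{key}: {value}")
```

Learning one printed number together with the PIN it yields is enough to recover that prefix of the pad, after which every other PIN built on the same pad digits is computable. That is the precise sense in which reuse turns the scheme into a many-time pad: the memorized string protects the PINs only against someone who never sees a single derived PIN next to its printed number.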
#11  2014-04-12, 20:16
cheesehead ("Richard B. Woods"; joined Aug 2002; Wisconsin USA; 2²·3·641 posts)

Thanks, guys.

Meanwhile, I've looked at some random password generator sites.

Random.org -- really random (atmospheric noise), but it transfers the password to your browser via SSL, which is exactly what has the bug.

https://identitysafe.norton.com/password-generator# -- apparently transfers the generated password(s) from its site to your browser, rather than generating then inside your browser via JavaScript. Does it use SSL?

http://passwordsgenerator.net/ -- has an option for whether to generate the password "on the client" rather than transmit it across the Internet.

http://strongpasswordgenerator.com/ -- apparently always generates the password inside your browser via JavaScript.
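The distinction cheesehead is checking the generator sites for, whether the password ever leaves your machine, and the comparison in the xkcd strip linked in post #4, worked as an added example. This is not code from any site or tool named in the thread; it generates a password or passphrase entirely in the local process with the operating system's CSPRNG and reports entropy in bits for each style. The word list is a constructed stand-in for a real Diceware-style list, and the 2048-word figure is the one the comic uses.

```python
"""Generating a password or passphrase locally and estimating its strength.

Added example for the password-generator discussion and the xkcd 936 link in
the thread; not code from any site or tool named there. Everything happens
inside this process: nothing is fetched from or sent to a server. Strength is
reported as entropy in bits, log2(choices) per uniformly chosen symbol, which
is the measure the comic compares for the two styles. The word list below is
a constructed stand-in for a real Diceware-style list.
"""
import math
import secrets
import string

# The 94 printable ASCII characters other than space.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in word list; a real passphrase list has thousands of words.
SAMPLE_WORDS = ("correct", "horse", "battery", "staple",
                "lantern", "orbit", "velvet", "cactus")


def entropy_bits(choices: int, count: int) -> float:
    """Entropy of `count` symbols, each drawn uniformly from `choices` options."""
    if choices < 2 or count < 1:
        raise ValueError("need at least two choices and one symbol")
    return count * math.log2(choices)


def random_password(length: int = 16, alphabet: str = FULL_ALPHABET) -> str:
    """Uniform random characters from `alphabet`, drawn via `secrets` (OS CSPRNG)."""
    if length < 1:
        raise ValueError("length must be positive")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet needs at least two distinct characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 4, wordlist=SAMPLE_WORDS, sep: str = " ") -> str:
    """xkcd-936 style: `words` entries chosen uniformly from `wordlist`, joined by `sep`."""
    if words < 1:
        raise ValueError("need at least one word")
    if len(set(wordlist)) < 2:
        raise ValueError("word list needs at least two distinct words")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare_styles(char_len: int, alphabet_size: int,
                   word_count: int, wordlist_size: int) -> dict:
    """Entropy of a character password next to a passphrase, rounded to 0.1 bit.

    Only valid for strings produced by uniform random choice as above; a
    human-chosen password with letter substitutions has far less entropy than
    its character count suggests, which is the comic's point.
    """
    return {
        "characters": round(entropy_bits(alphabet_size, char_len), 1),
        "passphrase": round(entropy_bits(wordlist_size, word_count), 1),
    }


if __name__ == "__main__":
    pw = random_password(16)
    phrase = random_passphrase(4)
    print(f"password:   {pw}  ({entropy_bits(len(FULL_ALPHABET), 16):.1f} bits)")
    print(f"passphrase: {phrase}  ({entropy_bits(len(SAMPLE_WORDS), 4):.1f} bits "
          f"from this {len(SAMPLE_WORDS)}-word stand-in list)")
    # The comic's figure: four words from a 2048-word list give 44 bits.
    print(compare_styles(16, len(FULL_ALPHABET), 4, 2048))
```

Because `secrets` reads the operating system's CSPRNG and the output is only printed, the generated value never crosses a TLS connection, so the question cheesehead asks about Random.org and Norton's generator does not arise for a local generator. The entropy figures also show why a short random-character string and a four-word passphrase can be comparable in strength while only one of them is easy to remember as a master password.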
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.
A copy of the license is included in the FAQ.