
My heart bleeds for the hackers


1eyedjack


All the hackers out there in the world must be cursing Heartbleed, I reckon. All those thousands of compromised accounts and stored up passwords that they had, which had NOTHING to do with Heartbleed, are now going to get changed by a population who have suddenly woken up to the importance of changing them. Ha Ha.

The Canada Revenue Agency is extending the tax deadline by the amount of time e-filing and other services are unavailable.

In a further system enhancement, late penalties and interest will now be charged on a per-minute basis (or part thereof, rounded up), with a new deadline of May 3rd at 1:52:14 am. The Heartbleed reports were developed in cooperation between the NSA and CSIS as cover for this important tax enhancement and the bonus revenue they scoop from the overtime earnings of IT consultants in every major industry.


Yeah, this is probably the time to make my keepass database actually the way it should be - every account with a different, random password...

Same here. We had mostly done that, but found a couple of old passwords still in the database. Then we make sure that the Keepass password is not stored electronically.


Any password that is ever used for any site that you think you need to protect from either:

- people logging in and reading your stuff, or

- people logging in and taking your stuff, or

- people logging in and ruining your reputation by pretending to be you

needs to be changed, *after* it has been proven to either not be affected by the bug, or to have been fixed. If you change it while it's still vulnerable, it's *more* likely to be compromised than if you don't do anything with it (as it's an "I can read traffic" bug, not an "I can crack passwords" bug).

 

Sure, change financial and personal accounts; but any account that used that same password (which shouldn't happen, but I know it does) needs to change as well.

 

This may be time to change to a password locker (I use KeePass), where:

- you can have different passwords to each account (database accessed through a single passphrase - which should be harder to crack than any password, if you do it right)

- it will assist you populating the password into the application (so there are several applications I've never even seen the password to), and

- it can expire passwords and "force" you to change them at regular intervals (and in normal situations, this is a minor task; I will admit, changing *everything* all at once is a headache, as each change does take about twice the time it would without the locker. However, the passwords almost never fail an app's "too easy" policies, so you don't have to rework them (sometimes they violate their "too hard" policies, though - "Password must be between 8 and 15 characters" (why?)))

 

Now the issue with *that* is the NSA worry - if someone puts a keylogger on your device, they get the master passphrase, and then after stealing your locker, have *all* your passwords. But that's still less likely (unless you count the NSA) than someone getting one, and then using it to compromise all the accounts you use that password on (because you only have 3).

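The post above says to change a password only once the site has been shown to be fixed. The following is an added example, not from any poster or from BBO, of the kind of check an administrator can run on their own servers: it parses the output of `openssl version` and flags the affected 1.0.1 through 1.0.1f range (1.0.1g was the first patched release; the 0.9.8 and 1.0.0 branches never had the bug). The host names and banners are constructed, and the check assumes the version string was not left unchanged by a distribution that backported the fix.

```python
import re

# Only the OpenSSL 1.0.1 branch shipped the heartbeat bug; 1.0.1g is the first fix.
AFFECTED_BRANCH = (1, 0, 1)
FIRST_FIXED_LETTER = "g"

# Matches the leading part of `openssl version` output, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner: str):
    """Return ((major, minor, fix), patch_letter) parsed from an `openssl version` banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version string: {banner!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def is_heartbleed_affected(banner: str) -> bool:
    """True if the reported version lies in the affected range 1.0.1 .. 1.0.1f.

    Caveat (assumption): distributions that backported the fix may still report an
    old version string, so a True result means 'verify further', not 'proven broken'.
    """
    nums, letter = parse_openssl_version(banner)
    if nums != AFFECTED_BRANCH:
        return False
    # "1.0.1" with no letter and 1.0.1a .. 1.0.1f are affected; 1.0.1g and later are fixed
    return letter == "" or letter < FIRST_FIXED_LETTER


def triage(banners: dict) -> dict:
    """Map host -> advice, following the post: rotate only after the server is fixed."""
    return {
        host: ("still vulnerable: wait for the fix before changing your password"
               if is_heartbleed_affected(banner)
               else "fixed or never affected: change your password now")
        for host, banner in banners.items()
    }


# Constructed sample banners (hypothetical hosts), as `openssl version` would print them
SAMPLE_BANNERS = {
    "mail.example.test": "OpenSSL 1.0.1e 11 Feb 2013",
    "shop.example.test": "OpenSSL 1.0.1g 7 Apr 2014",
    "old.example.test": "OpenSSL 1.0.0l 6 Jan 2014",
}

if __name__ == "__main__":
    for host, advice in triage(SAMPLE_BANNERS).items():
        print(f"{host}: {advice}")
```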

I have a question for BBO.

 

Are the passwords used to log in to BBO/BBO Forums potentially vulnerable to 'Heartbleed'?

 

If you want the answer to that, post the question on one of the BBO forums. They are vulnerable if people stored them on some other public site. If the question is a BBO security question, then it boils down to whether they used the affected versions of the OpenSSL software.

 

Best advice: just change your password. (BBO bucks are not very fungible, so you probably have nothing to worry about.) But if they were vulnerable, they will remain vulnerable until they change the software version with which they built the system.
