Change those passwords!

I finally read up on the Heartbleed vulnerability last night & looked over the list of known high-profile sites that were vulnerable.

Now would be an excellent time to change all your passwords. For sites that are protected with 2-factor authentication, your risk is lower, but it’s still not a bad idea. Make use of 2-factor auth everywhere you can.

According to 1Password, about 50% of my passwords are more than 3 years old. I’ve got a lot of resetting to do.

If you’re changing your password now, you will need to do it again once there’s a notice that the website you’re logging into has applied the patch.

Today’s xkcd is a simple description of how it works. It’s kind of like a reverse buffer overrun, where the attacker tricks it into returning more data than what was requested.

Fortunately, there’s a way to check sites. http://filippo.io/Heartbleed/
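To make the "reverse buffer overrun" description concrete, here is an added example (not from the original thread, not OpenSSL's code) of a minimal heartbeat-record handler written the way the patched code behaves: it parses the RFC 6520 layout (type, 16-bit payload length, payload, padding) and refuses any record whose claimed payload length does not fit inside the bytes actually received. The handler name, buffer sizes and the constructed requests are assumptions for illustration; the point is the single length check, which is the one the vulnerable code lacked.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* TLS heartbeat record layout (RFC 6520):
 *   1 byte   type (1 = request, 2 = response)
 *   2 bytes  payload_length, big-endian
 *   payload_length bytes of payload
 *   at least 16 bytes of padding
 */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Hypothetical handler (example code, not OpenSSL's).
 * Returns the number of response bytes written to `out`, or -1 if the
 * record is rejected. */
int handle_heartbeat(const uint8_t *rec, size_t rec_len,
                     uint8_t *out, size_t out_cap)
{
    /* Too short to even hold type + length + minimum padding. */
    if (rec_len < 1 + 2 + HB_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;

    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);

    /* The Heartbleed check: the peer's claimed payload length must fit
     * inside the record we actually received. Without this comparison the
     * handler would copy payload_len bytes from rec + 3 no matter how short
     * rec really is, echoing back whatever followed it in memory. */
    size_t need = (size_t)1 + 2 + payload_len + HB_PADDING;
    if (need > rec_len) return -1;
    if (need > out_cap) return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    /* Real implementations fill this with random bytes; zeroed here. */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (int)need;
}

/* Builds a constructed heartbeat request for testing. `claimed_len` is
 * what goes on the wire; `payload_len` is how many bytes are really there,
 * so the two can deliberately disagree. Returns the record length. */
size_t build_request(uint8_t *buf, uint16_t claimed_len,
                     const uint8_t *payload, size_t payload_len)
{
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + 3, payload, payload_len);
    memset(buf + 3 + payload_len, 0xAA, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}
```

A well-formed request (claimed length equal to the bytes present) is echoed back; a request that claims far more payload than it carries is dropped before any copy happens. That rejection, not anything about the payload contents, is what the fix consisted of.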

Some gotchas with those checks.

Some of them look to see if the certificate issue dates are post advisory. Unfortunately some reissues don’t change the dates, just the serial numbers. That means some checks will claim the site hasn’t installed a fresh certificate.

There are also, for a number of packages, settings that make some of the tests fail while the site is still vulnerable. Then there are the firewall settings or IDS rules that will interfere with unencrypted tests, but not with encrypted tests (which few people do).

Oh, and for goodness sake don’t poke Juniper firewalls on their management interface to find out if they’re patched.

Don’t forget Cisco and Juniper came out and said some of their hardware is vulnerable as well. So not only are the web and server admins going to be busy but so are the network guys.

And lots of embedded devices, clients that use OpenSSL libraries, phones, managed switches… oh, and let’s not overlook your Blu-Ray player, Smart TV, possibly your game console.

Thread necromancy:

SplashData has released the new annual list of top password fails:

Whew. k84}Q2/8di6cZm7q isn’t on the list. I’m still safe.

Oh crap.

That’s OK, dak. Just change it to k84}Q2/8di6cZm7r.


That’s a horrible thing to say about somebody’s mother.

And apparently the creds for the PC version of Minecraft have been taken…

And this year’s winners are…

LastPass + YubiKey. I don’t even know what most of my own passwords are any more.