Heartbleed

[tig]

http://filippo.io/Heartbleed/#www.mye28.com

Might want to fix this guys.

[mooseheadm5]

OK, looked it up, have contacted Justin.

[tig]

Heratbleed is likely the worst vulnerability the Internet has seen to date. I strongly suggest that after the sysops update the system that they invalidate everyone's passwords.

If you are not willing to go that far then all members would be advised to change their passwords. Especially if they use the same password on other sites.

[Justin_FL]

I can patch the server soon but from a quick reading it affects encrypted SSL data, which is not used by this forum.

[tig]

Best article explaining it I have found:

http://arstechnica.com/security/2014/04 ... tte-style/

[tig]

I can patch the server soon but from a quick reading it affects encrypted SSL data, which is not used by this forum.

Wow, I just noticed that the sign-in page does not use SSL.

This means that every user's password is SENT IN CLEAR TEXT when they enter it. This means that you should NEVER log in to mye28.com from wireless network that you are not 100% sure is secure (like a coffee shop) because it is likely that someone is sniffing the data and will see your password.

If you use that same password on other sites then all the hacker needs to know is your email address.

People using this forum should use extra care to use a UNIQUE password for this site from all other passwords they use.

Since the Heartbleed vulnerability gives attackers access to memory on the server it does not matter if SSL is actually in use or not. The test I pointed to above shows that the site is exploitable.

[tig]

[Jeremy]

People using this forum should use extra care to use a UNIQUE password for this site from all other passwords they use.

This is basic internet security to begin with. Re-using passwords is extremely hazardous. I use a common theme, but each password I create is non-identical to others.

[WilNJ]

This is basic internet security to begin with. Re-using passwords is extremely hazardous. I use a common theme, but each password I create is non-identical to others.

Purely for educational purposes, please share that password with us as well as your common theme.

I'm not security expert but something that I understand to be true about password security is that you're better off adding characters rather an overly complex password.

Feel free to blow me up if I'm wrong but I understand

mye28,,,,,,,,,,,,,,,,,,10

to be more robust than

mYe28iSc0ol

[jodystevens]

First of all it affects OpenSSL which this site does not use because it does not need it. It doesn't store any sensitive information like banking info, credit card numbers or even street addresses. So much media hype over an exploit that's been vulnerable for 2 years and has been patched by most banking sites already. Who cares if someone steals your forum password.

[Jeremy]

Who cares if someone steals your forum password.

A lot of people (very unwisely) re-use passwords and login names across multiple services. Getting a person's Yahoo credentials can gain a person access to their online banking, PayPal, and other services in this case.

I'm not security expert but something that I understand to be true about password security is that you're better off adding characters rather an overly complex password.

Yes, but ...

While what you wrote is true, it only counts if someone has unlimited attempts to "guess" your password. A brute force attack. These types of attacks are well protected against on internet sites, thus making your password complexity almost a non-factor for internet website passwords.

Password compromises usually happen by way of a keylogger tied to a trojan or other computer malware/virus. Protecting your computer from these types of attacks with effective anti-virus and anti-malware software is what is actually more effective at securing your online passwords compared to adding password complexity. Complexity is similarly useless against exploits such as Heartbleed.

Now, if you're creating a password to encrypt some data, there's a different set of security rules. And that's where complexity definitely plays a role.

[Brad D.]

I got an email at work today requiring a password change I use our Juniper SSL VPN service as well as many others on campus who may have been compromised due to Heartbleed.

[geordi]

Thanks for the post guys… i made the recommended change

[tig]

First of all it affects OpenSSL which this site does not use because it does not need it. It doesn't store any sensitive information like banking info, credit card numbers or even street addresses. So much media hype over an exploit that's been vulnerable for 2 years and has been patched by most banking sites already. Who cares if someone steals your forum password.

This site may not need SSL, but it did have the vulnerable version of OpenSSL installed and activated and listening on the SSL port (443). Because this vulnerability exposes server memory to the attacker it does not matter whether the site needs SSL or not.

[tig]

By far the best description of the Heartbleed bug.



Note, as I said before, normal traffic to the server does not have to use SSL for this to be exploitable.

[booker]

I suggest not using the internet anymore.

[rodpaine]

If you are on the Internet as much as I am and involved with a lot of password based accounts, than you really should be using '1Password' to help improve your password strength, which is pretty poor in my experience working with computer users, when I ran ASTEC Co., Inc. They also have comments about Heartbleed here...
http://email.agilewebsolutions.com/t/Vi ... 06BE9B4083
-Rod

[Jeremy]

I use LastPass personally, it has similar functionality. I still maintain that increasing password strength offers no increased protection for internet based services, however. All it truly does is makes your passwords harder to remember, thus increasing the chance you'll write it down, and then it's not "secure" at all.

[rodpaine]

Jeremy,
What your saying is partially correct, but during the 14 years I was configuring, installing and updating over 3,000 Macs primarily in small business offices and division offices in larger organizations, my experience with these systems was that poor passwords was the leading cause of difficulties, requiring my involvment. Out right computer failures, including failed hard disk drives and no backups to restore from, were way below the time I spent correcting poor password use and resultant problems. It is still an issue that I see is way too big, even now as an outsider.
-Rod

[Justin_FL]

FYI, I updated the server Wednesday evening in case anyone was wondering...

[Jeremy]

Rod-

Can you define "poor password use"? Were they just bad passwords, ie they were using password as the password or the password matched the login name?

What's the minimum complexity you would consider "safe" or "prudent"?

I'm curious because school forces us to use a password that's at least 8 characters long and includes a 2 out of three of: combination of upper and lower case characters, special characters, and numbers. These passwords expire and must be changed every 3 months, and you need to come up with an entirely new password every time. Once a password is used, it can never be used again with that account. I resorted to serializing my passwords in an effort to keep my remaining bits of sanity intact.

It takes a minimum of 38 keystrokes to log into a computer lab computer, then the same 38 keystrokes again to access your school e-mail, then the same 38 keystrokes a third time to access your classwork. It's absurd, and IMHO, completely unnecessary. IS security is not my forte, however, which is why I asked what you personally consider to be "good enough" in the password realm.