#268995 - 04/11/14 06:04 PM
Re: Might be time to change your passwords
[Re: Arney]
Pooh-Bah
Registered: 03/13/05
Posts: 2322
Loc: Colorado
> I'm afraid you're incorrect. This vulnerability is being exploited in the wild.

“While there have not been any reported attacks or malicious incidents involving this particular vulnerability at this time, it is still possible that malicious actors in cyberspace could exploit un-patched systems,” the department said in a statement. http://www.foxnews.com/tech/2014/04/11/h...b-use-dhs-says/

DHS is saying that there have not been any reported attacks or incidents involving Heartbleed. So I wonder what the real truth is: has this bug been exploited or not? Not that I trust anything DHS would say all that much...
#268997 - 04/11/14 08:13 PM
Re: Might be time to change your passwords
[Re: haertig]
Old Hand
Registered: 06/03/09
Posts: 982
Loc: Norway
> DHS is saying that there have not been any reported attacks or incidents involving Heartbleed. So I wonder what the real truth is: has this bug been exploited or not?

Nobody knows: Exploiting the vulnerability leaves no trail in the system being tapped.
#269001 - 04/11/14 09:32 PM
Re: Might be time to change your passwords
[Re: MostlyHarmless]
Sheriff
Carpal Tunnel
Registered: 12/03/09
Posts: 3842
Loc: USA
> Nobody knows: Exploiting the vulnerability leaves no trail in the system being tapped.

The exploit itself does leave tracks, depending on the service's logs. Services using the OpenSSL libraries can be configured to not log the right information, however.
#269002 - 04/11/14 09:56 PM
Re: Might be time to change your passwords
[Re: Arney]
Sheriff
Carpal Tunnel
Registered: 12/03/09
Posts: 3842
Loc: USA
> as long as you remember that the strength comes from the length, not the apparent "randomness" of the letters and numbers.

Again, this is not always true, depending on the sophistication of the attack.
#269022 - 04/12/14 08:56 PM
Re: Might be time to change your passwords
[Re: ireckon]
Veteran
Registered: 12/12/04
Posts: 1204
Loc: Nottingham, UK
> It's about time for me to get off my ass and finally implement better password security. I have about 100 computer-related logins that require a password. So, I need to think of a system that doesn't repeat a password but allows me to memorize at the same time. This is a daunting task.

The only sane approach is a password manager. I use KeePass. This will generate new passwords of whatever length or alphabet you want, and keep them in a database. The database is encrypted, so you can back it up to non-secure locations. I use DropBox as an off-site backup and as a way of replicating the database to a variety of devices - desktop, tablet, phone. I have to remember the KeePass master password (which is a long, nonsensical phrase), and the DropBox password.

You can get add-ins for browsers that will attempt to recognise web pages and enter the correct password for you. I found they weren't reliable enough, and they also mean having the database open all the time you are browsing, so now I just copy and paste between KeePass and the browser as needed. No-one shares my machine so I don't mind leaving websites logged in, so I don't need passwords every time.

I actually keep two password databases. The second one makes low security passwords more convenient. It has an easier master password that I can type quickly, and I don't mind leaving it open for extended periods. I use it for websites that don't have much at stake, especially forums.

There are several other password managers. I like KeePass because it is open source, and stores its password database locally. Some others store their database online, which means you can get to it from any device, but I think it means you have to trust them more.

Whatever you use, it should give you strong passwords that you don't need to memorise, and it avoids you ever having to reuse passwords. Just make sure you don't lose that password database or forget the master password.
_________________________
Quality is addictive.
#269023 - 04/12/14 09:14 PM
Re: Might be time to change your passwords
[Re: ireckon]
Veteran
Registered: 12/12/04
Posts: 1204
Loc: Nottingham, UK
> A dictionary attack to get "correcthorsebatterystaple" would consider about 200,000^4 combinations of words. How long would that take?

The answer is in the picture. It is not 200,000^4 combinations because those words are so common. If you look at his numbers, he is only claiming 11 bits of randomness per word, which means a dictionary of about 2000 words. 44 bits of randomness altogether. 550 years at 1000 guesses per second.

In practice they can be a million times faster. It's only 5 hours at a billion guesses a second, and if they have a big cluster of GPUs or a botnet they could be hundreds of times faster than that. Upshot is that 4 random words, 44 bits, isn't enough nowadays. It's better than Tr0ub4dor&3, but that's not saying much.

> It would actually be more combinations than that because the hack doesn't know how many words to consider (e.g., 1 word or 9 words?)

That doesn't make as much difference as you might expect. Checking all one-word passwords, then all two-word, then all three-word, doesn't take much longer than checking all three-word passwords because there are 2000 times as many three-word passwords as two-word ones.
_________________________
Quality is addictive.
#269024 - 04/12/14 09:24 PM
Re: Might be time to change your passwords
[Re: haertig]
Veteran
Registered: 12/12/04
Posts: 1204
Loc: Nottingham, UK
> I replace letters/numbers with their "equivalent". e.g., e with 3, s with 5, a with 8, l with 1, o with 0, etc. I do it both ways ... so e with 3 and 3 with e. Then I alternate holding the <shift> key down to capitalize every other keystroke.

Those kinds of transformations are known to hackers and easy to automate. There's a good (if long) article about hacking that kind of rule-based password on Ars Technica.

> But for passwords for the less critical stuff, say for my login here on ETS, I use simpler passwords. I have lots and lots of these less secure, but still decent quality, passwords. Since I can't remember them all in my head, I store them in the "KeePass" application.

Since you are using KeePass, why don't you let it generate strong passwords for you? Your ".es7rug3rm8g" is 75 bits, which is much better than "correcthorsebatterystaple", but KeePass routinely gives me over 128 bits.
_________________________
Quality is addictive.
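The arithmetic behind Brangdon's two posts above, as an added example that is not part of the thread: entropy of a word-list passphrase versus a generator-produced string, the time to exhaust the space at a given guess rate, and why trying every shorter length first barely adds to the cost. The 2048-word list (exactly 11 bits per word), the 1000 and 10^9 guesses-per-second rates, and the 94-symbol printable-ASCII alphabet are assumptions taken from the posts or chosen for illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_bits(words: int, dictionary_size: int) -> float:
    """Entropy of `words` words chosen uniformly from a list of `dictionary_size`."""
    return words * math.log2(dictionary_size)


def random_string_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a generator-produced string of `length` symbols from an alphabet."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Shortest generator output that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate of a `bits`-bit space."""
    return 2.0 ** bits / guesses_per_second


def variable_length_overhead(max_words: int, dictionary_size: int) -> float:
    """Cost of trying every length 1..max_words, relative to max_words alone.

    sum_{k=1..n} N^k / N^n = 1 + 1/N + 1/N^2 + ... which is barely above 1
    for any realistic word list, so not knowing the length hardly helps.
    """
    total = sum(dictionary_size ** k for k in range(1, max_words + 1))
    return total / dictionary_size ** max_words


def main() -> None:
    # Assumed figures from the posts: four words, 2^11 = 2048-word list.
    bits = passphrase_bits(4, 2048)
    print(f"4 words from 2048: {bits:.1f} bits")
    for rate in (1e3, 1e9):
        secs = seconds_to_exhaust(bits, rate)
        print(f"  at {rate:.0e} guesses/s: {secs / 3600:.1f} hours"
              f" = {secs / SECONDS_PER_YEAR:.0f} years")
    print(f"overhead of also trying 1- and 2-word candidates: "
          f"{variable_length_overhead(3, 2048):.6f}x")
    # Assumed 94 printable ASCII symbols: generator length needed for 128 bits.
    print(f"length for 128 bits from 94 symbols: {length_for_bits(128, 94)}")


if __name__ == "__main__":
    main()
```

With the rounder 2000-word list the passphrase comes out at 43.9 bits and about 507 years at 1000 guesses per second, so the "550 years" figure depends on the 11-bit rounding.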
#269038 - 04/13/14 06:06 PM
Re: Might be time to change your passwords
[Re: Brangdon]
Pooh-Bah
Registered: 04/01/10
Posts: 1629
Loc: Northern California
[DELETE]
_________________________
If you're reading this, it's too late.