http://www.foxnews.com/tech/2014/04/11/h...b-use-dhs-says/

DHS is saying that there have not been any reported attacks or incidents involving Heartbleed. So I wonder what the real truth is, has this bug been exploited or not? Not that I trust anything DHS would say all that much...

Nobody knows: Exploiting the vulnerability leaves no trail in the system being tapped.

I have a non-zero number of customers who were attacked. There are public reports of attacks at http://www.theregister.co.uk/2014/04/11/hackers_hammering_heartbleed/, http://news.yahoo.com/u-government-warns-potential-attacks-heartbleed-bug-135137709--sector.html and other places.

The exploit itself does leave tracks, depending on the service's logs. Services using the OpenSSL libraries can be configured to not log the right information, however.

Again, this is not always true, depending on the sophistication of the attack.

The only sane approach is a password manager. I use KeePass. This will generate new passwords of whatever length or alphabet you want, and keep them in a database. The database is encrypted, so you can back it up to non-secure locations. I use DropBox as an off-site backup and as a way of replicating the database to a variety of devices - desktop, tablet, phone. I have to remember the KeePass master password (which is a long, nonsensical phrase), and the DropBox password.

You can get add-ins for browsers that will attempt to recognise web pages and enter the correct password for you. I found they weren't reliable enough, and they also mean having the database open all the time you are browsing, so now I just copy and past between KeePass and the browser as needed. No-one shares my machine so I don't mind leaving websites logged in, so I don't need passwords every time.

I actually keep two password databases. The second one makes low security passwords more convenient. It has an easier master password that I can type quickly, and I don't mind leaving it open for extended periods. I use it for websites that don't have much at stake, especially forums.

There are several other password managers. I like KeePass because it is open source, and stores its password database locally. Some others store their database online, which means you can get to it from any device, but I think means you have to trust them more. Whatever you use, it should give you strong passwords that you don't need to memorise, and it avoids you ever having to reuse passwords. Just make sure you don't lose that password database or forget the master password.

The answer is in the picture. It is not 200,000^4 combinations because those words are so common. If you look at his numbers, he is only claiming 11 bits of randomness per word, which means a dictionary of about 2000 words. 44 bits of randomness altogether. 550 years at 1000 guesses per second. In practice they can be a million times faster. It's only 5 hours at a billion guesses a second, and if they have a big cluster of GPUs or a botnet they could be hundreds of times faster than that.

Upshot is that 4 random words, 44 bits, isn't enough nowadays. It's better than Tr0ub4dor&3, but that's not saying much.

That doesn't make as much difference as you might expect. Checking all one word passwords, then all two word, then all three word, doesn't take much longer than checking all three word passwords because there are 2000 times as many three word passwords as two word ones.

Those kinds of transformations are known to hackers and easy to automate. There's a good (if long) article about hacking that kind of rule-based password on Ars Technica.

Since you are using KeePass, why don't you let it generate strong passwords for you? Your ".es7rug3rm8g" is 75 bits, which is much better than "correcthorsebatterystaple", but KeePass routinely gives me over 128 bits.

Apparently, the NSA knew about Heartbleed bug and took advantage of it, but the NSA denies the charge.

http://gigaom.com/2014/04/11/nsa-knew-about-devastating-heartbleed-bug-and-used-it/

[DELETE]