Equipped To Survive Equipped To Survive® Presents
The Survival Forum
Where do you want to go on ETS?

Page 4 of 10 < 1 2 3 4 5 6 ... 9 10 >
Topic Options
#268995 - 04/11/14 06:04 PM Re: Might be time to change your passwords [Re: Arney]
haertig Offline
Pooh-Bah

Registered: 03/13/05
Posts: 2322
Loc: Colorado
Originally Posted By: chaosmagnet
I'm afraid you're incorrect. This vulnerability is being exploited in the wild.

Quote:
“While there have not been any reported attacks or malicious incidents involving this particular vulnerability at this time, it is still possible that malicious actors in cyberspace could exploit un-patched systems,” the department said in a statement.

http://www.foxnews.com/tech/2014/04/11/h...b-use-dhs-says/

DHS is saying that there have not been any reported attacks or incidents involving Heartbleed. So I wonder what the real truth is, has this bug been exploited or not? Not that I trust anything DHS would say all that much...

Top
#268997 - 04/11/14 08:13 PM Re: Might be time to change your passwords [Re: haertig]
MostlyHarmless Offline
Old Hand

Registered: 06/03/09
Posts: 982
Loc: Norway
Originally Posted By: haertig

DHS is saying that there have not been any reported attacks or incidents involving Heartbleed. So I wonder what the real truth is, has this bug been exploited or not?


Nobody knows: Exploiting the vulnerability leaves no trail in the system being tapped.

Top
#268999 - 04/11/14 09:30 PM Re: Might be time to change your passwords [Re: haertig]
chaosmagnet Offline
Sheriff
Carpal Tunnel

Registered: 12/03/09
Posts: 3819
Loc: USA
Originally Posted By: haertig
DHS is saying that there have not been any reported attacks or incidents involving Heartbleed. So I wonder what the real truth is, has this bug been exploited or not? Not that I trust anything DHS would say all that much...


I have a non-zero number of customers who were attacked. There are public reports of attacks at http://www.theregister.co.uk/2014/04/11/hackers_hammering_heartbleed/, http://news.yahoo.com/u-government-warns-potential-attacks-heartbleed-bug-135137709--sector.html and other places.

Top
#269001 - 04/11/14 09:32 PM Re: Might be time to change your passwords [Re: MostlyHarmless]
chaosmagnet Offline
Sheriff
Carpal Tunnel

Registered: 12/03/09
Posts: 3819
Loc: USA
Originally Posted By: MostlyHarmless
Nobody knows: Exploiting the vulnerability leaves no trail in the system being tapped.


The exploit itself does leave tracks, depending on the service's logs. Services using the OpenSSL libraries can be configured to not log the right information, however.

Top
#269002 - 04/11/14 09:56 PM Re: Might be time to change your passwords [Re: Arney]
chaosmagnet Offline
Sheriff
Carpal Tunnel

Registered: 12/03/09
Posts: 3819
Loc: USA
Originally Posted By: Arney
as long as you remember that the strength comes from the length, not the apparent "randomness" of the letters and numbers.


Again, this is not always true, depending on the sophistication of the attack.

Top
#269022 - 04/12/14 08:56 PM Re: Might be time to change your passwords [Re: ireckon]
Brangdon Offline
Veteran

Registered: 12/12/04
Posts: 1204
Loc: Nottingham, UK
Originally Posted By: ireckon
It's about time for me to get off my ass and finally implement better password security. I have about 100 computer-related logins that require a password. So, I need to think of a system that doesn't repeat a password but allows me to memorize at the same time. This is a daunting task.
The only sane approach is a password manager. I use KeePass. This will generate new passwords of whatever length or alphabet you want, and keep them in a database. The database is encrypted, so you can back it up to non-secure locations. I use DropBox as an off-site backup and as a way of replicating the database to a variety of devices - desktop, tablet, phone. I have to remember the KeePass master password (which is a long, nonsensical phrase), and the DropBox password.

You can get add-ins for browsers that will attempt to recognise web pages and enter the correct password for you. I found they weren't reliable enough, and they also mean having the database open all the time you are browsing, so now I just copy and past between KeePass and the browser as needed. No-one shares my machine so I don't mind leaving websites logged in, so I don't need passwords every time.

I actually keep two password databases. The second one makes low security passwords more convenient. It has an easier master password that I can type quickly, and I don't mind leaving it open for extended periods. I use it for websites that don't have much at stake, especially forums.

There are several other password managers. I like KeePass because it is open source, and stores its password database locally. Some others store their database online, which means you can get to it from any device, but I think means you have to trust them more. Whatever you use, it should give you strong passwords that you don't need to memorise, and it avoids you ever having to reuse passwords. Just make sure you don't lose that password database or forget the master password.
_________________________
Quality is addictive.

Top
#269023 - 04/12/14 09:14 PM Re: Might be time to change your passwords [Re: ireckon]
Brangdon Offline
Veteran

Registered: 12/12/04
Posts: 1204
Loc: Nottingham, UK
Originally Posted By: ireckon
A dictionary attack to get "correcthorsebatterystaple" would consider about 200,000^4 combinations of words. How long would that take?
The answer is in the picture. It is not 200,000^4 combinations because those words are so common. If you look at his numbers, he is only claiming 11 bits of randomness per word, which means a dictionary of about 2000 words. 44 bits of randomness altogether. 550 years at 1000 guesses per second. In practice they can be a million times faster. It's only 5 hours at a billion guesses a second, and if they have a big cluster of GPUs or a botnet they could be hundreds of times faster than that.

Upshot is that 4 random words, 44 bits, isn't enough nowadays. It's better than Tr0ub4dor&3, but that's not saying much.

Quote:
It would actually be more combinations than that because the hack doesn't know how many words to consider (e.g., 1 word or 9 words?)
That doesn't make as much difference as you might expect. Checking all one word passwords, then all two word, then all three word, doesn't take much longer than checking all three word passwords because there are 2000 times as many three word passwords as two word ones.
_________________________
Quality is addictive.

Top
#269024 - 04/12/14 09:24 PM Re: Might be time to change your passwords [Re: haertig]
Brangdon Offline
Veteran

Registered: 12/12/04
Posts: 1204
Loc: Nottingham, UK
Originally Posted By: haertig
I replace letters/numbers with their "equivalent". e.g., e with 3, s with 5, a with 8, l with 1, o with 0, etc. I do it both ways ... so e with 3 and 3 with e.
Then I alternate holding the <shift> key down to capitalize every other keystroke
Those kinds of transformations are known to hackers and easy to automate. There's a good (if long) article about hacking that kind of rule-based password on Ars Technica.

Quote:
But for passwords for the less critical stuff, say for my login here on ETS, I use simpler passwords. I have lots and lots of these less secure, but still decent quality, passwords. Since I can't remember them all in my head, I store them in the "KeePass" application.
Since you are using KeePass, why don't you let it generate strong passwords for you? Your ".es7rug3rm8g" is 75 bits, which is much better than "correcthorsebatterystaple", but KeePass routinely gives me over 128 bits.
_________________________
Quality is addictive.

Top
#269036 - 04/13/14 04:05 PM Re: Might be time to change your passwords [Re: Mark_R]
ireckon Offline
Pooh-Bah

Registered: 04/01/10
Posts: 1629
Loc: Northern California
Apparently, the NSA knew about Heartbleed bug and took advantage of it, but the NSA denies the charge.

http://gigaom.com/2014/04/11/nsa-knew-about-devastating-heartbleed-bug-and-used-it/
_________________________
If you're reading this, it's too late.

Top
#269038 - 04/13/14 06:06 PM Re: Might be time to change your passwords [Re: Brangdon]
ireckon Offline
Pooh-Bah

Registered: 04/01/10
Posts: 1629
Loc: Northern California
[DELETE]
_________________________
If you're reading this, it's too late.

Top
Page 4 of 10 < 1 2 3 4 5 6 ... 9 10 >



Moderator:  Alan_Romania, Blast, chaosmagnet, cliff 
March
Su M Tu W Th F Sa
1 2
3 4 5 6 7 8 9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29 30
31
Who's Online
0 registered (), 456 Guests and 71 Spiders online.
Key: Admin, Global Mod, Mod
Newest Members
GallenR, Jeebo, NicholasMarshall, Yadav, BenFoakes
5367 Registered Users
Newest Posts
What did you do today to prepare?
by dougwalkabout
03/27/24 11:21 PM
Zippo Butane Inserts
by dougwalkabout
03/27/24 11:11 PM
Question about a "Backyard Mutitool"
by Ren
03/17/24 01:00 AM
Problem in my WhatsApp configuration
by Chisel
03/09/24 01:55 PM
New Madrid Seismic Zone
by Jeanette_Isabelle
03/04/24 02:44 PM
EDC Reduction
by EchoingLaugh
03/02/24 04:12 PM
Newest Images
Tiny knife / wrench
Handmade knives
2"x2" Glass Signal Mirror, Retroreflective Mesh
Trade School Tool Kit
My Pocket Kit
Glossary
Test

WARNING & DISCLAIMER: SELECT AND USE OUTDOORS AND SURVIVAL EQUIPMENT, SUPPLIES AND TECHNIQUES AT YOUR OWN RISK. Information posted on this forum is not reviewed for accuracy and may not be reliable, use at your own risk. Please review the full WARNING & DISCLAIMER about information on this site.