Regarding password security

FG-administator
Posts: 957
Joined: Wed Dec 22, 2010 10:35 pm

Regarding password security

Post by FG-administator »

I note the article on today's BBC News website: Heartbleed Bug: Public urged to reset all passwords

As might have been predicted, the deliberately alarmist title is so inaccurate as to be bogus claptrap. The security breach relates only to sites offering https, and ForumGarden along with most websites doesn't. No ForumGarden password is compromised as a result of this particular coding flaw.

As for banking or email sites I suggest members check whether they have a problem by looking up specific https websites at https://www.ssllabs.com/ssltest/index.html


☎|||||||||||

Who has a spare two minutes a day to play in this month's FG Trivia game!



Your satisfactory is our goals
Snowfire
Posts: 4835
Joined: Wed Mar 11, 2009 9:34 am

Regarding password security

Post by Snowfire »

That would include Facebook and email (outlook)
"He has all the virtues I dislike and none of the vices I admire."

Winston Churchill
LarsMac
Posts: 13701
Joined: Fri Nov 27, 2009 9:11 pm
Location: on the open road

Regarding password security

Post by LarsMac »

So, the consensus seems to be that going back and changing your password, just now, would probably be a bad idea, because it would increase the chance that your information would be in the memory cache when someone drops in and gathers the data.

Simplest thing to do is NOT sign in to those sites until they have applied the fix on the server. THEN go around and change passwords.

Avoiding Heartbleed Hype, What To Do To Stay Safe - Forbes



There are complex conditions as to whether your data may or may not have been retrieved, and you should assume details like passwords may have been stolen, but a blind reset of everything could actually make it more likely that you lose your details. You need to reset passwords once a provider has patched.
The home of the soul is the Open Road.
- DH Lawrence
FG-administator
Posts: 957
Joined: Wed Dec 22, 2010 10:35 pm

Regarding password security

Post by FG-administator »

There may somewhere still be a https website which hasn't patched OpenSSL among the original 17% of those which were vulnerable, but I think you'd be hard pressed to find it. It's a pretty safe bet that resetting those passwords today would be a good idea. I had a happy hour yesterday changing those on my email and banking accounts.

I'd guess that 99% of all stolen passwords are taken from client computers by malign software installed after their witless owners have either given permission or operated without adequate virus protection. The first line of defense for practically everyone on the planet ought to be a factory reset of their home computer. I'd not trust my smartphone with a financially-sensitive password either, because I have no idea at all how a smartphone can be expected to protect it.

FG-administator
Posts: 957
Joined: Wed Dec 22, 2010 10:35 pm

Regarding password security

Post by FG-administator »

LarsMac;1451720 wrote: Avoiding Heartbleed Hype, What To Do To Stay Safe - Forbes


I've just read James Lyne's earlier article on passwords at Yahoo Hacked And How To Protect Your Passwords - Forbes

I take issue with some of the things he says. Under "Avoid using the same password across multiple sites [...] I know this presents a memory challenge", for example - no no no. There is no excuse ever for remembering a password. If a password can be remembered then it's a piss-poor password by definition. No password should ever have to be typed or people will skimp and make an easily-typeable password.

Given which, I note that PayPal (among other sites) has a shockingly dreadful policy of not permitting new passwords to be pasted into their password change form. That means every PayPal password HAS to be typed (twice - once for confirmation) whenever it's changed. That's an atrocious policy which seems designed to get people to use weak passwords; PayPal should be ashamed of themselves.

James Lyne mentions restricted password length in passing, but it's commonplace across the Internet and abysmal practice. There is no excuse whatever for restricting the customer's choice of password length, and (from recent experience) I've hit boundaries at 26, 24, 21, 18, 16 characters where the limits could all reasonably be, say, 250. The shortest maximum I've hit this year is a 6 character password limit on, of all places, the UK Government Gateway! Why are these web implementors doing such incredibly stupid things? Very few sites actually allow me to use the default password length my own password generator is set to, 48 characters. I'm constantly having to trim passwords down to the point where a website will accept them.

His point about lying to questions like "what school did you attend" is vital. Personally I just drag another entry out of my password generator to answer any such question because the answer needs to be no less secure than the password itself, since it can be used to unlock the account.

And yes, of course everyone ought to be using a password manager of some sort. Remembering passwords is a shortcut to skimping; the end results will either be guessable if there's a pattern, or too short, or re-used on multiple sites.

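The post above argues that a site gains nothing by capping password length at 26, 24, 21, 18, 16 or 6 characters when a generous ceiling such as 250 would do, and that security-question answers deserve generator output too. The following added example (not code from the thread or from any of the sites named) shows a length-only policy that accepts a 48-character generated password, which of the reported limits would reject it, and that a modern KDF (scrypt, chosen here as an assumption) takes input of any length and returns a fixed-size digest, so storage gives no reason for a low cap.

```python
import hashlib
import hmac
import secrets
import string
from typing import List, Optional, Tuple

ALPHABET = string.ascii_letters + string.digits + string.punctuation
REPORTED_LIMITS = (26, 24, 21, 18, 16, 6)   # maximums the post reports hitting
SANE_LIMIT = 250                            # the post's suggested ceiling


def generate_password(length: int = 48) -> str:
    """Draw from the OS CSPRNG; 48 is the post's generator default.
    Also use this for security-question answers, which unlock the account."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def check_policy(password: str, min_len: int = 12,
                 max_len: int = SANE_LIMIT) -> Tuple[bool, str]:
    """Length-only policy: a floor for entropy, a generous ceiling so that
    manager-generated passwords are never trimmed. No composition rules."""
    if len(password) < min_len:
        return False, f"shorter than {min_len}"
    if len(password) > max_len:
        return False, f"longer than {max_len}"
    return True, "ok"


def rejecting_limits(password: str, limits=REPORTED_LIMITS) -> List[int]:
    """Which of the reported site maximums would refuse this password?"""
    return [lim for lim in limits if not check_policy(password, max_len=lim)[0]]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """scrypt accepts any input length and always yields dklen bytes, so the
    stored record is the same size for a 6-char or a 200-char password.
    (bcrypt, by contrast, silently truncates at 72 bytes.)"""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    pw = generate_password()                   # 48 characters
    print(check_policy(pw), rejecting_limits(pw))
    salt, digest = hash_password(pw)
    print(verify_password(pw, salt, digest))
```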