Thursday, 10 April 2014

Heartbleed - time to visit the thorny topic of passwords again...



If you remember, we had a chat (well, I had a rant) about passwords when Kickstarter had their user DB hacked a while back. Go read it again: I'll wait.

Just in case you've not been following the news of late, here's a very good reason to change your passwords. Herewith the non-techie explanation:

security hole[1] in some versions of the software that handles secure web connections has just been announced. In a nutshell, it's a programming error that allows a lovingly hand-crafted web request to undetectably coax a server into returning some of the contents of its internal memory. That internal memory is likely to contain recent unencrypted traffic - i.e. anything that passes from a browser to the site or vice versa. Session cookies. Passwords.

The bug has been out in the wild since the 14th of March 2012.

Of course, this isn't to say that someone has exploited it. But we (wearing my IT security hat here) have no way of knowing at the server end if they have done[2]

Not all sites are vulnerable (sites running on Microsoft software, sites with an older version of the software, for example). Many of the key ones were forewarned a couple of days before the vulnerability was announced, and it is an easy fix - just upgrade the software.

But:

Now would be a good time to go change your passwords. Just in case. (And Mashable has a list of which sites you should do it on NOW and which you should wait... which I hope is being actively updated.)

And as an aside, I have to admit now is about the time I'm seriously considering moving to a password manager that will generate and remember high-complexity passwords for me.

[1] leads to more technical explanation.
[2] but we can tell if a site is vulnerable. This list is interested on that score. Also, the password app LastPass now tells you if the site you're about to change your password on has been fixed yet, and thus, whether it's worth bothering yet.

4 comments:

  1. OK - I know this is not an IT blog but a Wargaming Blog - but...

    In the "domestic" environment, how do you stay secure but still allow your loved ones to access you bank accounts, ISP account, TV package, emails and other resources (especially when although you are the Accountholder/Administrator they are a household resource) in the unfortunate event of your "unavailability"?

    Oh and one more question - do I need to change my Forum password?

    ReplyDelete
    Replies
    1. If they can't link multiple logins to a single account, they don't deserve your business. Sharing passwords is even worse than sharing computers.

      (This may be considered an extreme position.)

      Delete
  2. But if you change your password on a site that hadn't fixed the bug yet then you are still vulnerable...aren't you?

    ReplyDelete

Views and opinions expressed here are those of the commenter, not mine. I reserve the right to delete comments if I consider them unacceptable.

If you don't have a Google account, but do have a Yahoo! or LiveJournal account, read this post, which will explain how you can comment using that ID.

Comments on posts older than 7 days will go into a moderation queue.

Related Posts Plugin for WordPress, Blogger...