Heartbleed Bug shows why you should change passwords regularly 11 April 2014 at 3:34PM in Techie Stuff 42 replies 5.4K views

Former_MSE_Michael

"MoneySavingExpert.com wants to assure users that we've carried out a check of our systems following the Heartbleed Bug..."

Read the full story:

Heartbleed Bug shows why you should change passwords regularly



Click reply below to discuss. If you haven’t already, join the forum to reply. If you aren’t sure how it all works, read our New to Forum? Intro Guide.

mh1923

"Use a mixture of words, numbers and characters. Passwords can still be memorable even when you jumble up numbers and letters, for example: M0n3y5av7ng3xp3rt.c0m!"

This may have been sufficient security ten years ago, but not anymore. I don't think it's possible to be secure without a different completely random password for each website you use. And for that to work, you either need a notebook to physically write down each password, or a system such as Lastpass that remembers it for you.

Uxb

...and it also shows why open source software is not necessarily more secure than propriety stuff.
http://www.smh.com.au/it-pro/security-it/man-who-introduced-serious-heartbleed-security-flaw-denies-he-inserted-it-deliberately-20140410-zqta1.html

anotheruser

I use the same password for many things.

If someone manages to find another forum/website I visit, guess or crack my password and then lock me out of the account, I'll just open a new one. I use different usernames and all the forums I visit don't have any importance on my life, so I don't worry if I am suddenly locked out.

Banks have secure systems (secure enough for me anyway).

Amazon won't allow you to post to another address than one that is already stored with out entering payment details again, so that's fine too.

PayPal and Ebay both have secure-ish passwords and I'm not really worried about those either.

Most other sites, I either don't create an account or if I do, they will usuaully ask for the CV3 code anyway. Even if they don't, Mastercard/Visa have their password verification anyway.

The password I use most frequently, apparently would be cracked instantly and is "IN THE TOP 3600 MOST USED PASSWORDS"

However my most secure password would take "26 million years" to crack. A variation of it would take 37 but I doubt the computer program would try for even 36 years so I'd consider that safe.
PayPal password would take 19 years, that's still a very long time.

https://howsecureismypassword.net/

tafelmoneysaver

anotheruser wrote: »

https://howsecureismypassword.net/

When testing a password I'd recommend not typing in your exact password - Perhaps a variation of it with the same mix of characters and numbers.

So if really must enter your password into a completely random website and your password is "password" at least type something like "drowssap" into the test box.

Sooler

anotheruser wrote: »

However my most secure password would take "26 million years" to crack. A variation of it would take 37 but I doubt the computer program would try for even 36 years so I'd consider that safe.
PayPal password would take 19 years, that's still a very long time.

They could of course be possibly guessed correctly on the first attempt!

abibee

Lastpass is the best policy in my opinion, for most sites. But for my banking and main e-mail I don't even trust Lastpass company (though I'm sure they're trustworthy), and have strong ones committed to memory.

bobblebob

2 step verification seems the most secure way. Even if someone knows your username and password, they still cant get access without your phone

Jivesinger

bobblebob wrote: »

2 step verification seems the most secure way. Even if someone knows your username and password, they still cant get access without your phone

... and even if they used something like Heartbleed to read the code you entered with 2-step verification as well as your password, that code only works for a very short period of time. So 2-step verification does seem to be a good thing.

The idea of a password that you remember is pretty much doomed.

There are too many websites, and too many hackers cracking them (which means you need a different password for every website so once one is hacked, you haven't lost them all).

The password-cracking power of computers is increasing while the password-remembering power of the human brain is sadly pretty fixed.

It won't be many years before we're all carrying around something like a 2-step verification gizmo for everything, and probably not many more years before they just get implanted in our bodies!

bobblebob

It won't be many years before we're all carrying around something like a 2-step verification gizmo for everything, and probably not many more years before they just get implanted in our bodies!

We do already, its a mobile phone

neilwoods

Jivesinger wrote: »

It won't be many years before we're all carrying around something like a 2-step verification gizmo for everything, and probably not many more years before they just get implanted in our bodies!

As already mentioned, mobile phone. Plus HSBC use a 2 step, with a small device that looks like a small calculator. Maybe other banks use them as well