Heartbleed Bug shows why you should change passwords regularly
Comments
Yes - the effort is going to put most people off. Me included. Anyway "my account must have been hacked" is a good excuse the next time I make a stupid post...
...and it also shows why open source software is not necessarily more secure than proprietary stuff.
Anyone asserting that open source software is ipso facto more secure than proprietary software is an idiot. While wider access to source code does enable potentially greater scrutiny, it does not guarantee that greater scrutiny is actually being applied, nor does it ensure that the requisite skill levels are brought to the code inspection and testing process.
I had thought that such claims had been put to bed many years ago.
Having an interest in Internet security, there was a section of that news article that concerned me:

"For users of the MSE forum, we strengthened the registration requirements and prompted several hundred of you with weak passwords to change it a few months ago.
If your password was deemed to be risky, you will have received a private message advising you to change it. If you didn't act after reading the message, then we suggest you change your password immediately."

Passwords should be stored in such a way (hashed) that it is impossible to tell anything about the entered password from the form in which it is stored. The fact that you can tell that a stored password is weak highlights that they're not being stored properly. It's fine to have a check on the web page to warn that a newly entered password is weak, but it shouldn't be possible to do this afterwards. Once the passwords have been hashed and stored, there should be no way of telling the difference between "password" and "FS78£&-dD7g6F50@aJ£>g".
At worst, MSE is storing the passwords in plain text. At best, maybe just encrypted (very bad practice - passwords should be hashed) where they can decrypt them to check for strength.
You may think it's no big deal because this is just a chat forum, not something like a financial site. The unfortunate fact, though, is that many people share passwords between many sites. If a hacker gets a dump of usernames and passwords from MSE, one of the first things they'll do is try the same logins on PayPal and anywhere else they can potentially steal something from.
Please look at your security, MSE!
In the meantime, if any users use the same password on MSE and somewhere more sensitive/important, please change it!
SadGamerGeek wrote:
"The fact that you can tell that a stored password is weak highlights they're not being stored properly."

There are a number of websites that list insecure passwords such as 123456, password, letmein, etc. All you need to do to check your users aren't using those is to compare the hashes of them with the users' stored hashes.
Not much different to people getting passwords out of you or stealing keys by brute force currently.

I worked on a construction site using fingerprint technology for site security.
A couple of fingerprints from each hand were scanned and saved.
The problem was, prints were scanned in a warm office; after a day's work your fingerprints couldn't be read due to hands being cold or wet or sweaty.
We tried wiping hands, washing hands in warm water, but nothing was ever reliable.
Also worked on a site where they used facial recognition cameras, in combination with a PIN; totally unreliable.
Nothing like being locked in the site by the system when you need to get off site to use the toilet! :rotfl:
Sounds annoying, but has technology advanced since then?
TouchID on my iPhone 5s works about 95% of the time. If I haven't dried my hands properly after washing and there are visible water droplets then it won't work, but apart from that there aren't really any problems!

What will your verse be?
R.I.P Robin Williams.
Quote:
"Sounds annoying, but has technology advanced since then?
TouchID on my iPhone 5s works about 95% of the time. If I haven't dried my hands properly after washing and there are visible water droplets then it won't work, but apart from that there aren't really any problems!"

If your hands were cold, the print reader would not work; holding them over a heater didn't work, the heat has to come from within.
Think also wrinkled skin from spending too long in the bath.
If you have to continually pass through a security gate, with delays, then time wasted really mounts up with 50+ workers on site.

Move along, nothing to see.
I'm talking less than 12 months ago.

Quote:
"If your hands were cold, the print reader would not work; holding them over a heater didn't work, the heat has to come from within.
Think also wrinkled skin from spending too long in the bath.
If you have to continually pass through a security gate, with delays, then time wasted really mounts up with 50+ workers on site."

Again, my iPhone 5s doesn't suffer from these problems: cold hands, fine; wrinkled fingers, also fine. Muddy fingers can be a problem (understandably).
Perhaps the tech used on yours just wasn't any good?

What will your verse be?
R.I.P Robin Williams.
Mythbusters tested a print lock on a door & cracked it easily using 3 different ways.
I'd hope iphone tech was a bit more advanced, but it isn't a fair comparison with a public door.
A colleague is posting about the hassle of the bit of paper with new passwords on Facebook. As her local techie, I'm appalled. Her mates are about as security aware as she is. Heartbleed is not the only risk...
SadGamerGeek wrote:
"Having an interest in Internet security, there was a section of that news article that concerned me:
Passwords should be stored in such a way (hashed) that it is impossible to tell anything about the entered password from the form it is stored."

It's trivial to check a set of hashed passwords for weak ones. You take a large corpus of passwords, hash them (potentially many times, of course, if the set you're checking is properly salted) and look for the matches with the hashed set you're trying to crack. If you have a million users, each with a unique salt, and a corpus of a million weak passwords, you need to perform (worst case) 10^12 hashes in order to check for weaknesses. If you're really keen, you'd turn over to the task that ASIC rig your mad younger brother bought for mining Bitcoins and take, oh, 0.5s on your CoinTerra TerraMiner IV. $6000 seems pretty small change to be able to test a million users against a million candidate passwords in half a second. If the set you're matching against is using an iterated hash, then it'll take that many iterations longer: some derivation functions use 1000 iterations, so it would take about 8 minutes. Maybe I'm waving my hands slightly over the difference between Bitcoin's use of SHA256 and your local password hashing function; maybe I'm off by a factor of a hundred and it takes about 12 hours. Whatever. It's hardly difficult.
If the bad guys have a hash of your password, then brute-forcing it is currently possible at a rate of probably around 10^12 per second. Figuring out how long a truly random password is required to be to resist that attack ($6000 of hardware, so every self-respecting bad boy will have one) is left as an exercise for the reader.
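Editor's note: the two posts above (the "compare the hashes of known-weak passwords with the users' stored hashes" reply and the cost estimate just above) describe the same technique. The following is an added worked example, not code posted by anyone in this thread and not MSE's own code. It assumes PBKDF2-HMAC-SHA256 with a per-user 16-byte salt and 1000 iterations as the storage scheme, and the user table, wordlist and 94-character printable-ASCII alphabet are constructed for the demo.

```python
# Added example (not from the forum thread): an offline audit of salted,
# iterated password hashes against a wordlist of known-weak passwords, plus
# the cost arithmetic from the post above. PBKDF2-HMAC-SHA256 with 1000
# iterations is an assumed scheme; the sample users and wordlist are constructed.
import hashlib
import hmac
import os

ITERATIONS = 1000  # assumed iteration count; real deployments use far more

# Constructed sample data: two weak passwords, one strong one.
SAMPLE_CREDENTIALS = {
    "alice": "password",
    "bob": "FS78-dD7g6F50@aJg",  # not in any wordlist
    "carol": "letmein",
}
WEAK_WORDLIST = ["123456", "password", "letmein", "qwerty"]


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the stored verifier: PBKDF2-HMAC-SHA256 over a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user_table(credentials: dict) -> dict:
    """Simulate registration: each user gets a random 16-byte salt and a hash.
    Nothing about the plaintext is recoverable from the table on its own."""
    table = {}
    for user, password in credentials.items():
        salt = os.urandom(16)
        table[user] = (salt, hash_password(password, salt))
    return table


def audit_weak_passwords(table: dict, wordlist: list) -> dict:
    """Find users whose password is in the wordlist without ever seeing
    plaintext: re-hash every candidate under each user's salt and compare.
    Work is len(table) * len(wordlist) * ITERATIONS hash computations, which
    is why salts and iteration counts only raise the cost, not stop the check."""
    hits = {}
    for user, (salt, stored) in table.items():
        for candidate in wordlist:
            if hmac.compare_digest(hash_password(candidate, salt), stored):
                hits[user] = candidate
                break
    return hits


def hashes_required(users: int, candidates: int, iterations: int = 1) -> int:
    """Worst-case work for the audit above when every user has a unique salt."""
    return users * candidates * iterations


def min_random_length(alphabet_size: int, hashes_per_second: int, seconds: int) -> int:
    """Smallest length of a uniformly random password over an alphabet of the
    given size whose full keyspace cannot be exhausted in `seconds` at the
    given rate (the 'exercise for the reader' from the post above)."""
    budget = hashes_per_second * seconds
    length = 1
    while alphabet_size ** length <= budget:
        length += 1
    return length


if __name__ == "__main__":
    table = make_user_table(SAMPLE_CREDENTIALS)
    print("weak:", audit_weak_passwords(table, WEAK_WORDLIST))
    print("hashes for 1M users x 1M candidates:", hashes_required(10**6, 10**6))
    print("with 1000 iterations:", hashes_required(10**6, 10**6, ITERATIONS))
    century = 100 * 365 * 86400
    print("random length to outlast 10^12/s for a century (94-char alphabet):",
          min_random_length(94, 10**12, century))
```

The audit flags alice and carol and says nothing about bob, so a site holding only salted hashes can still legitimately warn users with weak passwords, which is the point the reply makes. At 10^12 hashes per second against a 94-character alphabet, 11 uniformly random characters are enough that the whole keyspace cannot be swept in a century; anything chosen from a dictionary is found by the audit loop regardless of length.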
The banks' branches could become important again as a haven of security. They can put in private networks inaccessible from the Internet. They could charge extra for extra security, so important and big-sum transactions are actioned by bank staff, who check your identity manually.
From your mobile app, or home PC, they can limit you to view-only access. If you authorised it, payment to preset destinations only, below the maximum you agreed to.