Heartbleed Bug shows why you should change passwords regularly


  • Uxb
    Uxb Posts: 1,340 Forumite
    dkmax wrote: »
    Anyone asserting that open source software is ipso facto more secure than proprietary software is an idiot. While wider access to source code does enable potentially greater scrutiny, it does not guarantee that greater scrutiny is actually being applied nor does it ensure that the requisite skill levels are brought to the code inspection and testing process.

    I had thought that such claims had been put to bed many years ago.


    Sadly not.
    There is a thread running on the Kitz forum on this latest debacle where this is being claimed even today.
    A few others have begged to differ saying much as you have done above but the Linux crowd who worship at the altar of open source promptly jump in and squash any such replies.
  • DJBenson
    DJBenson Posts: 448 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    Yes. As soon as the discovery of the Heartbleed bug was made public on 8 April, we ran comprehensive tests on all our systems.

    No user information from either the forum or our Energy Club was found to be vulnerable.

    As viruses and new threats are always emerging, we continuously monitor our systems to ensure data is safe.

    The scary thing about the Heartbleed vulnerability was the fact that a breach was entirely undetectable - so whilst sites could say for certain they weren't affected (those that don't use OpenSSL or use a later version that is known not to be vulnerable) those that did and were could not prove that data was or wasn't stolen - the hacker could quietly and covertly extract data from a server in 64k chunks until they had enough to make it worth their while.

    Shocking to think this vulnerability was first noticed around 3 years ago and nothing was done about it!
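The "64k chunks" in the post above come from the 16-bit payload length field in a TLS heartbeat message: a vulnerable server copied as many bytes as the sender declared, not as many as it had received. The following validator is an added illustration of the missing bounds check, written for this page and not taken from OpenSSL or the forum; the message layout follows RFC 6520 (type, length, payload, at least 16 bytes of padding), and the sample records in the test are constructed.

```python
import os
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3     # 1-byte type + 2-byte payload_length
MIN_PADDING = 16   # RFC 6520 requires at least 16 bytes of padding
MAX_PAYLOAD = 0xFFFF  # 16-bit length field: the "64k" ceiling per request


def parse_heartbeat(record: bytes):
    """Parse a heartbeat record body as a patched server must.

    Returns (msg_type, payload) for a well-formed message, or None when the
    declared payload_length does not fit inside the bytes actually received.
    Unpatched OpenSSL skipped this comparison and copied payload_length bytes
    out of its buffer regardless, which is how adjacent memory leaked.
    """
    if len(record) < HEADER_LEN + MIN_PADDING:
        return None  # too short to hold even an empty payload plus padding
    msg_type, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    # The check that was missing: header + declared payload + minimum
    # padding must not exceed what is really on the wire.
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        return None
    payload = record[HEADER_LEN:HEADER_LEN + payload_length]
    return msg_type, payload


def respond_to_heartbeat(record: bytes):
    """Echo a valid request back; drop anything parse_heartbeat rejects."""
    parsed = parse_heartbeat(record)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    payload = parsed[1]
    assert len(payload) <= MAX_PAYLOAD
    # Only bytes that were actually received are echoed, so the response
    # can never be larger than the request that produced it.
    return (struct.pack("!BH", HEARTBEAT_RESPONSE, len(payload))
            + payload + os.urandom(MIN_PADDING))
```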
  • RumRat
    RumRat Posts: 5,015 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Photogenic
    As most passwords are actually stolen from sites, and not your PC, it matters not how complicated the system for storing them is.
    As said, you might just as well write them in a book and keep it in an office drawer, as the chances of your house being burgled are less than your P/W being stolen.
    The only ones I memorise (also written down somewhere) are my banking ones (including PayPal), all others are left to LastPass.
    Drinking Rum before 10am makes you
    A PIRATE
    Not an Alcoholic...!
  • melbury
    melbury Posts: 13,251 Forumite
    Part of the Furniture 10,000 Posts Name Dropper I've been Money Tipped!
    edited 15 April 2014 at 7:37PM
    I don't ever let any sites remember me, so does this mean I am OK? (or just very naive?)

    Is it only social media sites that are compromised?
    Stopped smoking 27/12/2007, but could start again at any time :eek:

  • DJBenson
    DJBenson Posts: 448 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    melbury wrote: »
    I don't ever let any sites remember me, so does this mean I am OK? (or just very naive?)

    Sites don't "remember you" as such, your browser does. This problem is deeper than that: you could have been the most security conscious person and still been caught out by this. By simply being logged in to one of the compromised sites, your username, password and anything else held in the server memory would have been visible to the hacker.

    All you can do as an end-user is change your password - especially if you use the same combination across multiple sites...
  • frugal_mike
    frugal_mike Posts: 1,687 Forumite
    melbury wrote: »
    Is it only social media sites that are compromised?

    No, it's definitely not only social media sites. It was a serious problem in a piece of low level software called OpenSSL that is used for SSL and TLS connections on the internet (encrypted connections). Any website that used an affected version of OpenSSL will have had this problem, and there isn't anything any user of those sites could have done to prevent being vulnerable.

    I'm sure there are lists of affected servers out on the Internet somewhere if you search for it so you'll see if there are any sites you use.
  • DJBenson
    DJBenson Posts: 448 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    The following was posted on Mashable giving some of the more high-profile sites that were affected;

    http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
  • It's not passwords you need to change regularly; what you need to do is use a different password on every site you use.
  • System
    System Posts: 178,349 Community Admin
    10,000 Posts Photogenic Name Dropper
    It's not passwords you need to change regularly; what you need to do is use a different password on every site you use.

    Yep, this.

    The title of this story is really misleading. With Heartbleed, changing your passwords often is the worst thing you can do, as an attacker will be more likely to capture your password during the change - and now they have both your old and new password, where they had nothing before.

    Further, frequent password changes encourage people to pick weak and easily guessable passwords.

    What you need is a different password for every site - and to change it when advised to by the site operator, after they've fixed their SSL.
    This is a system account and does not represent a real person. To contact the Forum Team email forumteam@moneysavingexpert.com
  • anotheruser
    anotheruser Posts: 3,485 Forumite
    Ninth Anniversary 1,000 Posts Name Dropper I've been Money Tipped!
    edited 19 April 2014 at 11:08AM
    When testing a password I'd recommend not typing in your exact password - perhaps a variation of it with the same mix of characters and numbers.
    Not that the website can track what sites that password is for.... as well as all the other millions of passwords being typed in at the same time. Nor can it remember what was typed.

    The problem is, if you add in numbers or characters then it changes the whole meaning of the process as your password would be more secure.
    Therefore someone with a weak password may assume it is more secure than it really is.
    "If you don't trust the site, don't use it" is the best philosophy :)


    Although I am pretty relaxed when it comes to security.
    My passwords are stored in a simple notepad file, named something completely unusual. The contents contain no real identifiable way to link the websites to the passwords.
    If you're going to "hack" usernames/passwords, you would target the programs that store those usernames/passwords.

    While some people are just plain naive, others make far too much effort in storing usernames and passwords for stuff that just isn't important... like forums for example.
    Sites that require stronger passwords, like banks, will force you to have strong passwords.