Bay 12 Games Forum

Please login or register.

Login with username, password and session length
Advanced search  
Pages: 1 [2] 3 4

Author Topic: Heartbleed Exploit - Most servers patched, but assume ALL passwords compromised  (Read 3425 times)

Willfor

  • Bay Watcher
  • The great magmaman adventurer. I do it for hugs.
    • View Profile

In an alternate timeline, this is the post that Muz would have posted:

Ok fine. I caved. I hacked this guy's password three years ago because it was just "password". He PMed me the next day and told me that I earned this account because he didn't deserve it. You've been talking to a fake Muz all these years.
Logged
In the wells of livestock vans with shells and garden sands /
Iron mixed with oxygen as per the laws of chemistry and chance /
A shape was roughly human, it was only roughly human /
Apparition eyes / Apparition eyes / Knock, apparition, knock / Eyes, apparition eyes /

IcyTea31

  • Bay Watcher
  • Studying functions and fiction
    • View Profile

In all seriousness and honesty, it's a good idea to change your passwords every so often, even if there isn't a massive security breach.
Logged
There is a world yet only seen by physicists and magicians.

Vector

  • Bay Watcher
    • View Profile

Frankly, there's just too freaking many, though. . . I'm going to have to start keeping a piece of paper in my purse or something, because I definitely can't remember a different password for so many different places : /
Logged
"The question of the usefulness of poetry arises only in periods of its decline, while in periods of its flowering, no one doubts its total uselessness." - Boris Pasternak

nonbinary/genderfluid/genderqueer renegade mathematician and mafia subforum limpet. please avoid quoting me.

pronouns: prefer neutral ones, others are fine. height: 5'3".

MorleyDev

  • Bay Watcher
  • "It is not enough for it to just work."
    • View Profile
    • MorleyDev

There are secure password ring services like LastPass, and there's ways to build your own on a USB stick. Also LastPass has a security check that points out if you've been exposed to any known breaches, so you can change the password. And apparently the design of LastPass made it so no important information could be leaked by Heartbleed anyway. Also makes changing passwords easier when they're all in one place.
« Last Edit: April 10, 2014, 07:41:46 am by MorleyDev »
Logged

Frumple

  • Bay Watcher
  • The Prettiest Kyuuki
    • View Profile

... doesn't that, like, defeat the purpose of having a password? Since you're kinda' giving them to an unaffiliated third party? Or writing it down... on paper or digital doesn't really matter. Either way you're creating something physical you can misplace or have stolen that instantly cracks everything you've put down...
Logged
Ask not!
What your country can hump for you.
Ask!
What you can hump for your country.

MorleyDev

  • Bay Watcher
  • "It is not enough for it to just work."
    • View Profile
    • MorleyDev

LastPass is one of the better third parties, just by design. It's more like renting some encrypted data storage from them. They don't actually have the means to decrypt the data on their end (though cracking is always an option). It's the slightly less secure, more likely to get handed to the NSA option (though the NSA will still need to break the encryption on the data), but still a decent option and for the average joe it's probably enough.

For the more security/privacy minded, the USB stick is also an option. The idea with creating a USB key is that you encrypt it with a very secure password you can remember, and then that password is all you ever need to remember. It's like putting the combination to your safe inside another safe.

Not as secure as keeping 50 different 128-bit UUIDs in your head, true. But a lot easier.

http://keepass.info/ is a good place to start with the USB stick option.
« Last Edit: April 10, 2014, 07:51:53 am by MorleyDev »
Logged

Strife26

  • Bay Watcher
    • View Profile

I just put all my passwords through a cypher and keep them in plaintext in my notebook. Little bit of work if I need to get at one, but I doubt that anyone is going to go through my stuff, find my notebook, and go through the trouble of hand decoding stuff
Logged
Even the avatars expire eventually.

ArchAIngel

  • Bay Watcher
  • Infested Pony
    • View Profile

Or just make a fuckhuge password. Mine is exactly 69 characters. My keyboard does 94 different symbols, so 94 power 69 is probably a safely large amount of stuff to crack.

MorleyDev

  • Bay Watcher
  • "It is not enough for it to just work."
    • View Profile
    • MorleyDev

A big password still doesn't solve the problem of password re-use, and password re-use is a much bigger security vulnerability than password leaks. It's a big, wide open single point of failure where any single failure can compromise the entire system.

Services like LastPass or programs like KeePass remove password re-use, and also if a keylogger or something does find it's way onto your machine then it can't actually get at your other passwords, only your KeePass or LastPass password. For LastPass, still a problem. But for KeePass, not as much since they still need access to your KeePass data store. And if that's only stored on your PC or a USB stick (with regular, encrypted backups) then they still need physical access to your machine.

KeePass and LastPass still represent single points of failure, but it's a lot more difficult to get them to fail in comparison. It's not about having perfect security, that's impossible, it's about making as many hurdles as you can for them to jump through. I tend to keep the 'unimportant' things in LastPass, forum passwords and the like, and the 'important' things in KeePass and regularly backed up to encrypted storage. But that's probably a bit paranoid.
« Last Edit: April 10, 2014, 08:53:42 am by MorleyDev »
Logged

palsch

  • Bay Watcher
    • View Profile

Also worth noting that KeyPass has very basic two-factor authorisation built in. You can generate a key file that needs to be present (or rather, accessible by the vault program) to unlock the vault. So if you have the vault stored on a computer you can require a second file saved to a USB key to access it, limiting even physical access attacks where they know your password.

LastPass offers some two-factor techniques but they all involve third party tools.


I'd also note that KeyPass might be better for gamers who might not have a browser open when logging onto games, and so trend towards less secure or repeat passwords for MMOs and similar.
Logged

Levi

  • Bay Watcher
  • Is a fish.
    • View Profile

I've been (slowly) migrating to using KeyPass lately as well.  Seems to work pretty good, and you can sync it via FTP, which is convenient for me.
Logged
Avid Gamer | Goldfish Enthusiast | Canadian | Professional Layabout

Bauglir

  • Bay Watcher
  • Let us make Good
    • View Profile

Yeah, I guess this is as good a reason as any to start using KeePass's password generation feature instead of reusing the same passwords. Farewell, System Shock 2 references!
Logged
In the days when Sussman was a novice, Minsky once came to him as he sat hacking at the PDP-6.
“What are you doing?”, asked Minsky. “I am training a randomly wired neural net to play Tic-Tac-Toe” Sussman replied. “Why is the net wired randomly?”, asked Minsky. “I do not want it to have any preconceptions of how to play”, Sussman said.
Minsky then shut his eyes. “Why do you close your eyes?”, Sussman asked his teacher.
“So that the room will be empty.”
At that moment, Sussman was enlightened.

kaijyuu

  • Bay Watcher
  • Hrm...
    • View Profile

* kaijyuu still uses the same randomized password he got like, 13 years ago from an online game's default password generator.
Logged
Quote from: Chesterton
For, in order that men should resist injustice, something more is necessary than that they should think injustice unpleasant. They must think injustice absurd; above all, they must think it startling. They must retain the violence of a virgin astonishment. When the pessimist looks at any infamy, it is to him, after all, only a repetition of the infamy of existence. But the optimist sees injustice as something discordant and unexpected, and it stings him into action.

Culise

  • Bay Watcher
  • General Nuisance
    • View Profile

* kaijyuu still uses the same randomized password he got like, 13 years ago from an online game's default password generator.
Oh, thank heavens, I'm not the only one.  Though mine was another online forum. ^_^
Logged

MorleyDev

  • Bay Watcher
  • "It is not enough for it to just work."
    • View Profile
    • MorleyDev

You can sync it via FTP.
sync it via FTP
via FTP.
FTP.

I trust you mean SFTP? FTP is as insecure as a....really really insecure thing. You send all your credentials and the files completely naked and visible to anybody in-between you and the server.
« Last Edit: April 10, 2014, 01:12:13 pm by MorleyDev »
Logged
Pages: 1 [2] 3 4