
Thread: Regarding password security

  1. #1
    Administrator
    Join Date
    Dec 2010
    Posts
    955

    Regarding password security

    I note the article on today's BBC News website: Heartbleed Bug: Public urged to reset all passwords

    As might have been predicted, the deliberately alarmist title is so inaccurate as to be bogus claptrap. The security breach relates only to sites offering https, and ForumGarden along with most websites doesn't. No ForumGarden password is compromised as a result of this particular coding flaw.

    As for banking or email sites I suggest members check whether they have a problem by looking up specific https websites at https://www.ssllabs.com/ssltest/index.html

    Who has a spare two minutes a day to play in this month's FG Trivia game!

    Your satisfactory is our goals

  2. #2
    Premium Member Snowfire's Avatar
    Join Date
    Mar 2009
    Location
    Darn Sarf. Hingland
    Posts
    4,811

    Re: Regarding password security

    That would include Facebook and email (outlook)
    "He has all the virtues I dislike and none of the vices I admire."
    Winston Churchill

  3. #3
    Proudly humble LarsMac's Avatar
    Join Date
    Nov 2009
    Location
    usually on the road to somewhere.
    Posts
    10,856

    Re: Regarding password security

    So, the consensus seems to be that going back and changing your password, just now, would probably be a bad idea, because it would increase the chance that your information would be in the memory cache when someone drops in and gathers the data.
    Simplest thing to do is NOT sign in to those sites until they have applied the fix on the server. THEN go around and change passwords.

    Avoiding Heartbleed Hype, What To Do To Stay Safe - Forbes

    There are complex conditions as to whether your data may or may not have been retrieved, and you should assume details like passwords may have been stolen, but a blind reset of everything could actually make it more likely that you lose your details. You need to reset passwords once a provider has patched.
    "The trouble with people isn't that they don't know, but that they know so much that ain't so." - Will Rogers
    "Truth isn't Truth" - Rudy Giuliani

  4. #4
    Administrator
    Join Date
    Dec 2010
    Posts
    955

    Re: Regarding password security

    There may somewhere still be a https website which hasn't patched OpenSSL among the original 17% of those which were vulnerable, but I think you'd be hard pressed to find it. It's a pretty safe bet that resetting those passwords today would be a good idea. I had a happy hour yesterday changing those on my email and banking accounts.

    I'd guess that 99% of all stolen passwords are taken from client computers by malign software installed after their witless owners have either given permission or operated without adequate virus protection. The first line of defense for practically everyone on the planet ought to be a factory reset of their home computer. I'd not trust my smartphone with a financially-sensitive password either, because I have no idea at all how a smartphone can be expected to protect it.

    Who has a spare two minutes a day to play in this month's FG Trivia game!

    Your satisfactory is our goals

  5. #5
    Administrator
    Join Date
    Dec 2010
    Posts
    955

    Re: Regarding password security

    I've just read James Lyne's earlier article on passwords at Yahoo Hacked And How To Protect Your Passwords - Forbes

    I take issue with some of the things he says. Under "Avoid using the same password across multiple sites [...] I know this presents a memory challenge", for example - no no no. There is no excuse ever for remembering a password. If a password can be remembered then it's a piss-poor password by definition. No password should ever have to be typed or people will skimp and make an easily-typeable password.

    Given which, I note that Paypal (among other sites) has a shockingly dreadful policy of not permitting new passwords to be pasted into their password change form. That means every Paypal password HAS to be typed (twice - once for confirmation) whenever it's changed. That's an atrocious policy which seems designed to get people to use weak passwords; Paypal should be ashamed of themselves.

    James Lyne mentions restricted password length in passing, but it's commonplace across the Internet and abysmal practice. There is no excuse whatever for restricting the customer's choice of password length, and (from recent experience) I've hit boundaries at 26, 24, 21, 18, 16 characters where the limit could all reasonably be, say, 250. The shortest maximum I've hit this year is a 6 character password limit on, of all places, the UK Government Gateway! Why are these web implementors doing such incredibly stupid things? Very few sites actually allow me to use the default password length my own password generator is set to, 48 characters. I'm constantly having to trim passwords down to the point where a website will accept it.

    His point about lying to questions like "what school did you attend" is vital. Personally I just drag another entry out of my password generator to answer any such question because the answer needs to be no less secure than the password itself, since it can be used to unlock the account.

    And yes, of course everyone ought to be using a password manager of some sort. Remembering passwords is a shortcut to skimping; the end results will either be guessable if there's a pattern, or too short, or re-used on multiple sites.

    Who has a spare two minutes a day to play in this month's FG Trivia game!

    Your satisfactory is our goals
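An added illustration of the points in post #5 (not code from the thread or any site it mentions): a generator that produces the kind of 48-character random password a manager would store, a server-side policy check that imposes a sane maximum rather than a tiny one, and the guessing-work (entropy) each of the length caps quoted in the post actually allows. The alphabet size, the 250-character maximum and the 12-character minimum are constructed assumptions.

```python
import math
import secrets
import string

# Constructed assumptions: a 94-symbol printable ASCII alphabet, and the
# "say, 250" maximum the post suggests as reasonable.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
SANE_MAX_LENGTH = 250


def generate_password(length=48, alphabet=ALPHABET):
    """Random password from the OS CSPRNG (secrets), never from random.random().

    The same routine serves for answers to 'secret questions', since those
    unlock the account just as the password does.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of guessing work for a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def check_policy(password, min_length=12, max_length=SANE_MAX_LENGTH):
    """Server-side acceptance rule: reject only what is too short or absurdly long.

    Because the server stores a hash, input length does not affect storage,
    so there is no storage reason for a small cap. Returns (accepted, reason).
    """
    if len(password) < min_length:
        return False, "too short"
    if len(password) > max_length:
        return False, "exceeds maximum length"
    return True, "ok"


def compare_limits(limits=(6, 16, 18, 21, 24, 26, 48)):
    """Entropy allowed by each cap the post mentions, plus the 48-char generator default."""
    return {n: round(entropy_bits(n), 1) for n in limits}
```

Running compare_limits() shows the 6-character Government Gateway cap allows under 40 bits of guessing work, while the 48-character default allows over 300, which is the gap a small maximum throws away.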
