OpenSSL bug found. Change your passwords

Link found here. Apparently it could affect up to 2/3 websites, especially big name ones.

@Tecton will this have any kind of effect on Achaea?

Comments

  • For those wondering how it works, here's a very good explanation: http://xkcd.com/1354/
  • edited April 2014
    Someone bothering to steal Achaea passwords would be such a super nerd.

    I might worship such a person.
    it happened once before. Praise @daes.

    Janeway: Tuvok! *clapclap* Release my hounds!
    Krenim: Hounds? How cliche.
    Janeway: Tuvok! *clapclap* Release my rape gorilla!
    Krenim: ...We'll show ourselves out.
  • Daes ex machina.
  • Password managers: Which one do you guys use/recommend, and why?
  • Nim
    edited April 2014
    Iocun said:
    Someone bothering to steal Achaea passwords would be such a super nerd.

    I might worship such a person.

    To be fair, Achaea connections are all plaintext, so it'd be easy to hack someone's character if you were lucky enough to be able to intercept someone's connection. >_>

  • Nim said:
    Iocun said:
    Someone bothering to steal Achaea passwords would be such a super nerd.

    I might worship such a person.

    To be fair, Achaea connections are all plaintext, so it'd be easy to hack someone's character if you were lucky enough to be able to intercept someone's connection. >_>

    Nerd!
  • Nim said:
    Iocun said:
    Someone bothering to steal Achaea passwords would be such a super nerd.

    I might worship such a person.

    To be fair, Achaea connections are all plaintext, so it'd be easy to hack someone's character if you were lucky enough to be able to intercept someone's connection. >_>

    You're on my list of suspicious people now, @Nim. *peers*
  • I just got sec+ and blah blah. I learned a lot and of course, Achaea was my first target.

    Achaea passed all my breach attempts. you don't have anything to worry about.

    Also, if you have to change your password, you are doing it wrong.

    To be honest, most people have one password with number variations (password, password1, Password1, Password12, P@assword1).

    Blah blah, easy to guess. I'll give you the more plausible solution, rather than saying you should make all your passwords unrecognizable.
    Make 3 passwords that you can remember properly. Make 1 for games (EVE, LoL, Achaea), 1 for money (banking, 401k, PayPal), 1 for personal (Amazon, email).

    On paper, this is a pretty bad strategy, but IRL people are lazy and stupid, so this is the best I got.
    Replies the scorpion: "It's my nature..."
  • Yep, supposed to ask first
  • Also, that password strategy is terrible and asking for trouble.

    (Party): Mezghar says, "Stop."
  • Kyriella said:

    Password managers: Which one do you guys use/recommend, and why?

    Firefox has a decent plugin for password management which you can sync with an Android device. LastPass is also a decent one, albeit with a small cost.

    (Party): Mezghar says, "Stop."
  • Tharvis, The Land of Beer and Chocolate!
    Just don't use Chrome for passwords either. Not if you think other people have access to your browser; they seem to be saved with little to no protection and are easily reached by a person who knows what they're doing.
    Aurora says, "Tharvis, why are you always breaking things?!"
    Artemis says, "You are so high maintenance, Tharvis, gosh."
    Tecton says, "It's still your fault, Tharvis."

  • Nizaris, The Holy City of Mhaldor
    I personally use the following password strategy.

    1. Pick a word. (Samwise)
    2. Garble the word in a way that makes sense ($a^^W!$3). Use conventions here: S's are always $. W's are always capital. Etc.
    3. For each account that you have, tack on a suffix.
       * Facebook: _fbook
       * Gmail: _gmail
       * Chase Bank: _chase
    4. Optionally, tack on a number suffix that indicates the month of the year (requires frequent password changes. This is ideal, but a PITA):
       * January: _1
       * December: _12

    Resultant passwords:
    $a^^W!$3_fbook_2
    $a^^W!$3_gmail_5
    $a^^W!$3_chase_7
    etc

    Due to the way that passwords are stored on a server (in a hash), these passwords look more different than they are similar. This makes it harder to extrapolate the pattern from only the hashes.
    Example, here are the md5sum hashes for the above passwords:

    $a^^W!$3_fbook_2: 4a553d5f8bf404f9c0983e8e51b472bb
    $a^^W!$3_gmail_5: 61d2e42d0888f7591574969c42595478
    $a^^W!$3_chase_7: 18509e0d64dd6d61b5589ee5a40720af

    Indeed, changing even one character in a password changes at least 50% of the resultant hash:

    $a^^W!$3_chase_7: 18509e0d64dd6d61b5589ee5a40720af
    $a^^W!$3_chase_8: 4b5204d7e43fe16350df27adb463acdd

    The result is different passwords for everything that follow a pattern that enables them ALL to be remembered using the system.
  • Sobriquet said:
    Also, that password strategy is terrible and asking for trouble.
    Agreed. However, most people have more simplified passwords, aka 1 password for everything. What I offer is a bad solution, but still a solution.

    As for attempting to breach Achaea, no didn't ask permission, but it's all completely patched and would have been reported because I love this game that damn much.

    Afaik, no "technical" law says attempted breaches are illegal.
    Replies the scorpion: "It's my nature..."
  • Kresslack, Florida, United States
    It doesn't do any good to change passwords for sites which haven't updated their certs. I would recommend using Last Pass, which will advise you if a site you frequent has updated so you can change your password for it. If it hasn't, might as well just wait.


  • Nizaris said:
    I personally use the following password strategy.

    1. Pick a word. (Samwise)
    2. Garble the word in a way that makes sense ($a^^W!$3). Use conventions here: S's are always $. W's are always capital. Etc.
    3. For each account that you have, tack on a suffix.
       * Facebook: _fbook
       * Gmail: _gmail
       * Chase Bank: _chase
    4. Optionally, tack on a number suffix that indicates the month of the year (requires frequent password changes. This is ideal, but a PITA):
       * January: _1
       * December: _12

    Resultant passwords:
    $a^^W!$3_fbook_2
    $a^^W!$3_gmail_5
    $a^^W!$3_chase_7
    etc

    Due to the way that passwords are stored on a server (in a hash), these passwords look more different than they are similar. This makes it harder to extrapolate the pattern from only the hashes.
    Example, here are the md5sum hashes for the above passwords:

    $a^^W!$3_fbook_2: 4a553d5f8bf404f9c0983e8e51b472bb
    $a^^W!$3_gmail_5: 61d2e42d0888f7591574969c42595478
    $a^^W!$3_chase_7: 18509e0d64dd6d61b5589ee5a40720af

    Indeed, changing even one character in a password changes at least 50% of the resultant hash:

    $a^^W!$3_chase_7: 18509e0d64dd6d61b5589ee5a40720af
    $a^^W!$3_chase_8: 4b5204d7e43fe16350df27adb463acdd

    The result is different passwords for everything that follow a pattern that enables them ALL to be remembered using the system.
    Isn't there something that says instead of trying to come up with a complicated set of replacement letters/numbers/capitals for a single password word, that it's more secure and easier for the person to remember to make a sentence as their password?
    Janeway: Tuvok! *clapclap* Release my hounds!
    Krenim: Hounds? How cliche.
    Janeway: Tuvok! *clapclap* Release my rape gorilla!
    Krenim: ...We'll show ourselves out.
  • edited April 2014
    Berenene said:
    Isn't there something that says instead of trying to come up with a complicated set of replacement letters/numbers/capitals for a single password word, that it's more secure and easier for the person to remember to make a sentence as their password?
    http://xkcd.com/936/

    That doesn't help with remembering a hundred different passwords though.
  • Kresslack, Florida, United States
    I'll just leave This here.


  • Nizaris, The Holy City of Mhaldor
    Sena said:
    Berenene said:
    Isn't there something that says instead of trying to come up with a complicated set of replacement letters/numbers/capitals for a single password word, that it's more secure and easier for the person to remember to make a sentence as their password?
    http://xkcd.com/936/

    That doesn't help with remembering a hundred different passwords though.
    Also, those passwords that I provided each had >72 bits of entropy, compared to the comic's 44 bits (44 bits gets you 550 years. Mine gave you 1.49 x 10^11 years). The increased entropy vs. the comic's weak password was due to adding on the suffixes to handle accounts and remembering them.
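The entropy figures traded in the last few posts come from one model: a password drawn uniformly from N possibilities has log2(N) bits, and an attacker guessing at a fixed rate needs 2^bits guesses to exhaust them. The script below is an added example, not anything from the thread or the comic, that carries that model through for both password styles. The 2048-word dictionary, 4-word passphrase and 1000 guesses per second are the figures the comic uses; the 95-symbol printable-ASCII alphabet is a standard assumption. The standard caveat is that these bits count only what the attacker does not already know: a fixed site suffix or a known substitution rule adds length but no entropy against someone who knows the scheme, so only the genuinely random part should be counted.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols each chosen uniformly from `alphabet_size`
    symbols. Only applies to the randomly chosen part of a password."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of `word_count` words chosen uniformly from a dictionary of
    `dictionary_size` words (the comic's model: 4 words from 2048 = 44 bits)."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years to try every one of the 2**bits possibilities at a fixed rate.
    On average an attacker succeeds after half of them."""
    return (2 ** bits / guesses_per_second) / SECONDS_PER_YEAR


def bits_coverable(guesses_per_second: float, years: float) -> float:
    """The inverse view: how many bits of entropy a budget of `years` at
    `guesses_per_second` can search exhaustively."""
    return math.log2(guesses_per_second * years * SECONDS_PER_YEAR)


def effective_entropy_bits(random_len: int, alphabet_size: int,
                           known_suffix_len: int = 0) -> float:
    """Entropy of a derived password when the attacker knows the scheme:
    the known suffix contributes nothing, however long it is."""
    del known_suffix_len  # deliberately ignored: known structure is not entropy
    return charset_entropy_bits(random_len, alphabet_size)


if __name__ == "__main__":
    rate = 1000  # guesses per second, the comic's figure for an online attack
    comic = passphrase_entropy_bits(4, 2048)
    print(f"4 words from 2048: {comic:.1f} bits, "
          f"{years_to_exhaust(comic, rate):.0f} years at {rate}/s")
    rnd = charset_entropy_bits(8, 95)
    print(f"8 random printable chars: {rnd:.1f} bits, "
          f"{years_to_exhaust(rnd, rate):.0f} years at {rate}/s")
    print(f"8 random chars plus a 10-char known suffix: "
          f"{effective_entropy_bits(8, 95, 10):.1f} bits (unchanged)")
    print(f"A year at {rate}/s covers about {bits_coverable(rate, 1):.1f} bits")
```

Two things fall out of the numbers: the comic's 550 years is reproduced directly from 44 bits at 1000 guesses per second, and the rate is the decisive parameter. Swap in an offline rate against an unsalted fast hash such as MD5, which runs many orders of magnitude faster, and the same 44 bits shrink to seconds, which is why the hash function the server chooses matters as much as the password.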
  • Strata, United States of Derp
    Ok so... just my two cents (it's really all I have up there... maybe)
    For most things that aren't important (as in, there isn't much personally identifiable info associated with the account), I use simple passwords that could easily be cracked. The consequences of exposure are not enough for me to care.
    For important stuff, I use gorilla because I've been using it for years and I'm kind of dinosaur'd with it and am too lazy to try anything else out there that's probably way better by now.
    For new accounts, always randomly generate a passphrase, and then use one of the many JavaScript-based strength checkers (Google for them) before saving to your password manager of choice.
  • I don't trust strength checkers. A lot of them seem based on giving a lot of points just for having a number/symbol/capital letter/etc. without considering length at all. And then it's likely beyond the scope of a javascript strength checker to consider things like dictionary-based attacks.
  • Strata, United States of Derp
    Nim said:
    I don't trust strength checkers. A lot of them seem based on giving a lot of points just for having a number/symbol/capital letter/etc. without considering length at all. And then it's likely beyond the scope of a javascript strength checker to consider things like dictionary-based attacks.
    This one is pretty good: http://passwordmeter.com
  • Strata said:
    Nim said:
    I don't trust strength checkers. A lot of them seem based on giving a lot of points just for having a number/symbol/capital letter/etc. without considering length at all. And then it's likely beyond the scope of a javascript strength checker to consider things like dictionary-based attacks.
    This one is pretty good: http://passwordmeter.com
    That one gets bonus points for explaining its math, and for giving my entire post a 100% even after I'd set everything to lower case and stripped it of non-letter characters due to the sheer length factor involved.