
Topic: OpenSSL; Serious Vulnerability (Read 15817 times)

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7405
  • VM Gig1 - AAISP CF
Re: OpenSSL; Serious Vulnerability
« Reply #15 on: April 10, 2014, 10:08:16 AM »

Quote
Then along come the smart arses who implemented a rule that it must be changed every xx days

Password policies are a difficult one and come down to acceptance of risk; you have to find a balance. If you make them too difficult people just write them down (as others have mentioned) and IMHO if that happens you might as well not have a password. But no matter how easy you make it for users to have very secure access, people still don't follow process.

e.g. We implemented a very complex password policy which would have made it impossible for the password to be guessed. It also made it unusable for us humans. So we issued smart cards to all the people that needed one and installed keyboards that required the user to put the card into. If the card was removed the user was logged out. All the user had to do was input a PIN of their choosing and follow company policy, which stated that when they were away from their desk they took the card with them. Failure to follow process was on pain of death and people still left the cards inserted ???.

I wonder if these same people would leave their atm card in the atm  :lol:



Very good point; this is why policies such as forcing password changes every 30 days, or blocking browsers from caching passwords, are counterproductive. If you change your password every 30 days you'll be hard pressed to find something memorable every time. In addition, every site on the internet wants you to register if you want to post: someone has a blog you want to comment on? Register. Comment on a news article? Register. Before you know it you've registered on 100 sites, and if you follow the recommended practice of never using the same password twice then of course you have 100 or so passwords to remember. Not going to happen. So people put them in Notepad, write them down, whatever. To me a solution is to use something like KeePass to store them encrypted.

geep

  • Reg Member
  • ***
  • Posts: 452
    • My ST546 Statistics
Re: OpenSSL; Serious Vulnerability
« Reply #16 on: April 10, 2014, 02:17:54 PM »

Quote
To me a solution is to use something like KeePass to store them encrypted.

I've been using PasswordSafe for some years now, which has the nice feature that it runs on both Windows and Linux.
http://passwordsafe.sourceforge.net/

Cheers,
Peter

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 43603
  • Penguins CAN fly
    • DSLstats
Re: OpenSSL; Serious Vulnerability
« Reply #17 on: April 10, 2014, 03:35:26 PM »

I use KeepassX (also Windows and Linux), which I believe started life as a Linux port of Password Safe.
  Eric

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7405
  • VM Gig1 - AAISP CF
Re: OpenSSL; Serious Vulnerability
« Reply #18 on: April 10, 2014, 05:28:15 PM »

Interesting, roseway; it does indeed look very similar to the normal KeePass.

UncleUB

  • Helpful
  • Senior Kitizen
  • *
  • Posts: 29543
Re: OpenSSL; Serious Vulnerability
« Reply #19 on: April 10, 2014, 06:27:08 PM »

I myself use LastPass.

You can test your security there and see which sites, if any, need your security updating.

https://lastpass.com/

Berrick

  • Reg Member
  • ***
  • Posts: 287
Re: OpenSSL; Serious Vulnerability
« Reply #20 on: April 12, 2014, 08:32:40 AM »

Quote
7LM: Not sure of my facts, but I'm coming around to the idea that home users (SSL clients) are at risk too, as the client software apparently contains the bug as well as server-side

Just to confirm 7LM's suspicion. Information from the AstLinux site:

Quote
Keep in mind this "heartbleed" issue isn't limited to servers, it affects clients and desktop machines as well, perform your due diligence to eliminate any risk associated with this serious vulnerability

My concerns have turned to verifying which routers, mobile phones and embedded devices (wireless printers etc. etc.) are affected. For example:
  • Smartphones and tablets running Android 4.1.1 Jelly Bean are affected
  • Windows PCs, Macs, most Linux desktop and laptop machines are not affected

This site has some interesting info and advice which others may find useful: http://www.tomsguide.com/us/heartbleed-bug-to-do-list,news-18588.html
« Last Edit: April 12, 2014, 08:46:17 AM by Berrick »
Growing old is mandatory; Growing up is optional

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33884
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: OpenSSL; Serious Vulnerability
« Reply #21 on: April 12, 2014, 10:30:47 AM »

I notice TalkTalk is listed as vulnerable.

BT not vulnerable.
Sky is saying no SSL, but unsure about that.

https://github.com/musalbas/heartbleed-masstest/blob/master/top10000.txt

An up to date check shows TT have now patched their systems and are issuing this statement:

http://help2.talktalk.co.uk/heartblead-bug-%E2%80%93-changing-passwords
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

snadge

  • Kitizen
  • ****
  • Posts: 1450
Re: OpenSSL; Serious Vulnerability
« Reply #22 on: April 12, 2014, 04:37:41 PM »

I've read Sky, TalkTalk and Virgin all say they are not vulnerable, but I don't believe them, because if they were they would not admit it in case it caused a drop in sales... Cisco and Juniper have come forward and said some of their equipment is affected.

this is what I got from Netgear about my router....hmmm

Quote
The NETGEAR Routers will not be affected by the heartbleed bug since it only affects SSL protocol and our routers are using http.

There are a few testers for websites but they can't give clear answers... my own website host says they have patched it, but how can I be sure?
Aquiss - 900/110/16ms - TP-Link AR73

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7405
  • VM Gig1 - AAISP CF
Re: OpenSSL; Serious Vulnerability
« Reply #23 on: April 12, 2014, 06:36:59 PM »

You can check their URLs on one of the sites that are providing free tests. Of course they may have already patched.

snadge

  • Kitizen
  • ****
  • Posts: 1450
Re: OpenSSL; Serious Vulnerability
« Reply #24 on: April 12, 2014, 07:56:45 PM »

There are loads of testing websites, all of which seem to give odd or differing answers. I got the all clear on my website:
http://filippo.io/Heartbleed/#defiant.servers.eqx.misp.co.uk

 - also, as I say, TalkTalk were one of the ISPs to say they were unaffected, but now they are saying they were but have patched it and are asking all customers to change passwords... I am with Sky... god knows where they stand in reality with it... regardless of them 'officially' "being unaffected".

Also... Netgear's answer about my router seems to be a bit of a "fob off" to me? Or am I wrong? Netgear's routers aren't affected because they use HTTPS... and not SSL... can this be true?
« Last Edit: April 12, 2014, 07:59:26 PM by snadge »

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: OpenSSL; Serious Vulnerability
« Reply #25 on: April 12, 2014, 08:19:15 PM »

this is what I got from Netgear about my router....hmmm

Quote
The NETGEAR Routers will not be affected by the heartbleed bug since it only affects SSL protocol and our routers are using http.

Which router do you have? The only entities to be affected would be SSL servers and SSL clients. Your Netgear router is probably neither of these. Traffic passing through most home routers, say from your PC to your bank, might or might not be affected, but the router would be irrelevant.

If you have a more advanced router that implements supposedly secure VPN access so that remote users can access your home PCs, such a router might be an issue.

The paradoxical response for me is Google. In all statements I have seen they seem to say that their servers were affected, but that users do not need to take action. I can only assume they feel, as the bug was exposed by a Google researcher, that they were able to block it before the news broke?

Biggest worry for me though will be the loads and loads of embedded devices. Everything from your media DVD player to your electric toothbrush these days may be running Linux and, if it has any need for secure comms, using OpenSSL. How the heck are they ever going to sort it all out?

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33884
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: OpenSSL; Serious Vulnerability
« Reply #26 on: April 12, 2014, 08:24:05 PM »

Quote
Netgear's routers aren't affected because they use HTTPS... and not SSL

If they don't use https then they 'shouldn't' be affected.

The reason I went hmmm for Sky and said that I was unsure is that they use https. Suppose it depends if their servers run on Windows or Linux.
Windows servers are supposedly unaffected, which is why some banks' systems have remained unaffected.

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33884
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: OpenSSL; Serious Vulnerability
« Reply #27 on: April 12, 2014, 08:32:32 PM »

Quote
 - also, as I say, TalkTalk were one of the ISPs to say they were unaffected, but now they are saying they were but have patched it and are asking all customers to change passwords... I am with Sky... god knows where they stand in reality with it... regardless of them 'officially' "being unaffected".

I think the bit in bold says it all really:

Quote
Rest assured no customer data has been reported compromised and we’ve secured all our servers and websites

i.e. they don't know.

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: OpenSSL; Serious Vulnerability
« Reply #28 on: April 12, 2014, 08:56:41 PM »

I'd been coming around to the idea that Open Source software needs to be better scrutinised, but interesting and opposing comments in The Guardian,

http://www.theguardian.com/commentisfree/2014/apr/10/stop-next-heartbleed-bug-open-source-support-open-ssl

in particular...

Quote
some future Edward Snowden will have to tell us whether the NSA found the Heartbleed flaw before researchers at Google

Now there's a cheery thought   :o :o

And of course, just like public/private key cryptography in the first place, it'll turn out that GCHQ has known about it longer than anybody.    ???

snadge

  • Kitizen
  • ****
  • Posts: 1450
Re: OpenSSL; Serious Vulnerability
« Reply #29 on: April 12, 2014, 09:58:16 PM »

Quote
 - also, as I say, TalkTalk were one of the ISPs to say they were unaffected, but now they are saying they were but have patched it and are asking all customers to change passwords... I am with Sky... god knows where they stand in reality with it... regardless of them 'officially' "being unaffected".

I think the bit in bold says it all really:

Quote
Rest assured no customer data has been reported compromised and we’ve secured all our servers and websites

i.e. they don't know.

I was angling more at them denying being affected... then later saying they were, but then patched it...

My router does have remote management facilities... so am I right in saying it then has some form of SSL library?

I don't use it... but WAS thinking about it not long ago, for accessing it from work for example.

edit: actually, when I look at that page the URL is HTTPS, so I guess it's fine.

Now I just need to be sure Sky's servers aren't affected.
« Last Edit: April 12, 2014, 10:04:54 PM by snadge »