|
Post by elljay on Apr 15, 2014 17:00:50 GMT
I think there's a positive on the user side too - if there's anyone out there who uses the same username and password for multiple sites, hopefully they've been scared enough to change to using different passwords (after each site has been patched, of course!).
|
|
james
Posts: 2,205
Likes: 955
|
Post by james on Apr 15, 2014 17:54:49 GMT
Hopefully so but there's an easy alternative: add the first letter of the name of the site to the start, end or middle of the otherwise shared password. Bonus for using both first and last letters of the site name to further reduce the risk. That sort of thing is easy to remember and automatically prevents a stolen password from working at other places that don't share the same letter(s).
|
|
JamesFrance
Member of DD Central
Port Grimaud 1974
Posts: 1,323
Likes: 897
|
Post by JamesFrance on Apr 15, 2014 18:12:29 GMT
If you use a good password manager like Lastpass, you can easily have a unique and complex password for every site.
Much easier when you don't need to remember them all or store them insecurely using your browser. I have about 150.
|
|
james
Posts: 2,205
Likes: 955
|
Post by james on Apr 26, 2014 9:05:49 GMT
It's now more than two weeks since my initial tests. Here's what has changed since then:
smartika.it: new A- grade instead of F, and newly not vulnerable to Heartbleed, unlike before. However, it's still using an old certificate, so users remain vulnerable to some issues if the certificate was stolen while it was vulnerable, though to a far lesser degree than before - mainly attacks where another server could pretend to be smartika.it to get login details and then use those for abuse on the real server. So still some work to do to protect people fully, but good progress.
smava.de: new A instead of A- grade.
zopa.com: now using a new certificate instead of an old one. No reason to believe they were ever vulnerable to Heartbleed, though.
And of course app.thincats.com wasn't vulnerable to BEAST or Heartbleed, though there have been no improvements to the test results since the earlier tests.
|
|
james
Posts: 2,205
Likes: 955
|
Post by james on Jun 24, 2014 19:49:05 GMT
You might want to check that your favourite sites have upgraded to at least OpenSSL version 1.0.1h. This contains fixes for six more vulnerabilities, specifically:
CVE-2014-0198
CVE-2014-0221
CVE-2014-0195 (arbitrary code execution, serious)
CVE-2014-0198
CVE-2010-5298
CVE-2014-3470
You can expect a large wave of updates in relation to these vulnerabilities, and it seems likely that there will be another batch coming as people study OpenSSL hard looking for more vulnerabilities of similar types to those found so far. Arbitrary code execution means that an attacker can hand the server a program-equivalent and tell it to run it to do whatever the attacker wants, like taking over the whole server or handing over any information it can get to. Not as easy to exploit as Heartbleed yet, but that will change as attack kits are updated to use this vulnerability.
|
|
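The post above asks readers to check that the OpenSSL in use is at least 1.0.1h. The letter-suffixed version scheme of the 1.0.x line makes naive string comparison wrong (1.0.1 is older than 1.0.1a, and 0.9.8z is older than 0.9.8za), so here is an added example, not code from the thread or from the OpenSSL project, that parses `openssl version` style strings and decides whether the June 2014 release line has been reached. The per-branch minimums (0.9.8za, 1.0.0m, 1.0.1h) are the three releases of that advisory as I recall them and are an assumption added here; the post itself names only 1.0.1h. The sample version strings are constructed.

```python
import re
import ssl

# Assumption (not from the post): the June 2014 OpenSSL releases that carried
# the same set of fixes, keyed by branch.  The post only names 1.0.1h.
FIXED_IN = {
    (0, 9, 8): "0.9.8za",
    (1, 0, 0): "1.0.0m",
    (1, 0, 1): "1.0.1h",
}

# Matches "1.0.1g", "0.9.8za", "1.0.2" inside strings such as
# "OpenSSL 1.0.1g 7 Apr 2014" (the format printed by `openssl version`).
_VER_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, fix, letters) for the first version in `text`.

    The letter suffix is kept as a string: Python compares "" < "a" < ... <
    "z" < "za", which is exactly the order OpenSSL used for patch releases.
    """
    m = _VER_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL-style version found in %r" % text)
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)


def needs_upgrade(text):
    """True if the OpenSSL named in `text` predates the June 2014 fixes.

    Branches newer than 1.0.1 were first released after that advisory and
    are reported as not needing this particular upgrade; branches older than
    those in FIXED_IN were unsupported and always report as needing one.
    """
    version = parse_openssl_version(text)
    branch = version[:3]
    if branch in FIXED_IN:
        return version < parse_openssl_version(FIXED_IN[branch])
    return branch < (1, 0, 1)


def local_runtime_status():
    """Report the OpenSSL this Python interpreter was linked against."""
    banner = ssl.OPENSSL_VERSION
    return banner, needs_upgrade(banner)


if __name__ == "__main__":
    # Constructed sample banners, as `openssl version` would print them.
    samples = [
        "OpenSSL 1.0.1g 7 Apr 2014",   # Heartbleed fixed, June fixes missing
        "OpenSSL 1.0.1h 5 Jun 2014",   # the release the post asks for
        "OpenSSL 0.9.8z 5 Jun 2014",   # older than 0.9.8za despite the 'z'
        "OpenSSL 1.0.2 22 Jan 2015",   # newer branch, no letter suffix
    ]
    for banner in samples:
        print("%-30s upgrade needed: %s" % (banner, needs_upgrade(banner)))
    banner, flag = local_runtime_status()
    print("this interpreter: %s upgrade needed: %s" % (banner, flag))
```

Two caveats a practitioner should keep in mind: the version string is only available where you can run `openssl version` or read it from a banner, since a remote TLS handshake does not reveal the library version; and distributions such as Debian and Red Hat backport fixes without changing the upstream version number, so on those hosts the package changelog, not this comparison, tells you whether the fixes are present.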