Friday, April 18, 2014

Heartbleed Password Dilemma: Password Pairs

This post was originally posted on my WordPress blog at:
http://domainating.wordpress.com/2014/04/17/the-heartbleed-password-dilema/

Because this bug is so bad, and the implications of its abuse so broad, so dangerous and so extremely important, I am cross-posting that blog article in many of my blogs.  Please do not hesitate to fix this issue for yourself, your family and loved ones.  Tell your friends about this problem, as well (or point them to this article).

For your convenience, that article is reprinted below:

OK, the fallout from the Heartbleed bug is worse than I thought.  Heartbleed lets an attacker read chunks of a vulnerable server's memory, and that memory can contain the usernames and passwords people have just submitted to the site.  The deeper problem is with how we, as humans, don't manage a large number of passwords well.  It isn't so much that we are lazy, but to avoid clutter in our minds, we reuse passwords across the internet to log in to different websites.

With the Heartbleed vulnerability, that habit of saving brain cells becomes a second vulnerability: a username and password pair leaked from one site is also the key to every other site where the same pair is used.

You see, most people don't come up with a unique username and password for each site they join.  Most people reuse the same username over and over so that they can be recognized by friends and acquaintances across networks.  That would still be OK if the password were unique for each and every website that user logged into with that username.  But because we are trying to make things simpler, we usually draw our passwords from a small list, so that we don't have to remember so many, because we know what it feels like to be locked out.

It all has to do with username and password pairs.

So if a user logs in as "Gibraltor5" with a password of "1Ydd/R247" on a forum website that is compromised, that username and password pair ends up in an attacker's credential list, and some malicious hacker will eventually try the same pair at other places, such as Yahoo, Twitter, Gmail, Facebook, Chase, CapitalOne, Amex, etc.

Eventually, someone writes a program that tries to log in to all sorts of websites using "Gibraltor5" as the username and "1Ydd/R247" as the password, possibly on a global scale (this is now called credential stuffing).  What's more, they may not stop at one attempt.  They might wait a year or so and try again, just to check whether the user protected his accounts but then went back to his old habits.
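From the site operator's side, the replay described above has a recognizable shape: one source address tries a long list of different usernames, a few attempts each, and the occasional success is an account takeover.  The following is an added example (not code from the original post) that runs that check over a few constructed login-log lines; the log format, the field names and the thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format, not from any real system).
# 203.0.113.7 replays a leaked credential list; 198.51.100.4 is one user mistyping a password.
SAMPLE_LOG = """\
2014-04-18T10:00:01Z ip=203.0.113.7 user=Gibraltor5 result=FAIL
2014-04-18T10:00:02Z ip=203.0.113.7 user=alice result=FAIL
2014-04-18T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2014-04-18T10:00:03Z ip=203.0.113.7 user=carol result=OK
2014-04-18T10:00:04Z ip=203.0.113.7 user=dave result=FAIL
2014-04-18T10:00:05Z ip=203.0.113.7 user=erin result=FAIL
2014-04-18T10:00:09Z ip=198.51.100.4 user=frank result=FAIL
2014-04-18T10:00:20Z ip=198.51.100.4 user=frank result=FAIL
2014-04-18T10:00:31Z ip=198.51.100.4 user=frank result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse(log_text):
    """Parse log lines into (timestamp, ip, user, result) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_stuffing(events, window_seconds=60, min_distinct_users=5):
    """Flag source IPs that attempt at least min_distinct_users different usernames
    inside any sliding window of window_seconds.  Many users from one source is the
    credential-stuffing signature; one user with many failures is ordinary brute force
    and is deliberately not flagged here.

    Returns {ip: {"users": set of usernames tried, "successes": set of usernames that
    logged in successfully during a flagged window}}.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # advance the window start until the window fits within window_seconds
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            in_window = attempts[start:end + 1]
            users = {u for _, u, _ in in_window}
            if len(users) >= min_distinct_users:
                hit = flagged.setdefault(ip, {"users": set(), "successes": set()})
                hit["users"] |= users
                hit["successes"] |= {u for _, u, r in in_window if r == "OK"}
    return flagged


if __name__ == "__main__":
    for ip, hit in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {len(hit['users'])} usernames tried, takeovers: {sorted(hit['successes'])}")
```

The accounts in the "successes" set are the ones to lock and force a password reset on: the attacker already held a working pair for them, which is exactly the reuse problem the post describes.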

So from now on, you have to create a unique password for every single site that you have ever accessed.

Even though Google may say that your Gmail and Google+ accounts are safe, they aren't if you have ever used the same username and password combination before or afterwards on any other site.  You can't be sure which sites were or weren't compromised.  The username and password pair could have come from a site you don't even remember joining.  So if you have a tendency, like most humans, to use the same password over and over, you have to stop that right now, go back to all the sites you have ever been a member of, and change your password on each one to something unique.

Now, if you are like me, you have lots of places that you frequent.  That means you will need so many passwords that you won't be able to keep them all straight without writing them down.  But if you write them on plain paper, or in a little black book of passwords like I used to do, you open yourself to having them stolen that way, by your very own hand.

The best way to do it, then, is to use a password program that keeps all your passwords safe and handy.  Since I don't always have my PC with me, but I try to always have my phone on me, I have to recommend Kuff's Password Safe for Android.  It lets you generate unique gibberish-style passwords on the fly, protects your entire catalog of passwords with 128- or 256-bit encryption, lets you categorize them, and more.  The one thing is that you must remember the password you use to open the application, because there is no back door, and without that one password you will not be able to get into the application again.  The good news is that you only have one password to remember, again.
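Two things a password safe does for you, finding the pairs you have reused and replacing them with random ones, are simple enough to show in code.  This is an added example written for this post, not the author's code and not Kuff's Password Safe; the vault entries are constructed, and the entry layout, the 12-character minimum and the symbol set are assumptions.  Passwords are grouped by SHA-256 digest so the reuse report never has to carry the cleartext.

```python
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed sample vault (hypothetical sites and passwords, none of them real accounts).
VAULT = [
    {"site": "forum.example", "user": "Gibraltor5", "password": "1Ydd/R247"},
    {"site": "mail.example", "user": "Gibraltor5", "password": "1Ydd/R247"},
    {"site": "bank.example", "user": "Gibraltor5", "password": "1Ydd/R247"},
    {"site": "shop.example", "user": "Gibraltor5", "password": "Tq8!mzP0wr#c"},
]

# Assumed character set: letters, digits and a handful of symbols most sites accept.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-/=?@^_~"


def find_reused(entries):
    """Return {sha256_hex: [sites]} for every password that appears on more than one site.
    Comparing digests rather than cleartext keeps the report itself from being a leak."""
    groups = defaultdict(list)
    for e in entries:
        digest = hashlib.sha256(e["password"].encode("utf-8")).hexdigest()
        groups[digest].append(e["site"])
    return {h: sites for h, sites in groups.items() if len(sites) > 1}


def generate_password(length=20):
    """Random password from the OS CSPRNG (secrets, never random.choice).
    With a 77-symbol alphabet each character contributes about 6.3 bits of entropy."""
    if length < 12:
        raise ValueError("length below 12 gives too little entropy")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_reused(entries):
    """Return a copy of the vault in which every site that shared a password with
    another site gets a fresh, independently generated one.  Unique passwords are left alone."""
    reused_sites = {s for sites in find_reused(entries).values() for s in sites}
    rotated = []
    for e in entries:
        new = dict(e)
        if e["site"] in reused_sites:
            new["password"] = generate_password()
        rotated.append(new)
    return rotated


if __name__ == "__main__":
    for digest, sites in find_reused(VAULT).items():
        print(f"password {digest[:12]}... reused on: {', '.join(sites)}")
    print("after rotation, reused groups:", find_reused(rotate_reused(VAULT)))
```

Running it on the sample vault reports the one password shared by three sites and, after rotation, no shared passwords at all; the shop.example entry, which was already unique, keeps its original password.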

Now, to top that off, you can also get a version for Windows, so that you can update and access your password data across platforms, and back up your data to remote services such as Dropbox, SkyDrive & Google Drive, or to your local Windows machine.


The developer's website for Kuffs Password Safe (Android & Windows):
http://www.kuffs.co.uk/

If you do not have an Android smartphone or tablet, do not expect to upgrade to one, or would prefer a Macintosh version, you will have to shop around.  But this little utility, a password safe that holds all of your username and password pairs and other private information and encrypts the data to protect it from malicious hackers, is now a vital component in the life of anyone who has or had an online lifestyle (meaning anyone who has ever done anything online).   I even keep my server details and all sorts of vital info there, I trust it that much.
