Change Your Website Passwords — be glad you still can


How To Protect Yourself From The Massive Security Flaw That’s Taken Over The Internet

The notice that hosting provider Liquid Web sent to its customers:

On April 07, 2014 a severe vulnerability in OpenSSL was announced.
If you are receiving this announcement, then you have at least one server that may be vulnerable to a serious security flaw.
Known formally as TLS heartbeat read overrun (CVE-2014-0160), and dubbed the “Heartbleed Bug”, this flaw allows for the theft of information normally protected by SSL/TLS encryption. Specifically, the Heartbleed Bug allows memory to be read on systems using OpenSSL 1.0.1 before 1.0.1g, which can compromise private/secret keys used to encrypt data and application traffic. At the very least, this would allow attackers to impersonate users and services, and provide a means for data theft. Unless automatic updating has been disabled, a patch has been downloaded for your system and a system reboot is required to complete the process. We encourage you to reboot your server as soon as possible to ensure your system is secure.

Beginning April 10, 2014 we will be updating and rebooting servers which are found to still be vulnerable to the Heartbleed Bug. Due to the nature of this vulnerability, and the volume of servers eligible for the update, we cannot accommodate requests for a specific reboot time. You may opt out of a server reboot, should you plan to apply the update yourself, by simply opening a ticket at your server provider. If you opt out, Liquid Web will assume that you’ve appropriately patched your servers. For further information on the OpenSSL Heartbleed Bug

In case the Heartbleed bug’s name hasn’t already convinced you of the seriousness of this security vulnerability, allow me to make this clear: you should change the password you use for every website you’ve visited in the last two years.

That message has been repeated ad nauseam since the vulnerability was first revealed earlier this week.

Tumblr has asked its users to change their passwords. Mozilla has advised Firefox users who rely on the same password for multiple sites to do the same. So have the New York Times, the Wire, and countless other news sites. Again, in case the bleeding heart metaphor wasn’t enough to convince you that this is a real problem: change all of your passwords. Now. One caveat: changing a password on a site that is still vulnerable only exposes the new one, so check that the site has patched (and ideally reissued its certificate) before you do.

That’s easier said than done, of course. While there are various tools that can generate strong passwords and keep them in sync across multiple platforms, there isn’t an “Oh shit!” button that can automatically reset all of those passwords when something like this happens. It’s up to you to remember all of the websites you’ve visited, the passwords you used for those sites, and to create new passwords that anyone knowing your old ones won’t be able to guess. That’s not necessarily a bad thing: having to manually change the passwords could help protect against any potential flaws hiding in the generators used by tools like 1Password or LastPass. (Note: I’m not saying the tools have flaws, I’m just saying they hypothetically could, company representatives.)

 

What is the Heartbleed bug?

Heartbleed is a flaw in OpenSSL, the open-source implementation of the SSL/TLS protocols used by the majority of websites that need to transmit data their users want kept secure. It is what gives you a secure line when you log in, send an email or chat on IM.

Encryption works by making it so that data being sent looks like nonsense to anyone but the intended recipient.

Occasionally, one computer might want to check that there’s still a computer at the other end of its secure connection, and it will send out what’s known as a heartbeat (the TLS heartbeat extension, RFC 6520): a small packet carrying a payload and a field stating the payload’s length, which the other end is expected to echo back.

Because of a programming error in OpenSSL’s implementation of the heartbeat extension, the code trusted the length stated in the request without checking it against the number of bytes actually received. A request that claims a payload of up to 64 KB but carries only a few bytes is answered with that many bytes copied from the server’s memory, starting right after the request and continuing into whatever the process happened to hold next. Nothing about such a request looks malformed, and it can be repeated as often as the attacker likes, each time returning a fresh slice of memory.
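The missing check, as an added illustration that is not OpenSSL’s code: a simplified model in C of the heartbeat handler (type byte, 16-bit length, payload, 16 bytes of padding) that keeps the shape of the original and can run with or without the bounds check that 1.0.1g added. The server’s memory, the secret sitting just past the record and the request sizes are all constructed for the demo, and the over-read is confined to the demo’s own buffer so the program itself stays memory-safe.

```c
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16      /* RFC 6520 minimum padding */
#define MEM_SIZE         256

/* Stand-in for the server process's memory: the heartbeat record sits at the
   start, and whatever the process holds next (here a constructed secret)
   follows it, which is exactly the layout Heartbleed reads through. */
static unsigned char server_mem[MEM_SIZE];
static const char SECRET[] = "session=abc123; password=hunter2";   /* constructed */

/* 16-bit big-endian helpers, mirroring OpenSSL's n2s/s2n macros */
static unsigned int n2s(const unsigned char *p) { return ((unsigned int)p[0] << 8) | p[1]; }
static void s2n(unsigned int v, unsigned char *p) { p[0] = (unsigned char)(v >> 8); p[1] = (unsigned char)v; }

/* Write a heartbeat request into server_mem whose length field claims
   claimed_len bytes while only actual_payload bytes are really present.
   Returns the true record length (0 if it would not fit the demo buffer). */
size_t build_request(unsigned int claimed_len, size_t actual_payload) {
    if (3 + actual_payload + HB_PADDING + sizeof SECRET > MEM_SIZE) return 0;
    memset(server_mem, 0, sizeof server_mem);
    unsigned char *p = server_mem;
    *p++ = TLS1_HB_REQUEST;
    s2n(claimed_len, p);
    p += 2;
    memset(p, 'A', actual_payload);
    p += actual_payload;
    memset(p, 0, HB_PADDING);
    p += HB_PADDING;
    size_t rec_len = (size_t)(p - server_mem);
    memcpy(server_mem + rec_len, SECRET, sizeof SECRET);   /* lies just past the record */
    return rec_len;
}

/* Process the record at server_mem[0..rec_len). Follows the shape of
   OpenSSL's heartbeat handler; the two `patched` checks are the 1.0.1g fix.
   Returns the number of response bytes, or 0 if the request is discarded. */
size_t process_heartbeat(size_t rec_len, int patched, unsigned char *resp, size_t resp_cap) {
    const unsigned char *p = server_mem;
    if (patched && (size_t)(1 + 2 + HB_PADDING) > rec_len) return 0;   /* too short for header + padding */
    unsigned char hbtype = *p++;
    unsigned int payload = n2s(p);          /* attacker-controlled length field */
    p += 2;
    const unsigned char *pl = p;
    if (hbtype != TLS1_HB_REQUEST) return 0;
    if (patched && (size_t)(1 + 2 + payload + HB_PADDING) > rec_len) return 0;   /* the missing bounds check */
    if (3 + payload + HB_PADDING > resp_cap) return 0;                  /* response buffer sizing */
    if ((size_t)(pl - server_mem) + payload > MEM_SIZE) return 0;       /* demo-only: keep the over-read inside server_mem */
    unsigned char *bp = resp;
    *bp++ = TLS1_HB_RESPONSE;
    s2n(payload, bp);
    bp += 2;
    memcpy(bp, pl, payload);   /* unpatched: copies `payload` bytes no matter how many were received */
    bp += payload;
    memset(bp, 0, HB_PADDING);
    bp += HB_PADDING;
    return (size_t)(bp - resp);
}

/* True if SECRET appears anywhere in the response bytes. */
int response_contains_secret(const unsigned char *resp, size_t n) {
    size_t m = strlen(SECRET);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(resp + i, SECRET, m) == 0) return 1;
    return 0;
}

/* Run one request end to end: -1 = discarded, 1 = response leaked SECRET, 0 = clean echo. */
int heartbeat_outcome(unsigned int claimed_len, size_t actual_payload, int patched) {
    unsigned char resp[MEM_SIZE + 3 + HB_PADDING];
    size_t rec_len = build_request(claimed_len, actual_payload);
    size_t n = process_heartbeat(rec_len, patched, resp, sizeof resp);
    if (n == 0) return -1;
    return response_contains_secret(resp, n);
}

int main(void) {
    printf("unpatched, claims 128 bytes, sends 4: %s\n",
           heartbeat_outcome(128, 4, 0) == 1 ? "secret leaked" : "no leak");
    printf("patched,   claims 128 bytes, sends 4: %s\n",
           heartbeat_outcome(128, 4, 1) == -1 ? "request discarded" : "answered");
    printf("patched,   honest 4-byte request:     %s\n",
           heartbeat_outcome(4, 4, 1) == 0 ? "echoed" : "unexpected");
    return 0;
}
```

The unpatched path allocates a response sized by the attacker’s length field and copies that many bytes from the request pointer, so the response is well-formed and nothing is logged; the fix simply refuses any request whose stated payload does not fit inside the record that actually arrived.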

The flaw was first reported to the team behind OpenSSL by Google security researcher Neel Mehta, and independently found by security firm Codenomicon. According to the researchers who discovered the flaw, the code has been in OpenSSL for about two years, and using it doesn’t leave a trace.

How bad is that?

It’s really bad. Web servers can keep a lot of information in their active memory, including usernames, passwords, and even the content that users have uploaded to a service. According to Vox.com’s Timothy Lee, even credit-card numbers could be pulled out of the data sitting in memory on the servers that power some services.

But worse than that, the flaw has made it possible for attackers to steal a server’s private key, the secret that lets the server prove its identity and, for connections made without forward secrecy, decrypt its traffic.

With the private key, an attacker who can intercept traffic to and from the site can read it, including recorded traffic from before the patch where the session used RSA key exchange, and can impersonate the site to its users. This means that patching OpenSSL is only the first step: every process that loaded the old library has to be restarted (or the machine rebooted), a new key generated, the certificate reissued and the old one revoked, and only after that does resetting user passwords help. Unless the companies running vulnerable servers replace their keys, even traffic after the patch remains readable.

Am I affected?

Probably, though again, this isn’t simply an issue on your personal computer or your phone — it’s in the software that powers the services you use. Security firm Codenomicon reports:

You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company’s site, commercial site, hobby site, sites you install software from or even sites run by your government might be using vulnerable OpenSSL.

According to a recent Netcraft web server survey of nearly 959,000,000 websites, the two most popular web servers, Apache and nginx, account for about 66% of active sites, and both normally rely on OpenSSL for SSL/TLS; that figure doesn’t include email services, chat services, and the wide variety of apps on every platform that also link against OpenSSL.

Read more: http://www.businessinsider.com/heartbleed-bug-explainer-2014-4#ixzz2yPGdgb5W

The good news is that passwords for services like Facebook and Gmail can be changed. It would be much harder to protect against compromised biometric security measures — what are you gonna do, burn your finger tips and tattoo some new patterns onto them?

Guide to Protecting Online Identity. How to Create Strong Passwords?

Big companies spend millions of dollars to keep customer data secure.
At the same time we, as customers and users, sometimes ignore warnings and suggestions just to make passwords easy to remember.

What makes a password strong (or weak)?


We sometimes keep the same password across all our social media, or even our online banking accounts, for the same reason. Then some of us wonder how it is possible for someone to break in and steal personal data so quickly and from so many accounts.

The goal is to get users to choose better passwords. The problem is that, as creative as humans are, we are far too predictable. Try to write a list of totally random words and some sort of pattern will inevitably emerge. That predictability is exactly what attackers exploit to break passwords in the first place. Selecting good passwords requires education.

Passwords provide the first line of defense against unauthorized access to your computer. The stronger your password, the more protected your computer will be from hackers and malicious software.

What is a password?

A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource (example: an access code is a type of password).

Despite the name, there is no need for passwords to be actual words; indeed passwords which are not actual words may be harder to guess, a desirable property. Some passwords are formed from multiple words and may more accurately be called a passphrase. The term passcode is sometimes used when the secret information is purely numeric, such as the personal identification number (PIN) commonly used for ATM access. Passwords are generally short enough to be easily memorized and typed. (Source: http://en.wikipedia.org/wiki/Password)

Let’s see what some of the biggest companies in the market recommend for protecting your personal data.

How to create strong passwords?

A strong password is an important protection to help you have safer online transactions.

Ways to create a long, complex password:

  • Length. Make your passwords long with eight or more characters.
  • Complexity. Include letters, punctuation, symbols, and numbers. Use the entire keyboard, not just the letters and characters you use or see most often. The greater the variety of characters in your password, the better. However, password hacking software automatically checks for common letter-to-symbol conversions, such as changing “and” to “&” or “to” to “2.”
  • Variation. To keep strong passwords effective, change them often. Set an automatic reminder for yourself to change your passwords on your email, banking, and credit card websites about every three months.
  • Variety. Don’t use the same password for everything. Cybercriminals steal passwords on websites that have very little security, and then they use that same password and user name in more secure environments, such as banking websites.

Some or all of the above might help protect your online transactions.

Suggestions that might help you remember it easily:

  • Start with a sentence or two. Example: Complex passwords are safer.
  • Remove the spaces between the words in the sentence. Example: Complexpasswordsaresafer.
  • Turn words into shorthand or intentionally misspell a word. Example: ComplekspasswordsRsafer.
  • Add length with numbers. Put numbers that are meaningful to you after the sentence. Example: ComplekspasswordsRsafer2011.

Avoid common password pitfalls

Cyber criminals use sophisticated tools that can rapidly decipher passwords.

Avoid creating passwords that use:

  • Dictionary words in any language.
  • Words spelled backwards, common misspellings, and abbreviations.
  • Sequences or repeated characters. Examples: 12345678, 222222, abcdefg, or adjacent letters on your keyboard (qwerty).
  • Personal information. Your name, birthday, driver’s license, passport number, or similar information.

Tips for creating a strong password from Microsoft.
(http://windows.microsoft.com/en-US/windows-vista/Tips-for-creating-a-strong-password)

You should make sure you have strong passwords for all accounts on your computer. If you’re using a corporate network, your network administrator might require you to use a strong password.

What makes a password strong (or weak)?

A strong password:

  • Is at least eight characters long.
  • Does not contain your user name, real name, or company name.
  • Does not contain a complete word.
  • Is significantly different from previous passwords.
  • Contains characters from each of the following four categories:

  • Uppercase letters: A, B, C
  • Lowercase letters: a, b, c
  • Numbers: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
  • Symbols found on the keyboard (all keyboard characters not defined as letters or numerals) and spaces: ` ~ ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | : ; " ' < > , . ? /

A password might meet all the criteria above and still be a weak password.

How to choose a strong password – simple tips for better security

Password best practices, created by NASA:

It should contain at least eight characters

It should contain a mix of four different types of characters – upper case letters, lower case letters, numbers, and special characters such as !@#$%^&*,;” If there is only one letter or special character, it should not be either the first or last character in the password.

It should not be a name, a slang word, or any word in the dictionary. It should not include any part of your name or your e-mail address.

Following that advice, of course, means you’ll create a password that will be impossible to remember, unless you try a trick credited to security expert Bruce Schneier: turn a sentence into a password.

For example, “Now I lay me down to sleep” might become nilmDOWN2s, a 10-character password that won’t be found in any dictionary.

Can’t remember that password?

Schneier says it’s OK to write it down and put it in your wallet, or better yet keep a hint in your wallet.

Just don’t also include a list of the sites and services that password works with.

Try to use a different password on every service, but if you can’t do that, at least develop a set of passwords that you use at different sites.

Password tips from Google.

(https://accounts.google.com/PasswordHelp)

Tips for creating a secure password:

  • Include punctuation marks and/or numbers.
  • Mix capital and lowercase letters.
  • Include similar looking substitutions, such as the number zero for the letter ‘O’ or ‘$’ for the letter ‘S’.
  • Create a unique acronym.
  • Include phonetic replacements, such as ‘Luv 2 Laf’ for ‘Love to Laugh’.

Things to avoid:

  • Don’t reuse passwords for multiple important accounts, such as Gmail and online banking.
  • Don’t use a password that is listed as an example of how to pick a good password.
  • Don’t use a password that contains personal information (name, birth date, etc.)
  • Don’t use words or acronyms that can be found in a dictionary.
  • Don’t use keyboard patterns (asdf) or sequential numbers (1234).
  • Don’t make your password all numbers, uppercase letters or lowercase letters.
  • Don’t use repeating characters (aa11).

Tips for keeping your password secure:

  • Never tell your password to anyone (this includes significant others, roommates, parrots, etc.).
  • Never write your password down.
  • Never send your password by email.
  • Periodically test your current password and change it to a new one.

As you can see, some of the rules and tips repeat, and that makes sense: if a password is harder to guess, it is harder to break.

Passwords combining letters and numbers such as passw0rd (with the “o” replaced by a zero), abc123 or Hello2U! meet the letter-and-number rule but are very easy to guess and therefore insecure: passw0rd and abc123 both appear in the list of most common passwords below, and Hello2U! is a published example. H3ll0 2 U! is only marginally better. The substitutions and spaces give a cracking tool a few more candidates to try, but such tools apply exactly these substitutions automatically, so the real gain comes from length and from starting with something that is not a dictionary word or a well-known phrase.



“Worst Passwords” of 2011 revealed: the most popular weak passwords

1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
11. baseball
12. 111111
13. iloveyou
14. master
15. sunshine
16. ashley
17. bailey
18. passw0rd
19. shadow
20. 123123
21. 654321
22. superman
23. qazwsx
24. michael
25. football
26. princess
27. rockyou
28. and of course the all-time favorite bad word and its variations, e.g. f***you (sorry, but it is very common and not secure)
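A checker that applies the rules collected above, as an added example that is not Microsoft’s, NASA’s or Google’s code: the eight-character minimum, Microsoft’s four character classes, the sequence and keyboard-pattern rules, and a blocklist built from the worst-passwords list, compared both as typed and after undoing the letter-to-symbol substitutions that cracking tools try automatically. The blocklist, the substitution table and the sample passwords are constructed for the demo; a real deployment would check against a breached-password corpus with millions of entries.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum pw_result {
    PW_OK = 0,
    PW_TOO_SHORT,       /* fewer than 8 characters */
    PW_COMMON,          /* matches a known-bad password, as typed or after undoing substitutions */
    PW_PATTERN,         /* abc/123 runs, repeated characters or a keyboard walk */
    PW_MISSING_CLASS    /* lacks one of upper, lower, digit, symbol/space */
};

/* Constructed blocklist: entries from the worst-passwords list on this page
   plus example passwords published in guides. */
static const char *BLOCKLIST[] = {
    "password", "123456", "12345678", "qwerty", "abc123", "monkey", "1234567",
    "letmein", "trustno1", "dragon", "baseball", "iloveyou", "sunshine",
    "passw0rd", "hello2u", NULL
};
static const char *KEYBOARD_RUNS[] = { "qwerty", "asdf", "zxcv", "qazwsx", "1qaz", NULL };

/* Lowercase pw and drop non-alphanumerics; with deleet set, first undo the
   substitutions ("0" for "o", "$" for "s", ...) that cracking rule sets apply. */
static void normalise(const char *pw, int deleet, char *out, size_t cap) {
    size_t n = 0;
    for (; *pw && n + 1 < cap; pw++) {
        int c = tolower((unsigned char)*pw);
        if (deleet) {
            switch (c) {
                case '0':           c = 'o'; break;
                case '1':           c = 'i'; break;
                case '3':           c = 'e'; break;
                case '4': case '@': c = 'a'; break;
                case '5': case '$': c = 's'; break;
                case '7':           c = 't'; break;
                default: break;
            }
        }
        if (isalnum(c)) out[n++] = (char)c;
    }
    out[n] = '\0';
}

static int in_blocklist(const char *pw) {
    char plain[128], leet[128];
    normalise(pw, 0, plain, sizeof plain);
    normalise(pw, 1, leet, sizeof leet);
    for (const char **e = BLOCKLIST; *e; e++)
        if (strcmp(plain, *e) == 0 || strcmp(leet, *e) == 0) return 1;
    return 0;
}

/* Three or more ascending, descending or identical characters, or a keyboard walk. */
static int has_pattern(const char *pw) {
    char lower[128];
    normalise(pw, 0, lower, sizeof lower);
    for (const char **r = KEYBOARD_RUNS; *r; r++)
        if (strstr(lower, *r)) return 1;
    for (size_t i = 0; pw[i] && pw[i + 1] && pw[i + 2]; i++) {
        int a = pw[i], b = pw[i + 1], c = pw[i + 2];
        if ((a == b && b == c) || (b == a + 1 && c == b + 1) || (b == a - 1 && c == b - 1))
            return 1;
    }
    return 0;
}

/* Microsoft's four categories; symbols and spaces share the fourth. */
static int has_all_classes(const char *pw) {
    int up = 0, lo = 0, dg = 0, sy = 0;
    for (; *pw; pw++) {
        unsigned char c = (unsigned char)*pw;
        if (isupper(c)) up = 1;
        else if (islower(c)) lo = 1;
        else if (isdigit(c)) dg = 1;
        else sy = 1;
    }
    return up && lo && dg && sy;
}

/* Order matters: a common password that happens to mix character classes
   (Hello2U!, passw0rd) must fail as common, not pass as complex. */
enum pw_result password_check(const char *pw) {
    if (strlen(pw) < 8) return PW_TOO_SHORT;
    if (in_blocklist(pw)) return PW_COMMON;
    if (has_pattern(pw)) return PW_PATTERN;
    if (!has_all_classes(pw)) return PW_MISSING_CLASS;
    return PW_OK;
}

int main(void) {
    static const char *label[] = { "ok", "too short", "common password (after undoing substitutions)",
                                   "sequence, repeat or keyboard walk", "missing a character class" };
    const char *samples[] = { "Short1!", "passw0rd", "Hello2U!", "H3ll0 2 U!",
                              "abc12345", "nilmDOWN2s", "nilmDOWN2s!" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s\n", samples[i], label[password_check(samples[i])]);
    return 0;
}
```

Note what the ordering buys: Hello2U! and H3ll0 2 U! satisfy every character-class rule on this page yet both normalise to hello2u and are rejected as common, while Schneier’s nilmDOWN2s passes the blocklist and pattern checks and fails only the NASA-style four-class rule until a symbol is appended.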

References and Related reading:

  • Reset Joomla Administrator Password (How do I recover my Joomla admin password?)
  • Suggested by Microsoft: 6 rules for safer financial transactions online
  • Test the strength of your passwords
  • Military Password Analysis
  • American Express: Strong Credit, Weak Passwords
  • Top 5 Ways People Get Their Identities Stolen
  • Password (Wikipedia): http://en.wikipedia.org/wiki/Password
  • Ten Windows Password Myths