HeartBleep and Passwords

Started by ZLoth, May 05, 2014, 01:13:00 AM


ZLoth

I have spent the past week changing all of my website passwords thanks to the HeartBleep vulnerability. OK, OK, I know it is called HeartBleed, but if you had to change all of the passwords, you can understand what kind of a bleep it is. The last time I changed all of my passwords was in 2010 from about six unique passwords to a unique password for each website. To manage my passwords, I use KeePass as my master password manager, and a small subset of those passwords are kept in LastPass. The password file is backed up from my USB drive to a hard drive using FreeFileSync and is regularly backed up to my Dropbox account. When two-factor authentication became available, I activated it on all of my accounts.

Now, I'm no security expert, but I have done some programming. One of the things that I learned is that you use a one-way encryption algorithm to encrypt a password as a hash. As an example, take the password TrustNo1! . That password passes all the short password requirements, and turns into the following hashes:

CRC32: 415bbeab
MD5: 012f6e0c2e86fdba9035307528a36557
SHA1: d32662aaa15f94cdbfdeec83b49c4d6cd73d6c04
SHA256: 81ccbefbd0adad93d912fcb02faa23fbd6f3556d7176027f48982359d44eef74

Now, I hope no one uses TrustNo1! as it is considered one of the thirty most common passwords according to How Secure Is My Password?. Also, if you are a good programmer, you would "salt" the password with additional and unique text, plus encrypt the password prior to storing it in your database. So, a password that I would actually use, like T[5X];H8%.`}<IZ6/zY;y0.]594{\D29 , would show up as follows:

CRC32: 5d2d4047
MD5: 38e9f34eb86f107ed9532815e782d6bb
SHA1: 6b9c7afd3d19619e4bd92afd0f420ca8b69b924b
SHA256: ecdaa6e0aa553fb4f4b67fccaa7ffb6e1070fe5737df529c35533bbd9bb6b794

Thus, by using a hash, there should be no limitation on how long my password is or what characters I use. The minimum requirements are checked as well as proper sanitizing at the front-end such as the web browser, but there should be no maximum.

My actual experience scares me. To me, the sites in need of long secure password are the ones that are essential to my life and well-being which are the financial sites (brokerage, banking, retirement, health care). If those sites are broken into, my quality of life and the ability to pay bills would be severely affected. Yet, those are the sites which had the shortest maximum password and the restrictions on the character sets that I could use. Sure, I could use letters and numbers. How about special characters? Good luck. At least the site with the shortest maximum password also had a second factor verification in place. Most of the others only had measures in place to prevent phishing. I guess all they care about is protecting THEIR money, not mine.

The next critical secure sites happen to be email. Before you laugh, consider that a Forgot Password routine sends you a recovery method via your registered email account. If it's a good password recovery routine, you will need to click on an emailed link to recover your password. A bad password recovery routine sends you your password, which means they are not using a one-way encryption. The good part is that my main email account allows a very long password and the choice of characters. The bonus part is that the webmail uses two-factor authentication. The ones that don't are my dump accounts for testing.

Which brings up online shopping. Again, a mixed bag. The site that I use almost constantly, Amazon, allows for long passwords, but does not have two-factor authentication (to the best of my knowledge). Some of the other shopping sites again have the short password requirements, and all except Steam do not employ two-factor authentication.

And, the sites which allow me to use long passwords from any character set are the web forums such as this one. 100 character password? No problem. Any characters? No problem. Of course, if someone hacks my web forum password, all that I would suffer is a blemished reputation.

Now, I will admit that a strong and secure password is only one part of the equation. There are methods that should be employed at the server end to secure things down. Yet, if past experience is any indication, while the IT people want to secure things down, the accountants and MBAs are looking at the expense and vetoing the badly needed improvement. After all, IT costs money and they want to reduce expenses as much as possible. They are more focused on getting more sales. Yet, they have the money to clean up the mess caused by not properly securing stuff in the first place. All that I can do is secure my end.
Welcome to Breezewood, PA... the parking lot between I-70 and I-70.
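The point of the post is that a hashed password has a fixed-size output whatever the input length, and that a per-user salt makes the same password store differently on every site. This is an added example, not code from the post; it uses PBKDF2-HMAC-SHA256 from the Python standard library as the salted scheme, and the iteration count is an assumption chosen for the example.

```python
import hashlib
import hmac
import os
import zlib
from typing import Dict, Optional, Tuple

# Assumption for this example: a fixed PBKDF2 iteration count (real deployments tune this upward).
PBKDF2_ITERATIONS = 200_000


def plain_digests(password: str) -> Dict[str, str]:
    """Unsalted digests of the kind listed in the post. Same input always gives the same output,
    which is why an unsalted table of common passwords can be looked up directly."""
    data = password.encode("utf-8")
    return {
        "CRC32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",  # a checksum, not a password hash
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
    }


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash. The output is always 32 bytes, so the password itself can be any length;
    a unique random salt per user means identical passwords produce different stored values."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time. Nothing here can recover the
    password from the stored digest, so a site using this cannot email it back to you."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    salt, stored = hash_password("TrustNo1!")
    print("stored digest length:", len(stored), "bytes, regardless of password length")
    print("verify correct password:", verify_password("TrustNo1!", salt, stored))
```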


txstateends

Quote:sleep: I am a day sleeper. My enemies are the sun, Jack Hammer, Lawn Mowers, and table saws.

Don't forget leaf blowers!!!  Quite popular where I live (and try to sleep)....

Thanx for the password manager suggestions, I guess I need to break down and do that--I've been forgetting more passwords than I can remember lately.  :-/

ZLoth

I forgot to mention this last night. Here is an actual code example that has caused pain for me when changing passwords.

<input style="(style info deleted)" name="iPassword3" size="15" maxlength="12" class="entryfields" oncopy="return false" ondrag="return false" ondrop="return false" autocomplete="off" type="password">

That input tag contains JavaScript handlers that prevent me from dragging and dropping a password, or even pasting a password from my password manager into the site in question. What were the password requirements? "Your Password must be 6 to 12 characters and contain at least 1 uppercase letter and at least 1 number." And, what is the purpose of the account? To manage my toll tag when driving into a nearby metropolitan area. What was the solution? Disable JavaScript in the browser using an addon.

I should also note that I use a Password Card on those rare instances where KeePass would be unavailable to me. Fortunately, there is also an Android application and an iPhone application, which means that a crook cannot figure out the password of the month from finger smudges.

ZLoth

Quote from: txstateends on May 05, 2014, 07:48:11 AM
Quote:sleep: I am a day sleeper. My enemies are the sun, Jack Hammer, Lawn Mowers, and table saws.

Don't forget leaf blowers!!!  Quite popular where I live (and try to sleep)....

Thanx for the password manager suggestions, I guess I need to break down and do that--I've been forgetting more passwords than I can remember lately.  :-/
You had to remind me about leaf blowers.  :poke:

Did I mention that KeePass is free?

vdeane

Quote from: ZLoth on May 05, 2014, 08:42:24 AM
I forgot to mention this last night. Here is an actual code example that has caused pain for me when changing passwords.

<input style="(style info deleted)" name="iPassword3" size="15" maxlength="12" class="entryfields" oncopy="return false" ondrag="return false" ondrop="return false" autocomplete="off" type="password">

That input tag contains JavaScript handlers that prevent me from dragging and dropping a password, or even pasting a password from my password manager into the site in question. What were the password requirements? "Your Password must be 6 to 12 characters and contain at least 1 uppercase letter and at least 1 number." And, what is the purpose of the account? To manage my toll tag when driving into a nearby metropolitan area. What was the solution? Disable JavaScript in the browser using an addon.

I should also note that I use a Password Card on those rare instances where KeePass would be unavailable to me. Fortunately, there is also an Android application and an iPhone application, which means that a crook cannot figure out the password of the month from finger smudges.
The maximum length also hints at a lack of one-way encryption.  Hashes don't care about length.

Amazon also allows unlimited password retries, so a script could just keep hitting one's account with logon attempts and Amazon wouldn't care.
Please note: All comments here represent my own personal opinion and do not reflect the official position of NYSDOT or its affiliates.

Zeffy

I use LastPass for most of my passwords, and I have a text file in very random places on my PC that contains other passwords since my memory is shitty. My PC has NEVER been hacked because I use a bunch of security programs and I'm not stupid enough to fall for common trojan & rootkit traps.

My passwords all contain symbols, mixed caps and numbers.
Life would be boring if we didn't take an offramp every once in a while

A weird combination of a weather geek, roadgeek, car enthusiast and furry mixed with many anxiety related disorders

sammi

On the other end of the scale, there's mob-rule.com. :-D

For most of my passwords, I use a variant of a certain four-word phrase (it's not correct horse battery staple :spin:). As in, letters would be replaced with numbers or symbols, depending on which one resembles that letter.

For accounts that my family also uses, or the ones with maximum password length limits (what would the point of that be anyway?), I use variants of a different shorter password; they all differ by the same substitutions I make with my longer password.

My Twitter account used the long password, but someone logged in and started spamming my news feed, so I changed it to another four-word phrase (part of which is the same as with the original phrase). I don't think they can break into any of my other accounts, because Twitter was the only one left at the time that was under my... "old" name.

I actually have shortcuts on my computer to type the whole thing out. Certain three-letter combinations preceded by ] make AutoHotKey type my different passwords.
