Support NeoGAF

[Persona7]

My password database is currently sitting at 260 entries. I already changed the most important ones but oh god this is taking forever.

I have like 34 and that is way too much for me to handle.

 

[YoungFa]

Hopefully this get fixed soon, and all these people who were using it to sell the data loose their business model.

 

[anonymous_abc]

One thing I love about going through and updating your passwords is that you really see some hilarious incompetence:

- GameFly: Maximum 12 characters
- Redbox: 12 characters
- Porter (Canadian Airline): 13 characters
- uPlay (hacked this year): Maximum 16 characters
- ETS (Test runners for the GRE): Maximum 16 characters, no symbols allowed
- FutureShop (Canadian retailer): Maximum somewhere around 30 characters, but if your password is too long, the error you get is that your password isn't long enough
- Desura: No max password length when you go to reset your password, 30 character max when you go to sign in.
- Monoprice: I have a 30+ character password. I can login just fine. But when I go to change my password, maximum length is 20 characters. Setting aside the wisdom of that, to change my password I need to enter my current password... but the field for my current password has a limit of 20 characters.
- Photobucket: No symbols allowed
- Shinyloot: No symbols allowed

This sort of thing always bugs the hell out of me, oh you want me to use secure passwords, and oh your limiting me to using 16 letters, thanks for that. Twats...

 

[teacupcopter]

Hey my email address with Neogaf was my university email address back when I studied. I have no access to that and now only have a gmail account. What can I do?

 

[D4Danger]

This sort of thing always bugs the hell out of me, oh you want me to use secure passwords, and oh your limiting me to using 16 letters, thanks for that. Twats...

not being able to use symbols is worse. It's like telling hackers the passwords are rubbish and can be cracked in 3 seconds.

Hey my email address with Neogaf was my university email address back when I studied. I have no access to that and now only have a gmail account. What can I do?

PM a mod. http://www.neogaf.com/forum/showgroups.php

 

[Slayer-33]

So wait, this isn't an issue for people on Windows?

 

[anonymous_abc]

So wait, this isn't an issue for people on Windows?

What gives you that impression?
It's an issue for everyone.

 

[D4Danger]

So wait, this isn't an issue for people on Windows?

yes. It's a bug on the server side so everyone is affected if they use a site that uses OpenSSL (which you most certainly do)

 

[Almighty]

Well that sucks. It sucks even more that i just heard about this today. Looks like I will be spending some time tomorrow updating all my important passwords.

 

[Daffy Duck]

Using Lastpass security check it highlights the sites below as having had problems that I have accounts for..

o2.co.uk
rockstargames.com
yahoo.com

 

[BlackBuzzard]

So is steam/PSN webstore or any other gaming service/site affected by this?

 

[Baron von Loathsome]

So is steam/PSN webstore or any other gaming service/site affected by this?

Steam Community uses OpenSSL.

 

[BlackBuzzard]

Steam Community uses OpenSSL.

Am i safe if i have only logged in from the steam service itself, or is it best just to reset my PW?

 

[anonymous_abc]

Am i safe if i have only logged in from the steam service itself, or is it best just to reset my PW?

That can never harm.

 

[Futureman]

My bank (PNC) doesn't allow password with symbols. That's bullshit.

Is there some technical reason a website wouldn't allow symbols?

 

[anonymous_abc]

My bank (PNC) doesn't allow password with symbols. That's bullshit.

Is there some technical reason a website wouldn't allow symbols?

They use shitty character encoding.

Spoiler

No not really, especially for my bank I want a tripple secure password, makes me angry... My bank only alows @ as a special character. wtf...

 

[Stumpokapow]

not being able to use symbols is worse. It's like telling hackers the passwords are rubbish and can be cracked in 3 seconds.

A twelve character random password with alphanumeric has (62^12) possibilities with 71 bits of entropy. With symbols is around (93^12) possibilities, or about 129 times as secure with 78 bits of entropy. So symbols add a significant amount of entropy, but...

A fifty character random password with symbols is 82300000000000000000000000000000000000000000000000000000000000000000000000000 times as secure as a twelve character password that's just alphanumeric. 329 bits of entropy. Length is what you want to add entropy rather than just extended symbol sets.

The real problem is that most people don't use remotely random passwords to begin with, so the effective entropy of their 8-10 character password is near-0 to begin with. Like, if all your passwords are single English words of 8-12 letters with single letter-to-number substitutions, then your entropy is less than 20 bits, or around 3100000000000000 times less secure than a 12 letter alphanumeric random password.

 

[Solo]

Anyone log into their G-mail account yet?

 

[pestul]

Anyone log into their G-mail account yet?

Several times in the past few days. I have 2-step though. I use an authenticator for my Microsoft account.

 

[Solo]

Should I log in, change my PW, and switch to 2 step?

 

[anonymous_abc]

Should I log in, change my PW, and switch to 2 step?

If you aren't using 2 step now you are doing it wrong!

 

[Solo]

Yeah yeah blah blah blah.....doesn't help me with the current predicament!

 

[indigo-cyclops]

Is Amazon vulnerable still? I just started reading about this this morning and stupidly went in and changed my password before realizing that it's probably not a good idea to yet. Now I feel like I'm fucked. Any reassurance available?

 

[anonymous_abc]

Yeah yeah blah blah blah.....doesn't help me with the current predicament!

just go and change your password and activate 2 step, whats the problem? Even if they are still vunerable at least you have the second step protecting you.

 

[torontoml]

Gonna ask again does this bug effect apps like netflix on my ps4 or is it only through browsers?

 

[anonymous_abc]

Gonna ask again does this bug effect apps like netflix on my ps4 or is it only through browsers?

It's a server side issue, so I doubt the client makes much of a difference.

 

[sprsk]

Does it matter if I'm currently logged in or do I have to actually enter a password?

 

[anonymous_abc]

Does it matter if I'm currently logged in or do I have to actually enter a password?

you have to have entered the password recently.
Mind you the vunerabiltiy has been around a while, so it seems fair to assume noone is safe....

 

[Phoenix]

My bank (PNC) doesn't allow password with symbols. That's bullshit.

Is there some technical reason a website wouldn't allow symbols?

I would advise you to complain. I've found that banks have absurdly worse password security rules than pretty much anything. No special characters, shorter phrases, etc. I remember chatting with someone from American Express to get them to explain why only 4 special characters were allowed and why that made no fucking sense whatsoever.

 

[Phoenix]

Should I log in, change my PW, and switch to 2 step?

You should be using 2-step at any place that offers 2 step.

 

[torontoml]

So should I be changing my passwords now or still waiting? I know I can check http://filippo.io/Heartbleed/ to see if sites are still vulnerable, but I have read here that if it comes up red once in a million then it's still vulnerable, so how would I really know?

 

[Phoenix]

So should I be changing my passwords now or still waiting? I know I can check http://filippo.io/Heartbleed/ to see if sites are still vulnerable, but I have read here that if it comes up red once in a million then it's still vulnerable, so how would I really know?

Wait for the site you're using to issue a statement or reach out to them directly.

 

[TangoAlphaLima]

I feel like we're gonna end up with congressional hearings on this shit.

 

[Solo]

You should be using 2-step at any place that offers 2 step.

I understand that now, but I guess I'm still iffy on logging in to make that change. If Google is vulnerable (which allegedly they are not), aren't I taking a risk by signing in to change my PW/activate 2 step?

 

[Enco]

Last pass tells you which accounts are linked to the issue and tells you when you should change your password. Such awesome software and people.

http://lifehacker.com/lastpass-now-tells-you-which-heartbleed-affected-passwo-1561522244

 

[LiK]

So should I be changing my passwords now or still waiting? I know I can check http://filippo.io/Heartbleed/ to see if sites are still vulnerable, but I have read here that if it comes up red once in a million then it's still vulnerable, so how would I really know?

I like Mashable's list. Thy actually show who's been affected or fixed and asked for comments from the sites as well.

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/?utm_cid=mash-com-Tw-main-link

 

[indigo-cyclops]

I like Mashable's list. Thy actually show who's been affected or fixed and asked for comments from the sites as well.

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/?utm_cid=mash-com-Tw-main-link

Great list, thanks. So im assuming one should be changing Lastpass master password ASAP?

 

[NHale]

Great list, thanks. So im assuming one should be changing Lastpass master password ASAP?

If you believe what Lastpass statement says, no.

Mashable list is garbage imo. Netflix is unclear while Lastpass is a yes? Sure...

 

[Deleted member 12837]

Is Amazon vulnerable still? I just started reading about this this morning and stupidly went in and changed my password before realizing that it's probably not a good idea to yet. Now I feel like I'm fucked. Any reassurance available?

When was it ever vulnerable? It hasn't been on any list that I've come across so far.

 

[anonymous_abc]

I understand that now, but I guess I'm still iffy on logging in to make that change. If Google is vulnerable (which allegedly they are not), aren't I taking a risk by signing in to change my PW/activate 2 step?

while your password might be compromised you will have the added 2 step to protect you from any nefarious activities, there is no real downside here.

 

[torontoml]

I like Mashable's list. Thy actually show who's been affected or fixed and asked for comments from the sites as well.

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/?utm_cid=mash-com-Tw-main-link

Thanks, it seemed like netflix made a statement there are we waiting for another one?

 

[NekoFever]

I don't think I've heard a story about this on the radio so far today where they haven't referred to it as a virus.

 

[indigo-cyclops]

If you believe what Lastpass statement says, no.

Mashable list is garbage imo. Netflix is unclear while Lastpass is a yes? Sure...

Yea that's what has me confused.

When was it ever vulnerable? It hasn't been on any list that I've come across so far.

Right, like I said I just found out about this today so I wasn't following it. You're right, it seems like they were never vulnerable. Didn't mean to spread panic.

 

[Tamanon]

I don't think I've heard a story about this on the radio so far today where they haven't referred to it as a virus.

Eh, it's pretty much the only way they can explain it and get most people to understand they should freak out about it.

 

[Phoenix]

I understand that now, but I guess I'm still iffy on logging in to make that change. If Google is vulnerable (which allegedly they are not), aren't I taking a risk by signing in to change my PW/activate 2 step?

PM me and I can walk you through it.

 

[BlackBuzzard]

Well thanks for the info have reset a few passwords gonna do the rest even one's not affected in a few days.

 

[anonymous_abc]

Changed the major passwords, email, social, shopping, banking. Don't care about less curtail ones for now as they are all unique anyway.

 

[Mr.Mike]

So how many passwords does everyone use?

I've got like 2 and a half that I use depending on how important that site is, although I'm thinking that I'll probably start using a third super secure one just for my banking, since the one I created with my bank account has since been spread a bit too far onto sites that are important but maybe not so important that I should be spreading my banking info so far around to all of them (mainly my uni account and various government accounts).

Also, yesterday the CBC segment on Heartbleed advised people to hold off on changing their passwords until this exploit had been fixed. How long should people wait until they start going through all their passwords?

 

[anonymous_abc]

So how many passwords does everyone use?

I've got like 2 and a half that I use depending on how important that site is, although I'm thinking that I'll probably start using a third super secure one just for my banking, since the one I created with my bank account has since been spread a bit too far onto sites that are important but maybe not so important that I should be spreading my banking info so far around to all of them (mainly my uni account and various government accounts).

Also, yesterday the CBC segment on Heartbleed advised people to hold off on changing their passwords until this exploit had been fixed. How long should people wait until they start going through all their passwords?

I've been using a password manager Strip for a while now. Ever since all my passwords have been unique, long and secure. Even if the PSN is hacked again I just have to change the password there because I am not using it anywhere else.

I would assume most big/important sites will have been updated by now so you should be able change your passwords.

It'll undoubtedly be months till all sites that use OpenSSL are fixed...

 

[fallout]

So how many passwords does everyone use?

I use a different password for everything.