
Heartbleed SSL bug serious vulnerability impacting major services, being patched now

Status
Not open for further replies.
Does it matter if I'm currently logged in or do I have to actually enter a password?
If you're currently logged in to a vulnerable site, your session cookie (at least) is vulnerable, as is your new password if you choose to change it.

So I guess the best thing to do if you've got an active session on a vulnerable site that you've started using is to hit log out and hope they fix soon, then change your password when they do.
 
So if your site is unaffected or fine, should we still change our passwords? And I just logged out of eBay; when should I change my password?
 
If you've used the same password on an infected site, might as well.

Unaffected sites should be fine to keep the same. You won't lose anything by changing though.

Personally I'm only changing infected sites.

And just make sure the site has been fixed before changing.
 
Was Comcast infected? Ah, I see. Wish I had a list showing everything that was infected. That one I posted above doesn't seem that big.
 

Okay thanks, Will do.
 
But none of them are saying anything whatsoever. Not even Valve is commenting on Steam. Dropbox? MS? No one is talking.
I've tried reaching certain sites, but none of them even give a proper answer or put me on hold indefinitely. I know that we can test current vulnerabilities ourselves, but all of these websites should be keeping us up to date, rather than us having to run behind them and try to figure out what's going on.

EDIT: I don't even know if we can trust sites when they say they've fixed it. I mean, Dropbox said on twitter that they updated and "fixed" it, but the comments below it say that the certificates have not been updated. It's not that fucking difficult. State on the main page of your site the following things: Whether you were affected or not + whether you updated both your version AND your certificates. That's it, I don't understand why everyone is so vague as fuck.

I have the same problem. Here an airline was hit, so I tried to contact their competitor, with whom I have my information registered, but their customer support knows nothing about Heartbleed at all. It really bugs me as it's the last site I need to change. And so far the only sites that have given me a clear message on their pages are my bank and Tumblr.
 
Hmm, LastPass Security Check is giving me a lot more positives among my stored sites today than it did yesterday. New ones include Amazon, Google, Facebook and Dropbox. All of these get a "wait" recommendation, i.e. they haven't renewed their certs yet. Yikes.
 
Yeah, I wish there was a more definitive list of sites somewhere - the LastPass check is great, but I find that almost every site I put in there is a "Potentially maybe? I dunno. You should change your password anyways - but not yet!"


Also I noticed that Valve's updated their certs for steamcommunity.com but not yet for steampowered.com, which seems odd.
 
My bank (PNC) doesn't allow passwords with symbols. That's bullshit.

Is there some technical reason a website wouldn't allow symbols?

Do your banks allow you to perform critical actions (such as money transactions) with just a simple password login? No Swedish bank does that, AFAIK. If I log in with my password I can only transfer money between my own accounts, and that's pretty much it. To do anything more significant than that I need to login using either my physical bank thingy (a little calculator-like thing where you enter a code and get another one back, which you then enter on the site - and these codes change continuously) or the Bank ID app on my phone (identifies me via a Bank ID that is tied specifically to me, plus a security code). Anyone who doesn't have access to one of those can't do any actual harm. Seems like this sort of stuff should be mandatory for online banking.

Is Amazon vulnerable still? I just started reading about this this morning and stupidly went in and changed my password before realizing that it's probably not a good idea to yet. Now I feel like I'm fucked. Any reassurance available?

According to LastPass Amazon is vulnerable, yes.

So how many passwords does everyone use?

Different ones for every site (with a few exceptions). And they are all completely random and strong. Thank you, LastPass.
 
But it's important to understand what's being said:

- If something is flagged because it hasn't renewed its cert, but wasn't vulnerable to begin with, then it's not magically vulnerable now. You should only care about the cert renewal if the site was vulnerable to begin with.

- The nature of the bug is such that it's quite highly unlikely private keys were compromised; the far bigger attack vector is leaking account information, and that's been fixed as long as the company has patched even if they haven't renewed their certs. Obviously, better safe than sorry, but I think there are lottery-like odds that anyone got private keys.
 
Yeah, but my understanding is that LastPass only lists sites that are or have been vulnerable, and then recommends an action based on whether each site has renewed their cert or not. But I guess maybe it also lists potentially vulnerable sites that may in fact be safe. Better to be safe than sorry, I suppose.
 
I guess I really should start using a password manager. Is there any in particular you guys recommend?

I've been looking at LastPass, because I do think I'd rather have this stuff stored somewhere safe in the cloud than having to worry about it locally.
 
If you want cloud access to your data, LastPass is definitely the way to go. If you feel more secure with just having it locally KeePass is often recommended. But yeah, LastPass is great. Have been using it for a few years now, haven't had a single issue. You can also create local backups of your password database, so that you can still access it in the unlikely event that their servers get wiped out or something (the extension also stores your database locally, so as long as you don't uninstall that you should still be safe).
 
LastPass is great and a worthy recommendation, but both KeePass and 1Password are totally fine for cloud storage of auth data so if you're like me and want access on the go but always have at least one device you can run 1Password from then either KP or 1P are good.
 
The pros of LastPass outweigh any perceived cons.

KP is far far too inconvenient. No way I could fit that into my life. LP is amazing and beats all other services in my opinion. The way they handle everything makes it pretty much impenetrable. Don't see how it's less safe than using another service and putting your database on Dropbox. If anything, I would trust Dropbox less.

Just changed some passwords to a sequence of 21 random characters. #YOLOSAFETY
 
Honestly, this has made me almost for sure getting LastPass premium. I've never paid them for anything, but they seem like a great company and I almost feel obligated now. Mobile app will be a nice benefit (especially with their recent Android changes).
 
commit of the day (OpenBSD)

http://www.openbsd.org/cgi-bin/cvsw...le?rev=1.29;content-type=text/x-cvsweb-markup

Disable Seggelmann's RFC 6520 heartbeat.

I am completely blown away that the same IETF that cannot efficiently
allocate needed protocol, service numbers, or other such things when
they are needed, can so quickly and easily rubber stamp the addition
of a 64K Covert Channel in a critical protocol. The organization
should look at itself very carefully, find out how this happened,
and everyone who allowed this to happen on their watch should be
evicted from the decision making process. IETF, I don't trust you.
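
The "64K Covert Channel" in that commit message is the 16-bit payload_length field of the RFC 6520 heartbeat. The following is an added illustration, not code from the page, from OpenSSL or from OpenBSD: it simulates a heartbeat responder over a small constructed memory arena, once trusting the peer's length field the way the unpatched code did and once applying the record-length check that the OpenSSL 1.0.1g fix introduced. The arena, the "ping" payload and the session cookie placed behind the record are all constructed for the demo; the real over-read had no 256-byte boundary and could return up to 64 KiB of whatever followed the record.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520):
 *   uint8   type            (1 = heartbeat_request, 2 = heartbeat_response)
 *   uint16  payload_length  (big-endian)
 *   opaque  payload[payload_length]
 *   opaque  padding[>= 16]
 * The responder echoes the payload. The bug was believing payload_length
 * instead of checking it against the record that was actually received. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Stand-in for the process heap (constructed for this demo): the received
 * record goes at the front and unrelated data the process happened to hold
 * sits right behind it. Kept small so the over-read stays inside memory we
 * own; real OpenSSL had no such boundary. */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];

/* Write a heartbeat request into the arena. `claimed` goes into the
 * payload_length field; `actual` is how many payload bytes really follow.
 * `neighbour` is the unrelated data placed after the record. Returns the
 * true record length as the TLS layer would report it (0 if it won't fit). */
size_t build_request(uint16_t claimed, const unsigned char *payload,
                     size_t actual, const char *neighbour)
{
    size_t record_len = 3 + actual + HB_PADDING;   /* padding left zeroed */
    size_t nlen = strlen(neighbour);

    if (record_len > ARENA_SIZE) return 0;
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memcpy(arena + 3, payload, actual);
    if (nlen > ARENA_SIZE - record_len) nlen = ARENA_SIZE - record_len;
    memcpy(arena + record_len, neighbour, nlen);
    return record_len;
}

/* Unpatched responder (OpenSSL before 1.0.1g): trusts payload_length and
 * copies that many bytes out of the record. Returns the response length. */
size_t heartbeat_vulnerable(size_t record_len, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = arena;
    uint16_t payload;

    (void)record_len;                 /* never consulted: this is the bug */
    if (p[0] != HB_REQUEST) return 0;
    payload = (uint16_t)((p[1] << 8) | p[2]);

    /* Simulation guard only, so the copy stays inside our arena and the
     * caller's buffer. The real code had no equivalent check. */
    if ((size_t)3 + payload > ARENA_SIZE) return 0;
    if ((size_t)3 + payload + HB_PADDING > out_cap) return 0;

    out[0] = HB_RESPONSE;
    out[1] = p[1];
    out[2] = p[2];
    memcpy(out + 3, p + 3, payload);  /* runs past the record: the leak */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Patched responder: the 1.0.1g check. A request whose claimed payload plus
 * header and minimum padding does not fit in the received record is silently
 * discarded, as RFC 6520 requires. */
size_t heartbeat_patched(size_t record_len, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = arena;
    uint16_t payload;

    if (record_len < 3) return 0;     /* no room for type + length */
    if (p[0] != HB_REQUEST) return 0;
    payload = (uint16_t)((p[1] << 8) | p[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > record_len) return 0;
    if ((size_t)3 + payload + HB_PADDING > out_cap) return 0;

    out[0] = HB_RESPONSE;
    out[1] = p[1];
    out[2] = p[2];
    memcpy(out + 3, p + 3, payload);  /* now provably inside the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Return 1 if the bytes of `needle` (without its NUL) occur in buf[0..len). */
int response_contains(const unsigned char *buf, size_t len, const char *needle)
{
    size_t nlen = strlen(needle);
    size_t i;
    if (nlen == 0 || nlen > len) return 0;
    for (i = 0; i + nlen <= len; i++)
        if (memcmp(buf + i, needle, nlen) == 0) return 1;
    return 0;
}

int main(void)
{
    static const unsigned char ping[] = { 'p', 'i', 'n', 'g' };
    unsigned char resp[ARENA_SIZE];
    size_t record_len, n;

    /* A 4-byte payload whose header claims 80 bytes; a constructed cookie
     * sits in memory right after the record. */
    record_len = build_request(80, ping, sizeof ping, "COOKIE=session-abc123");

    n = heartbeat_vulnerable(record_len, resp, sizeof resp);
    printf("vulnerable: %zu-byte response, cookie leaked: %s\n", n,
           response_contains(resp, n, "COOKIE=") ? "yes" : "no");

    n = heartbeat_patched(record_len, resp, sizeof resp);
    printf("patched:    %zu-byte response (0 = request discarded)\n", n);
    return 0;
}
```

The point of the comparison is that the fix is a single bounds check against the length the TLS record layer already knew; the peer-supplied field is only trusted once it has been shown to fit inside the record that was actually received.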
 
Stump's sleuthing got me to check out the password security for my own bank, BMO... the result is not pretty.

The password you create here can be used to access Online, Mobile and Telephone Banking.

All passwords must be six characters in length. Special characters (eg. *, %, $, etc) will not be accepted. Choose a password that's easy for you to remember, but difficult for others to guess. Avoid using birthdates, your name or initials, common phrases such as 'abc123' or passwords you have created for other systems. Do not keep a reminder of your password in an easily accessible place.
Horrendous for 2014. I thought that 6 character minimum was okay-ish. Nope. That's the minimum and maximum. The passwords have to be only 6 characters. Fuck.
 
Oh my God.
 
Contemplated on switching to a cloud-based password manager.

I just recently bought a Chromebook, and now that I learned Chromebook can't sideload apps (only OSes), I may have to do this.
 
After all this hassle I'm just going back to LastPass and making some impossibly complex passwords.. I'm not sure why I gave up on them in the first place.
 
And just logging in with that insecure password lets you do what? Everything, including transfer money to other people? That's extremely shitty if true. As I posted earlier, with my bank I can only transfer money between my own accounts if I login using my password. If I want to do anything more critical than that I have to use a much more secure authentication method.
 
Let's see what I can do with that weak 6-character password...

- Email money transfers - check
*very easy.. only have to make a security question which you can obviously answer yourself if you're the one hacking

- Open accounts with ease - check
* doesn't seem like you can close an account, which is good..

- Change all contact info and login details - check
*pretty standard for any affected Heartbleed site
 
So if your site is unaffected or fine, should we still change our passwords. And I just logged out of Ebay, when should I change my password?

It's a good practice to change them every so often anyway, so if you're going to be changing it for eBay you might as well change it for the others as well.
 
I still have tons of sites I'm unsure about, but they're mostly local sites. Is it illegal to check for vulnerability through the lastpass website? Also, if I choose to use it, should I post the link to the login screen? As the main site will occasionally be simply http, whereas the login screen immediately shows the "encrypted" sign.

You want to check the page that does login. All of the https pages on the site will use the same cert.
 