This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 2.5 License.
Lorrie Faith Cranor studied thousands of real passwords to figure out the surprising, very common mistakes that users — and secured sites — make to compromise security. And how, you may ask, did she study thousands of real passwords without compromising the security of any users? That’s a story in itself. It’s secret data worth knowing, especially if your password is 123456 …
This talk was presented to a local audience at TEDxCMU, an independent event. TED editors featured it among our selections on the home page.
Security Blanket: http://lorrie.cranor.org/blog/2013/08/12/security-blanket/
If you ask the average person what the best ways to protect themselves online are, they’ll give some true answers—but they’ll likely be different from the answers you’d get from a security researcher. Here’s the difference.
Google, in a paper they’re presenting at the Symposium on Usable Privacy and Security this weekend, asked two groups—experts and nonexperts—what they do to stay safe online. While the nonexperts provided some good answers (like using antivirus software), the experts placed certain items as much higher priority, as shown in the above graphic.
Ian Urbina, author of The Secret Lives of Passwords, talks about what passwords mean to people beyond their access to email or social networking accounts. Published on Dec 29, 2014
Here’s the video of my LastPass presentation from the Nebraska Library Association Conference presented on 10 October 2014.
We’re excited to announce that the Auto-Password Change feature we released to our Pre-Build Team last week is now available for all users in beta. LastPass can now change passwords for you, automatically. We’re releasing this feature for free to all our users, on Chrome, Safari, and Firefox (starting with version 3.1.70).
Auto-Password Change already supports 75 of the most popular websites, including Facebook, Twitter, Amazon, Pinterest, Home Depot, and Dropbox. When clicking “edit” for a supported site, a “Change Password Automatically” button appears.
Once clicked, LastPass opens a new tab where it logs in for you, creates a new password, and submits the changes on the website, while also saving them to LastPass. Next time you log in to that website, LastPass will autofill with the newly-generated password. And all you had to do was click a button!
Read the full article @ Blog.LastPass.com
This week, a group of hackers released a list of about 5 million Gmail addresses and passwords. This list was not generated as a result of an exploit of WordPress.com, but since a number of emails on the list matched email addresses associated with WordPress.com accounts, we took steps to protect our users.
We downloaded the list, compared it to our user database, and proactively reset over 100,000 accounts for which the password given in the list matched the WordPress.com password. We also sent email notification of the password reset containing instructions for regaining access to the account.
Read the full article @ blog.wordpress.com
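The comparison WordPress.com describes above (match a leaked email/password list against your own user database, reset only the accounts where the password actually matches) is easy to get wrong if the leaked plaintext is compared carelessly. Here is an added Python example of that check; it is not WordPress.com’s code. It assumes the site stores passwords as salted PBKDF2-SHA256 hashes (an assumption, not something the post states), and both the leak lines and the user records are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample of a leaked list in the usual "email:password" line format.
SAMPLE_LEAK = """\
alice@example.com:hunter2
Bob@Example.com:correct horse
carol@example.com:123456
dave@example.com:letmein
"""

PBKDF2_ITERATIONS = 100_000  # assumption: the site's own work factor


def hash_password(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Assumed storage scheme: salted PBKDF2-HMAC-SHA256 (never plaintext)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user_db(records):
    """Build the constructed user database: email -> {salt, hash}.

    `records` is an iterable of (email, password) used only to create
    sample hashes; a real site never keeps the plaintext around.
    """
    db = {}
    for email, password in records:
        salt = os.urandom(16)
        db[email.strip().lower()] = {"salt": salt, "hash": hash_password(password, salt)}
    return db


def parse_leak_lines(text: str):
    """Turn "email:password" lines into (email, password) pairs.

    Split on the first colon only, because passwords may contain colons.
    """
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        pairs.append((email.strip().lower(), password))
    return pairs


def accounts_to_reset(leak, user_db):
    """Return the emails whose leaked password verifies against the stored hash.

    Accounts that exist but whose leaked password does not match are left
    alone: the user already has a different password on this site.
    """
    matches = []
    for email, leaked_pw in leak:
        rec = user_db.get(email)
        if rec is None:
            continue  # address not one of ours
        candidate = hash_password(leaked_pw, rec["salt"])
        # constant-time comparison of digests
        if hmac.compare_digest(candidate, rec["hash"]):
            matches.append(email)
    return sorted(matches)


if __name__ == "__main__":
    db = make_user_db([
        ("alice@example.com", "hunter2"),        # same password as in the leak
        ("bob@example.com", "correct horse"),    # same password, different case in email
        ("carol@example.com", "something-else"), # listed, but password differs
    ])
    print(accounts_to_reset(parse_leak_lines(SAMPLE_LEAK), db))
```

The email normalisation matters: a leak that lists `Bob@Example.com` still refers to the same account as `bob@example.com`, while the user whose leaked password does not verify (and the address that is not in the database at all) are correctly skipped.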
Ebay says that its corporate network and databases were compromised earlier this year, and will ask its users to change their passwords.
Read more @ Boing Boing.
I’ve been putting off this post for a few days to allow for the immediate freak-out to die down and to let some actually good advice surface. I’m now ready to provide the following advice and resources:
Basically, for the past two years there’s been a flaw in the security software behind somewhere near 60% of all “secure” Web sites on the Internet. That whole “make sure the site you’re logging into says ‘https://’” advice, well, that was the part that was broken. No one stole your password per se, but this hole could allow someone to get it and the site they got it from would have absolutely no idea that it happened.
For a slightly more technical explanation watch this short video from the Security Now podcast.
Is it serious?
Bruce Schneier, the security guy security guys listen to, says “‘Catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.” ‘Nuff said.
Do I need to change my passwords?
Yes. Especially if, and I’m sorry if this language offends you, your passwords are crap. And chances are, your passwords are crap. Test your passwords using https://howsecureismypassword.net/. If your password strength isn’t measured in millennia, your password is crap.
Oh, and if you use the same password for more than one site, your password is crap.
This is not news folks. You’ve heard this before and ignorance is no longer bliss when it comes to this stuff.
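To make the “measured in millennia” test and the reuse rule concrete, here is an added Python example (mine, not from the post or from howsecureismypassword.net) that estimates how long an exhaustive search of a password’s keyspace would take, flags passwords that appear on a common-password list, and finds passwords reused across sites. The attacker rate of 10^10 guesses per second, the tiny common-password list and the sample credentials are constructed assumptions for illustration; a real estimate also has to account for dictionary and pattern attacks, which this keyspace arithmetic ignores.

```python
import string

# Assumption: an offline cracking rig trying 10 billion guesses per second.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed sample of "most common passwords"; real lists hold millions of entries.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein"}

# Every printable ASCII punctuation character plus the space.
SYMBOL_COUNT = len(string.punctuation) + 1


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet that contains every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += SYMBOL_COUNT
    return size


def crack_years(password: str) -> float:
    """Worst-case years to exhaust the keyspace; 0 for passwords on the common list.

    A password on the common list falls to a dictionary attack immediately,
    no matter how its length and alphabet would score.
    """
    if password in COMMON_PASSWORDS:
        return 0.0
    keyspace = charset_size(password) ** len(password)
    return keyspace / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def rating(password: str) -> str:
    """Apply the post's rule: anything not measured in millennia is 'crap'."""
    years = crack_years(password)
    if years >= 1000:
        return "millennia"
    return "crap"


def reused_passwords(credentials: dict) -> dict:
    """Given site -> password, return password -> sorted list of sites using it
    for every password that appears on more than one site."""
    by_password = {}
    for site, password in credentials.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    for pw in ("123456", "hunter2", "Tr0ub4dor&3", "correcthorsebatterystaple"):
        print(f"{pw!r}: charset {charset_size(pw)}, {crack_years(pw):.3g} years -> {rating(pw)}")
    # Constructed sample of one person's logins.
    vault = {"bank": "hunter2", "mail": "hunter2", "forum": "Tr0ub4dor&3"}
    print(reused_passwords(vault))
```

Note how a short password such as `hunter2` is exhausted in seconds at the assumed rate even though it mixes letters and digits, while length dominates: 25 lowercase letters reach “millennia” without any symbols at all.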
Do I need to change them right now?
This is the biggest problem caused by this whole mess: it depends.
Services that ran certain types of servers, or non-problematic versions of the SSL software, were not affected by this problem and therefore don’t have this as a reason to need you to change your password. (Unless you should anyway because your passwords are crap. See above.)
Services that were affected need to fix the problem on their end before changing your password will do any good. Sure, you could go change your password right now, but if they fix the problem tomorrow, you’ll just need to change your password again.
(See Naked Security’s “Heartbleed heartache” – should you REALLY change all your passwords right away? if you’d like further details.)
So, how do you tell?
Well, yesterday I got an e-mail from IFTTT.com telling me that they’d fixed the problem and that I should change my password. Full marks to IFTTT but don’t expect that from everyone.
Mashable has a great page titled The Passwords You Need to Change Right Now where you can look up major services to see if it’s time to change your password. Go there as soon as you’re done reading this unless you’re a LastPass user.
If you use LastPass they have a service that will go through your accounts and let you know which services have the problem, whether they’ve fixed their server or not, and if it’s time to change your password. You can find instructions on how to do this on their page titled “LastPass Now Checks If Your Sites Are Affected by Heartbleed.”
What should I do from this point forward?
Improve your passwords! Seriously folks, we’re not kidding any more. Install LastPass and create a 100% unique and random password for every site you use. Also, if a service uses two-factor authentication and you can do it (i.e. you can receive text messages on any sort of cell phone) turn it on.
If you run a server, or know someone who does, read/send this EFF blog post on Why the Web Needs Perfect Forward Secrecy More Than Ever and do it.
Yes, this is a pain. Yes, things like complex passwords and two-factor authentication add to the time it’ll take to log into a Web site. But so does locking your door when you leave the house in the morning. That doesn’t mean you’ve wasted the extra five seconds it took just to be a little more secure.