
HeartBleep and Passwords


19 replies to this topic

#1 OFFLINE   Mark Holtz

Mark Holtz

    Day Sleeper

  • DBSTalk Club
  • 9,926 posts
  • LocationSacramento, CA
Joined: Mar 23, 2002

Posted 04 May 2014 - 11:07 PM

I have spent the past week changing all of my website passwords thanks to the HeartBleep vulnerability. OK, OK, I know it is called HeartBleed, but if you had to change all of the passwords, you can understand what kind of a bleep it is. The last time I changed all of my passwords was in 2010 from about six unique passwords to a unique password for each website. To manage my passwords, I use KeePass as my master password manager, and a small subset of those passwords are kept in LastPass. The password file is backed up from my USB drive to a hard drive using FreeFileSync and is regularly backed up to my Dropbox account. When two-factor authentication became available, I activated it on all of my accounts.

Now, I'm no security expert, but I have done some programming. One of the things that I learned is that you use a one-way encryption algorithm to encrypt a password as a hash. As an example, take the password TrustNo1! . That password passes all the short password requirements, and turns into the following hashes:

CRC32: 415bbeab
MD5: 012f6e0c2e86fdba9035307528a36557
SHA1: d32662aaa15f94cdbfdeec83b49c4d6cd73d6c04
SHA256: 81ccbefbd0adad93d912fcb02faa23fbd6f3556d7176027f48982359d44eef74

Now, I hope no one uses TrustNo1! as it is considered one of the thirty most common passwords according to How Secure Is My Password?. Also, if you are a good programmer, you would "salt" the password with additional and unique text, plus encrypt the password prior to storing it in your database. So, a password that I would actually use, like T[5X];H8%.`}<IZ6/zY;y0.]594{\D29 , would show up as follows:

CRC32: 5d2d4047
MD5: 38e9f34eb86f107ed9532815e782d6bb
SHA1: 6b9c7afd3d19619e4bd92afd0f420ca8b69b924b
SHA256: ecdaa6e0aa553fb4f4b67fccaa7ffb6e1070fe5737df529c35533bbd9bb6b794

Thus, by using a hash, there should be no limitation on how long my password is or what characters I use. The minimum requirements are checked, as well as proper sanitizing at the front end such as the web browser, but there should be no maximum.

My actual experience scares me. To me, the sites in need of long, secure passwords are the ones that are essential to my life and well-being, which are the financial sites (brokerage, banking, retirement, health care). If those sites are broken into, my quality of life and my ability to pay bills would be severely affected. Yet those are the sites which had the shortest maximum password length and restrictions on the character sets that I could use. Sure, I could use letters and numbers. How about special characters? Good luck. At least the site with the shortest maximum password also had second-factor verification in place. Most of the others only had measures in place to prevent phishing. I guess all they care about is protecting THEIR money, not mine.

The next critical secure sites happen to be email. Before you laugh, consider that a Forgot Password routine sends you a recovery method via your registered email account. If it's a good password recovery routine, you will need to click on an emailed link to recover your password. A bad password recovery routine sends you your password, which means they are not using a one-way encryption. The good part is that my main email account allows a very long password and the choice of characters. The bonus part is that the webmail uses two-factor authentication. The ones that don't are my dump accounts for testing.

Which brings up online shopping. Again, a mixed bag. The site that I use almost constantly, Amazon, allows for long passwords, but does not have two-factor authentication (to the best of my knowledge). Some of the other shopping sites again have the short password requirements, and all except Steam do not employ two-factor authentication.

And, the sites which allow me to use long passwords from any character set are the web forums such as this one. 100 character password? No problem. Any characters? No problem. Of course, if someone hacks my web forum password, all that I would suffer is a blemished reputation.

Now, I will admit that a strong and secure password is only one part of the equation. There are methods that should be employed at the server end to secure things down. Yet, if past experience is any indication, while the IT people want to secure things down, the accountants and MBAs are looking at the expense and vetoing the badly needed improvement. After all, IT costs money and they want to reduce expenses as much as possible. They are more focused on getting more sales. Yet, they have the money to clean up the mess caused by not properly securing stuff in the first place. All that I can do is secure my end.
"In many ways, this opera does fulfil my often quoted description of what most operas is about. The tenor is trying to sleep with the soprano, and the baritone is trying to stop them." - Sean Bianco, KXPR At The Opera
Check out my list of links.
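The first post describes the right shape of password storage (a one-way hash, a unique salt per user, no maximum length) but only shows raw CRC32/MD5/SHA digests. The block below is an example added to this thread, not code from the poster or from any site mentioned: it computes the same unsalted digests for comparison, then does what the post asks for with Python's standard library, a per-record random salt and an iterated PBKDF2-HMAC-SHA256 hash, verified in constant time. The 16-byte salt, the 600,000 iteration count and the `pbkdf2_sha256$iterations$salt$hash` record layout are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumptions made for this example (not taken from the thread): salt size,
# iteration count and the text layout of the stored record.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

# The two passwords the post hashes, reused here as sample input.
SHORT_PASSWORD = "TrustNo1!"
LONG_PASSWORD = r"T[5X];H8%.`}<IZ6/zY;y0.]594{\D29"


def fast_digests(password: str) -> dict:
    """The unsalted digests listed in the post. Same input always gives the same
    output, and they are cheap to compute: exactly why they should not be stored."""
    data = password.encode("utf-8")
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. The record carries its own parameters so the
    iteration count can be raised later without breaking old records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


if __name__ == "__main__":
    for pw in (SHORT_PASSWORD, LONG_PASSWORD):
        print(pw, fast_digests(pw))
    # Two users with the same password get different salted records.
    print("salted records differ:", hash_password(SHORT_PASSWORD) != hash_password(SHORT_PASSWORD))
    # A 100-character password is just more input bytes; the stored record has the same size.
    hundred = "x" * 100
    rec = hash_password(hundred)
    print("100-char password verifies:", verify_password(hundred, rec), "record length:", len(rec))
```

Because the record length is fixed by the hash output and not by the password, a site storing passwords this way has no technical reason for a `maxlength` of 12; the only length check worth keeping is an upper bound on request size.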


#2 OFFLINE   dpeters11

dpeters11

    Hall Of Fame

  • DBSTalk Club
  • 13,487 posts
  • LocationCincinnati
Joined: May 30, 2007

Posted 05 May 2014 - 05:17 AM

Yeah, the sites that only allow a short password etc scares me. You're right, there is no reason for it.

 

What scares me the most is Fidelity. Only allows numbers and letters, is case insensitive and you use the same password to authenticate to the phone system. That means that for each letter of your password, it actually accepts three letters and a number as correct.

 

For your email, make sure that any recovery email address you have set can't be guessed by seeing the parts that are unmasked. You don't want to end up in Mat Honan's situation, though some of the companies involved supposedly changed their procedures.
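dpeters11's Fidelity observation (letters and digits only, case-insensitive, and the same password typed on a phone keypad) can be quantified. The block below is an added example, not code from the thread or from Fidelity: it folds a password onto the standard telephone keypad groups, counts how many distinct letters-and-digits passwords the phone system would accept as equivalent, and compares the nominal 36-symbol alphabet with the 10 keys that remain. The keypad mapping is the usual 2=abc … 9=wxyz layout; treating the web alphabet as 36 case-insensitive symbols is an assumption of this example.

```python
import math

# Standard telephone keypad letter groups (constructed lookup for this example).
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
LETTER_TO_KEY = {ch: key for key, letters in KEYPAD.items() for ch in letters}

# Assumption: the web form accepts case-insensitive letters and digits, 36 symbols.
WEB_ALPHABET_SIZE = 36
KEYPAD_ALPHABET_SIZE = 10


def keypad_fold(password: str) -> str:
    """Digit string the phone system sees. Case is folded because the site is
    case-insensitive; anything outside letters and digits is rejected."""
    digits = []
    for ch in password.lower():
        if ch.isdigit():
            digits.append(ch)
        elif ch in LETTER_TO_KEY:
            digits.append(LETTER_TO_KEY[ch])
        else:
            raise ValueError(f"{ch!r} is not a letter or digit")
    return "".join(digits)


def equivalents(password: str) -> int:
    """How many distinct letters-and-digits passwords the keypad accepts for this one.
    Each key 2-9 stands for its letters plus the digit itself; 0 and 1 stand alone."""
    count = 1
    for key in keypad_fold(password):
        count *= len(KEYPAD.get(key, "")) + 1
    return count


def effective_bits(password: str) -> dict:
    """Guessing space in bits: what the web form advertises vs. what the keypad enforces."""
    n = len(password)
    return {
        "nominal_bits": round(n * math.log2(WEB_ALPHABET_SIZE), 1),
        "keypad_bits": round(n * math.log2(KEYPAD_ALPHABET_SIZE), 1),
    }


if __name__ == "__main__":
    pw = "TrustNo1"
    print(pw, "->", keypad_fold(pw))
    print("passwords the keypad treats as identical:", equivalents(pw))
    print(effective_bits(pw))
```

The folding is what makes the phone channel the weakest point: every character of the web password is reduced to one of ten keys, so the phone system is effectively checking an eight-digit PIN, and lockout after a few attempts is the only thing holding the line.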



#3 OFFLINE   Mark Holtz

Mark Holtz

    Day Sleeper

  • Topic Starter
  • DBSTalk Club
  • 9,926 posts
  • LocationSacramento, CA
Joined: Mar 23, 2002

Posted 05 May 2014 - 05:56 AM

What scares me the most is Fidelity. Only allows numbers and letters, is case insensitive and you use the same password to authenticate to the phone system. That means that for each letter of your password, it actually accepts three letters and a number as correct.

And the excuse that those companies use is that they are running old mainframe code. Of course, those "mainframes" are probably running virtualized, and the code was only updated to Y2K compliance. But, spend money on actual modern security. You got stopped by "spend money". Of course, didn't I see a 60 Minutes report where they are using old 8" floppies for our missile defense?

For your email, make sure that any recovery email address you have set can't be guessed by seeing the parts that are unmasked. You don't want to end up in Mat Honan's situation, though some of the companies involved supposedly changed their procedures.

Slight problem with what you stated above. In my experience, people only check one or two email addresses, and those addresses tend to be a public webmail address (Gmail, Hotmail, Yahoo mail), their work addresses, or an old AOL address. Using a work email address for personal stuff is a big no-no, as that email address, the Internet connection, and the work computer are the property of your employer. And, too many times, people have lost access to online photo collections because they lost access to work email a while back because of a layoff, and now can't recover the password.

My personal philosophy is that home and work should remain separate. I actively check three email accounts: my work account, my personal account (for which I own the domain name, thus catch-all), and one for Toastmasters. Nobody outside of work knows my work email address, not even my mother.
"In many ways, this opera does fulfil my often quoted description of what most operas is about. The tenor is trying to sleep with the soprano, and the baritone is trying to stop them." - Sean Bianco, KXPR At The Opera
Check out my list of links.

#4 OFFLINE   Mark Holtz

Mark Holtz

    Day Sleeper

  • Topic Starter
  • DBSTalk Club
  • 9,926 posts
  • LocationSacramento, CA
Joined: Mar 23, 2002

Posted 05 May 2014 - 06:39 AM

I forgot to mention this last night. Here is an actual code example that has caused pain for me when changing passwords.

<input style="(style info deleted)" name="iPassword3" size="15" maxlength="12" class="entryfields" oncopy="return false" ondrag="return false" ondrop="return false" autocomplete="off" type="password">

That input tag contains JavaScript tags that prevent me from dragging and dropping a password, or even pasting a password from my password manager to the site in question. What were the password requirements? "Your Password must be 6 to 12 characters and contain at least 1 uppercase letter and at least 1 number." And, what is the purpose of the account? To manage my toll tag when driving into a nearby metropolitan area. What was the solution? Disable JavaScript in the browser using an addon.

I should also note that I use a Password Card on those rare instances where KeePass would be unavailable to me. Fortunately, there is also an Android application and an iPhone application, which means that a crook cannot figure out the password of the month from finger smudges.
"In many ways, this opera does fulfil my often quoted description of what most operas is about. The tenor is trying to sleep with the soprano, and the baritone is trying to stop them." - Sean Bianco, KXPR At The Opera
Check out my list of links.
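The input tag in the post is a compact checklist of everything that fights a password manager: clipboard and drag handlers that return false, `maxlength="12"`, and `autocomplete="off"`. The block below is an added example, not code from the poster or from the toll-tag site: it parses an HTML fragment with the standard library and reports those three problems for every password field, using the posted tag (with the style attribute already deleted by the poster) as constructed input beside a corrected tag written for this example. The handler list, the 64-character threshold and the corrected tag's values are choices made here.

```python
from html.parser import HTMLParser

# The tag from the post, used as constructed input for this example.
POSTED_TAG = (
    '<input style="(style info deleted)" name="iPassword3" size="15" maxlength="12" '
    'class="entryfields" oncopy="return false" ondrag="return false" '
    'ondrop="return false" autocomplete="off" type="password">'
)

# A corrected tag written for this example: same field, nothing in the way of a
# password manager. A hashing back end needs no maxlength; 128 is a generous cap.
FIXED_TAG = (
    '<input name="iPassword3" size="15" maxlength="128" class="entryfields" '
    'autocomplete="current-password" type="password">'
)

# Event handlers that, when present on a password field, block paste or drag-and-drop.
BLOCKING_HANDLERS = ("oncopy", "oncut", "onpaste", "ondrag", "ondrop")
MIN_ACCEPTABLE_MAXLENGTH = 64  # assumption: anything shorter is flagged


class PasswordInputCollector(HTMLParser):
    """Collect the attribute dicts of every <input> in the fragment."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def audit_password_inputs(html: str) -> list:
    """One entry per password field: its name and a list of manager-hostile findings."""
    parser = PasswordInputCollector()
    parser.feed(html)
    parser.close()
    report = []
    for attrs in parser.inputs:
        if (attrs.get("type") or "").lower() != "password":
            continue
        findings = []
        for handler in BLOCKING_HANDLERS:
            if handler in attrs:
                findings.append(f"{handler}={attrs[handler]!r} blocks clipboard or drag-and-drop entry")
        maxlength = attrs.get("maxlength")
        if maxlength is not None and maxlength.isdigit() and int(maxlength) < MIN_ACCEPTABLE_MAXLENGTH:
            findings.append(f"maxlength={maxlength} caps the password below {MIN_ACCEPTABLE_MAXLENGTH}")
        if (attrs.get("autocomplete") or "").lower() == "off":
            findings.append("autocomplete=off asks the browser not to offer saved credentials")
        report.append({"name": attrs.get("name"), "findings": findings})
    return report


if __name__ == "__main__":
    for label, fragment in (("posted", POSTED_TAG), ("fixed", FIXED_TAG)):
        for entry in audit_password_inputs(fragment):
            print(label, entry["name"], entry["findings"] or "no findings")
```

Run against a whole login page instead of one tag, the same function gives a quick inventory of which forms will force users back to short, typed, reused passwords.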

#5 OFFLINE   dennisj00

dennisj00

    Hall Of Fame

  • DBSTalk Club
  • 8,897 posts
  • LocationLake Norman, NC
Joined: Sep 27, 2007

Posted 05 May 2014 - 07:31 AM

The major buying sites, Amazon, eBay, PayPal, and others, should implement at least an SMS or phone verification of the online purchase.

 

I get a text from my accounts on most all online purchases.  Even the bank could implement an acknowledgement of that text before paying the originator.

 

Amazon could easily give one of the RSA token generators to every Prime account.


  • Rich likes this

Spending to stimulate the economy as fast as the credit cards will allow!

My Setup / Weather at Lake Norman!/ Boathouse BEES
DLB, MRV, nomad, HDGUI are HERE! . . . We're DONE!


#6 OFFLINE   phrelin

phrelin

    Hall Of Fame

  • Registered
  • 13,543 posts
  • LocationNorthern California Redwoods
Joined: Jan 18, 2007

Posted 05 May 2014 - 09:14 AM

We were "shopping" on line in the late 1990's. Since then we've had our credit card info "stolen" several times - but always from shopping in a store in person, never on line. Once we had someone print and use a check with our account number. This was not from on line activity, but derived from a paper check.

 

We always catch this within 24 hours because we monitor our accounts. On occasion it has been inconvenient but before computer banking allowed 24/7 monitoring, someone could use a credit or bank account until the statement arrived at your mailbox.

 

Should we have better systems, probably. But I'm not worrying about it.


"In a hundred years there'll be a whole new set of people."
"Always poke the bears. They sleep too much for their own good."

"If you're good enough, they'll talk about you." - Tom Harmon
A GEEZER who remembers watching TV in 1951 and was an Echostar customer from 1988 to 2008, now a Dish Network customer.
My AV Setup
My Slingbox Pro HD Experience
My Blog: The Redwood Guardian


#7 OFFLINE   dpeters11

dpeters11

    Hall Of Fame

  • DBSTalk Club
  • 13,487 posts
  • LocationCincinnati
Joined: May 30, 2007

Posted 05 May 2014 - 09:43 AM

And the excuse that those companies use is that they are running old mainframe code. Of course, those "mainframes" are probably running virtualized, and the code was only updated to Y2K compliance. But, spend money on actual modern security. You got stopped by "spend money". Of course, didn't I see a 60 Minutes report where they are using old 8" floppies for our missile defense?
Slight problem with what you stated above. In my experience, people only check one or two email addresses, and those addresses tend to be a public webmail address (Gmail, Hotmail, Yahoo mail), their work addresses, or an old AOL address. Using a work email address for personal stuff is a big no-no, as that email address, the Internet connection, and the work computer are the property of your employer. And, too many times, people have lost access to online photo collections because they lost access to work email a while back because of a layoff, and now can't recover the password.

My personal philosophy is that home and work should remain separate. I actively check three email accounts: my work account, my personal account (for which I own the domain name, thus catch-all), and one for Toastmasters. Nobody outside of work knows my work email address, not even my mother.

 

I created a randomly generated email address (or at least as randomly generated as allowed in the email spec) at a different provider. That's what I put as my recovery email address. Not used for anything else, and I don't plan on ever needing it myself.



#8 OFFLINE   harsh

harsh

    Beware the Attack Basset

  • Registered
  • 19,381 posts
  • LocationSalem, OR
Joined: Jun 14, 2003

Posted 05 May 2014 - 10:58 AM

Passwords in PHP are also salted with the time that they are created, so what is stored will change from one instant to the next. This ensures that the password is very difficult to track down.

 

As most systems lock up after a few tries, even short passwords are pretty safe.  What sucks is the policies that demand using password managers to keep track when you have to change the password every quarter.  It isn't like the password has become any less secure as time passes and at three shots an hour, it would take a very long time to brute force "zap".


Too often we enjoy the comfort of opinion without the discomfort of thought. -- JFK


#9 OFFLINE   dpeters11

dpeters11

    Hall Of Fame

  • DBSTalk Club
  • 13,487 posts
  • LocationCincinnati
Joined: May 30, 2007

Posted 05 May 2014 - 07:22 PM

Online attacks are not what I'm concerned about.


Sent from my iPad using Tapatalk

#10 OFFLINE   harsh

harsh

    Beware the Attack Basset

  • Registered
  • 19,381 posts
  • LocationSalem, OR
Joined: Jun 14, 2003

Posted 06 May 2014 - 10:16 AM

Online attacks are not what I'm concerned about.

You're concerned about an "offline" attack?

 

How would that work?


Too often we enjoy the comfort of opinion without the discomfort of thought. -- JFK


#11 OFFLINE   dpeters11

dpeters11

    Hall Of Fame

  • DBSTalk Club
  • 13,487 posts
  • LocationCincinnati
Joined: May 30, 2007

Posted 06 May 2014 - 10:47 AM

You're concerned about an "offline" attack?

 

How would that work?

 

Offline attacks are much more valuable. Steal database, get lots of passwords. With rare exception, I use a different password for every site, but it still annoys me when a site has ridiculous password requirements that don't allow me to use a long random password. The Fidelity site is a special case, but accepting 4 possibilities as a valid entry for a password character is horrific.



#12 OFFLINE   Mark Holtz

Mark Holtz

    Day Sleeper

  • Topic Starter
  • DBSTalk Club
  • 9,926 posts
  • LocationSacramento, CA
Joined: Mar 23, 2002

Posted 06 May 2014 - 10:55 AM

Offline attacks are much more valuable. Steal database, get lots of passwords.

But, is that something that you can control? I can control my password; however, I cannot control how the web site interfaces with the security DB or how the passwords are stored. There are, however, clues in how the password is being stored and handled from the password requirements. Forgot password routine sending my original password? Customer convenient, but it means that the password is encrypted in the DB.
"In many ways, this opera does fulfil my often quoted description of what most operas is about. The tenor is trying to sleep with the soprano, and the baritone is trying to stop them." - Sean Bianco, KXPR At The Opera
Check out my list of links.

#13 OFFLINE   dpeters11

dpeters11

    Hall Of Fame

  • DBSTalk Club
  • 13,487 posts
  • LocationCincinnati
Joined: May 30, 2007

Posted 06 May 2014 - 11:11 AM

No, it's not something I can control, but I can try to limit the damage as much as possible. I generally take a "trust no one" approach.



#14 OFFLINE   harsh

harsh

    Beware the Attack Basset

  • Registered
  • 19,381 posts
  • LocationSalem, OR
Joined: Jun 14, 2003

Posted 07 May 2014 - 08:13 AM

Offline attacks are much more valuable. Steal database, get lots of passwords.

The flaw in this thinking is that the database typically doesn't store your password. Instead they store a hash of your password and figuring out what the actual password might be takes large quantities of computing power and continued access to the unchanged login to test out the results.

The databases are more useful for harvesting other information like credit card, SSN and account numbers that the system actually needs to know to do its thing.

Too often we enjoy the comfort of opinion without the discomfort of thought. -- JFK


#15 OFFLINE   dpeters11

dpeters11

    Hall Of Fame

  • DBSTalk Club
  • 13,487 posts
  • LocationCincinnati
Joined: May 30, 2007

Posted 07 May 2014 - 01:22 PM

No, it's still an issue. Not all sites encrypt the password, and those that do don't always use good encryption. Look at the Adobe compromise. Identical passwords had the exact same encrypted value, and password hints were also included in plain text. We're on a site right now that sends passwords in the clear. A lot of password lists have appeared over the years, from compromised databases.

 

And of course since the majority of users use the same or similar passwords for all sites....

 

I assume that my password and security questions are stored in the clear, though I admit I do have a set list of about 15 security questions and bogus answers. That's my tradeoff.

 

We need more sites to support two factor and for Wilbur_the_goose to chime in :)
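The Adobe symptom dpeters11 points to, identical passwords producing the exact same stored value, is something an operator can check in their own user table without knowing a single password: any stored transform that is deterministic per input (an unsalted hash or a fixed-key encryption) will repeat whenever two users chose the same password, while a per-user salt never does. The block below is an added example, not code from the thread or from Adobe: it builds a small constructed credential table (two users sharing a password stored as raw MD5, two sharing it under salted PBKDF2), flags values that repeat across distinct users, and guesses each record's format from its shape. The sample rows, the format heuristics and the 100,000-iteration PBKDF2 used to build the salted rows are all constructed for this example.

```python
import hashlib
import os
import re
from collections import defaultdict

# Constructed sample table for this example: (username, stored credential value).
# Values are generated here from a made-up shared password; none come from a real breach.
def _unsalted_md5(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def _salted_pbkdf2(password: str) -> str:
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return f"pbkdf2_sha256$100000${salt.hex()}${derived.hex()}"

SAMPLE_ROWS = [
    ("alice", _unsalted_md5("TrustNo1!")),
    ("bob",   _unsalted_md5("TrustNo1!")),
    ("carol", _salted_pbkdf2("TrustNo1!")),
    ("dave",  _salted_pbkdf2("TrustNo1!")),
]

# Bare hex digests of these lengths are the fingerprint of an unsalted fast hash
# (or of a salt kept somewhere the value itself does not record).
RAW_HASH_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}


def classify_format(value: str) -> str:
    """Guess how a stored value was produced from its shape alone."""
    if value.startswith("pbkdf2_") and value.count("$") == 3:
        return "salted, iterated KDF record"
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in RAW_HASH_LENGTHS:
        return f"bare {RAW_HASH_LENGTHS[len(value)]} hex digest (no salt stored with it)"
    return "unrecognised"


def find_shared_values(rows) -> dict:
    """Stored values that repeat across distinct users. With per-user salts this is
    empty; any repeat means the transform is deterministic and one crack opens all."""
    users_by_value = defaultdict(set)
    for user, value in rows:
        users_by_value[value].add(user)
    return {v: sorted(u) for v, u in users_by_value.items() if len(u) > 1}


def audit(rows) -> dict:
    shared = find_shared_values(rows)
    return {
        "shared_values": shared,
        "users_with_shared_values": sorted(u for users in shared.values() for u in users),
        "formats": {user: classify_format(value) for user, value in rows},
    }


if __name__ == "__main__":
    result = audit(SAMPLE_ROWS)
    print("users whose stored value repeats:", result["users_with_shared_values"])
    for user, fmt in result["formats"].items():
        print(f"{user:6s} {fmt}")
```

The duplicate check needs no knowledge of the hashing scheme, which is what makes it useful as a first pass over a legacy table: repeats among a few thousand users are a strong sign that whatever "encryption" is in place behaves like an unsalted hash.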



#16 OFFLINE   Mark Holtz

Mark Holtz

    Day Sleeper

  • Topic Starter
  • DBSTalk Club
  • 9,926 posts
  • LocationSacramento, CA
Joined: Mar 23, 2002

Posted 07 May 2014 - 04:57 PM

The flaw in this thinking is that the database typically doesn't store your password. Instead they store a hash of your password and figuring out what the actual password might be takes large quantities of computing power and continued access to the unchanged login to test out the results.

Not quite. If a website, in response to a Forgot Password request, sends me back my password, then it is storing the password in a DB (and, we hope, in an encrypted manner). If it sends me either a link to reset my password and/or a randomly generated password, then it may be using a one-way hash. That's not a guarantee.

That's the trouble with this techie who holds a Business Admin-Management Information Systems degree, not a CIS degree. :rant: I see things from both sides of the equation. Managers and VPs are rated on their performance, and one of those is increasing revenue and decreasing expenses. That's partially why we haven't implemented chip-and-PIN yet in the United States: the merchants, banks, and credit card companies want someone else to pick up the expense of the upgrade, and it takes a major breach like Target to finally implement technology that has been used for around fifteen years in Europe. Same with computers.... until it directly affects a major Vice President of a company or a CEO/CIO/CFO, upgrades are often postponed. Look at how many companies are now spending the money for XP Extended Support even though Windows XP was advertised EOL for at least five years? :bang


"In many ways, this opera does fulfil my often quoted description of what most operas is about. The tenor is trying to sleep with the soprano, and the baritone is trying to stop them." - Sean Bianco, KXPR At The Opera
Check out my list of links.

#17 OFFLINE   dennisj00

dennisj00

    Hall Of Fame

  • DBSTalk Club
  • 8,897 posts
  • LocationLake Norman, NC
Joined: Sep 27, 2007

Posted 08 May 2014 - 04:58 AM

It did affect the CEO of Target. . . he walked away with $50+ Million!



Spending to stimulate the economy as fast as the credit cards will allow!

My Setup / Weather at Lake Norman!/ Boathouse BEES
DLB, MRV, nomad, HDGUI are HERE! . . . We're DONE!


#18 OFFLINE   harsh

harsh

    Beware the Attack Basset

  • Registered
  • 19,381 posts
  • LocationSalem, OR
Joined: Jun 14, 2003

Posted 08 May 2014 - 08:18 AM

No, it's still an issue. Not all sites encrypt the password, and those that do don't always use good encryption. Look at the Adobe compromise.

Holding up Adobe as the pinnacle of security is just silly. They wouldn't know security if it bit them on the nose. Because Adobe, like Microsoft, is compelled to use their products to create their websites, their security is inherently horrible.

I'll grant that any site that can send you your password is messed up, but I haven't seen one of those in a very long time. Many of the sites that say they will send you your password actually send you a new password.

Too often we enjoy the comfort of opinion without the discomfort of thought. -- JFK


#19 OFFLINE   dpeters11

dpeters11

    Hall Of Fame

  • DBSTalk Club
  • 13,487 posts
  • LocationCincinnati
Joined: May 30, 2007

Posted 08 May 2014 - 01:11 PM

No, Adobe isn't the pinnacle of security (though Adobe Reader has greatly improved and overall I'd say Java is worse than Reader or Flash). But they are an example of how passwords are not necessarily properly secured. There's likely a lot of sites that have as bad or worse protection. Simply being "encrypted" isn't enough. But usually we don't get that kind of visibility, so I have to assume it's encrypted badly.



#20 OFFLINE   harsh

harsh

    Beware the Attack Basset

  • Registered
  • 19,381 posts
  • LocationSalem, OR
Joined: Jun 14, 2003

Posted 09 May 2014 - 08:07 AM

No, Adobe isn't the pinnacle of security (though Adobe Reader has greatly improved and overall I'd say Java is worse than Reader or Flash).

Watching the CERT reports, Reader has as many or more issues as Java and Java is a lot lower on the bare metal scale when it comes to interaction with the computer. It is truly surprising that Flash isn't more of a problem.

The one that really scares the bejesus out of me is Silverlight. Since so few use it, we don't know what might be wrong with it.

Too often we enjoy the comfort of opinion without the discomfort of thought. -- JFK




