RIP XP

[Redsgirl]

Just read this in the news,

http://www.bbc.co.uk/news/technology-26954540

Do I really need to change all my passwords?
I've done my email account but what about all those shopping sites and stuff, god knows how many of them there are.
Advice plz.

[titaniumbean]

Just read this in the news,

http://www.bbc.co.uk/news/technology-26954540

Do I really need to change all my passwords?
I've done my email account but what about all those shopping sites and stuff, god knows how many of them there are.
Advice plz.

i'd be a good idea. but doesn't really matter in all honesty if you don't.

this bug affected everyone and everything online basically, and unless people have any kind of good reason to focus on you to attack then you don't really need to care.

[Redsgirl]

Just read this in the news,

http://www.bbc.co.uk/news/technology-26954540

Do I really need to change all my passwords?
I've done my email account but what about all those shopping sites and stuff, god knows how many of them there are.
Advice plz.

i'd be a good idea. but doesn't really matter in all honesty if you don't.

this bug affected everyone and everything online basically, and unless people have any kind of good reason to focus on you to attack then you don't really need to care.

Okay great, I'll not bother then. Thanks titaniumbean x

[titaniumbean]

disclaimer*

dont blame me if shit hits the fan.


if you were to threat model though you are a pretty unlikely target.


in general people have awful passwords and terrible 'operational security' anyway.


the only way it could hurt to change them all is if it causes you loads of problems to start remembering them.



best practice for passwords nowadays is to try and use a passphrase rather than just a word, so a relatively long sentence as your password preferably with capitalisation/numbers strewn about. obviously you may be limited by awful system admins who enforce certain length constraints etc.

ideally you would have long passphrases, unique to every single login you use for every different site. in reality though how the hell are you meant to remember all that.

[titaniumbean]

http://www.latimes.com/business/technology/la-fi-tn-how-to-protect-from-heartbleed-bug-20140409,0,5833514.story#ixzz2yPhXALaW


cliffs, wait a few days because terrible admins wont be updating quick enough anyway, use long complicated weird passwords. or just unplug the internet and sit in the dark...

[mondatoo]

disclaimer*

dont blame me if shit hits the fan.


if you were to threat model though you are a pretty unlikely target.


in general people have awful passwords and terrible 'operational security' anyway.


the only way it could hurt to change them all is if it causes you loads of problems to start remembering them.



best practice for passwords nowadays is to try and use a passphrase rather than just a word, so a relatively long sentence as your password preferably with capitalisation/numbers strewn about. obviously you may be limited by awful system admins who enforce certain length constraints etc.

ideally you would have long passphrases, unique to every single login you use for every different site. in reality though how the hell are you meant to remember all that.

Any pens and paper about.

[titaniumbean]

ya mondooo you're right i nearly put that tbf, storing passwords in your desk on a piece of paper is much more secure than storing them on your computer.

[mulhuzz]

I recently taught my mum that having passwords like 'rhubarbpie1' wasn't going to cut it and taught her to use pass phrases which have both increased entropy and memorability.

She now has a book (a modern classic) by her PC and for each website three numbers: page number, word number and word count. So she goes to the page, counts n word in and uses the following m words as a password, adding some random numerical info and randomising the case of every Lth letter.

Puts my passwords to shame and never had a problem remembering one yet.

[titaniumbean]

I recently taught my mum that having passwords like 'rhubarbpie1' wasn't going to cut it and taught her to use pass phrases which have both increased entropy and memorability.

She now has a book (a modern classic) by her PC and for each website three numbers: page number, word number and word count. So she goes to the page, counts n word in and uses the following m words as a password, adding some random numerical info and randomising the case of every Lth letter.

Puts my passwords to shame and never had a problem remembering one yet.

and then we find out that the nuclear launch code for 20 years was 00000 and the dial was always left at 00000 LOL

[Redsgirl]

I recently taught my mum that having passwords like 'rhubarbpie1' wasn't going to cut it and taught her to use pass phrases which have both increased entropy and memorability.

She now has a book (a modern classic) by her PC and for each website three numbers: page number, word number and word count. So she goes to the page, counts n word in and uses the following m words as a password, adding some random numerical info and randomising the case of every Lth letter.

Puts my passwords to shame and never had a problem remembering one yet.

Really? Wow that seems like an awful lot of effort, I'm starting to think anyone who wanted to access anything on my computer will have got it long before this security breach then 

[mulhuzz]

I recently taught my mum that having passwords like 'rhubarbpie1' wasn't going to cut it and taught her to use pass phrases which have both increased entropy and memorability.

She now has a book (a modern classic) by her PC and for each website three numbers: page number, word number and word count. So she goes to the page, counts n word in and uses the following m words as a password, adding some random numerical info and randomising the case of every Lth letter.

Puts my passwords to shame and never had a problem remembering one yet.

Really? Wow that seems like an awful lot of effort, I'm starting to think anyone who wanted to access anything on my computer will have got it long before this security breach then 

it is quite effortful at the beginning but gets easier.

Mind you, as both Monda and Titbean have suggested, writing passwords down on a bit of paper is also absolutely fine. It's a question of chance really, and the chances are OVERWHELMINGLY likely that if you get your password compromised it's because you had it stored insecurely on your PC, not because you had it written down on a bit of paper.

The stigma around writing passwords down on paper is, at least for private individuals, really bad security advice because it leads to generic and simple passwords.