Heartbleed SSL Attack. Important!

Ben Ruset

Administrator
Site Administrator
Oct 12, 2004
7,330
1,097
1,093
41
Asbury Park, NJ
So hopefully by now most of you folks will have heard about how SSL (the protocol used when you're signing into secure websites like your bank, Amazon, etc.) has been hacked. If you haven't, take a moment to look at this site, as well as pretty much any newspaper.

Back when I set up NJPineBarrens.com I was lazy and did not use secure sign on for the site. That is going to change when I upgrade to the new forum software this summer. But there's a few things you should do to protect yourself:

1. For your NJPineBarrens.com account, change the password to something you DO NOT USE anywhere else. It's good security practice anywhere, but until I get the SSL certificate bought and installed your password is going back and forth unencrypted.

2. For all of your other accounts (your bank, Amazon, etc.) change your password. This attack has been out there for a while, and it's undetectable. So who knows, hackers might already have your password and there's absolutely no way anybody would know.

3. Use a password manager application. It may be a little bit of a pain to use in the beginning, but you'll get used to it and it will be super easy to generate secure passwords individually for any site you go to. I literally do not know 90% of my passwords. I just copy them in from the password safe.

For Windows:
PWSafe - Free. I use this for work and it's great.
Keepass - Also free. I used this at my last job.

For Mac:
Password Gorilla - Free. Decent.
pwSafe - Not free, but works on both your Mac and your iDevice. It can keep your password safe in iCloud so that any Apple device you have can open the safe.

For Android:
Password Safe

Web Based:
LastPass - There's a free version. I have never used this.

4. Use a different password for every site you go to. If the site offers 2 factor authentication (where it texts you a code to enter when you log in) use that too.

This is probably the worst/potentially most destructive thing that has happened to the web up until now. I can not stress enough how important it is for you to change your passwords just to be safe.
 

ecampbell

Piney
Jan 2, 2003
2,491
549
1,093
Thanks Ben. I didn't know what to make of it.
Is a password manager really safe? It seems everything gets hacked.
 

Teegate

Administrator
Site Administrator
Sep 17, 2002
21,604
3,584
1,093
Remember that changing your password on an SSL site that has not been fixed is useless. They will just get it again. So be careful on which ones you change. Contact the sites you use regularly and ask them if they have fixed their site. If they had not planned on it and get tons of inquiries they may do it more quickly.

But as Ben mentions if your password to this site is different than anything else you use, only we will have to deal with the hack of your password.
 

ecampbell

Piney
Jan 2, 2003
2,491
549
1,093
Guy, it sounds unmanageable. I have 7 pages of usernames and passwords. Every time I buy something, they want to marry me. I hate it, but without it I can't function. What does "fixed" mean? Can I someway stop everything and start over?
 

Teegate

Administrator
Site Administrator
Sep 17, 2002
21,604
3,584
1,093
Guy, it sounds unmanageable. I have 7 pages of usernames and passwords. Every time I buy something, they want to marry me. I hate it, but without it I can't function. What does "fixed" mean? Can I someway stop everything and start over?

I meant for example your bank password. If your bank has not fixed their website to secure it and you change your password, the hackers can still hack into it and get it. Once they fix the problem and you change your password, then it is secure. So changing your bank password without finding out if their site is fixed is useless.
 

Teegate

Administrator
Site Administrator
Sep 17, 2002
21,604
3,584
1,093
I just changed mine to this site. A portion of it I did use on other sites. Now it is completely different than anything I use.
 

Teegate

Administrator
Site Administrator
Sep 17, 2002
21,604
3,584
1,093
If the site is fixed will it have something other than HTTPS?

No. You will not be able to know if the site is fixed. However, I suspect most reputable sites will be working on that quite quickly.
 

Ben Ruset

Administrator
Site Administrator
Oct 12, 2004
7,330
1,097
1,093
41
Asbury Park, NJ
Thanks Ben. I didn't know what to make of it.
Is a password manager really safe? It seems everything gets hacked.

Yes. Generally it's an encrypted file that sits on your computer or out in the cloud somewhere. (I used to keep mine on Dropbox before I switched to iCloud.)
 
Jul 12, 2006
1,024
100
1,043
Gloucester City, NJ
While I agree that all passwords should be changed and each one different than the other, I'd never use a so-called "password manager" to generate or store my passwords. Come up with a scheme for having a unique password for each site. Each password can be similar with a variation. I especially will never use a password manager for site access that involves money, such as bank accounts, e-commerce sites, etc.

Yes, a password manager is "supposed" to be secure. That being said, so was SSL and some 60+million Target users were supposed to be secure and the list goes on and on and on. Allowing some 3rd party application to have any involvement with your online passwords, just sounds like you're asking for trouble down the road.

Just my opinion..........................
 
  • Like
Reactions: 46er

Ben Ruset

Administrator
Site Administrator
Oct 12, 2004
7,330
1,097
1,093
41
Asbury Park, NJ
While I agree that all passwords should be changed and each one different than the other, I'd never use a so-called "password manager" to generate or store my passwords. Come up with a scheme for having a unique password for each site. Each password can be similar with a variation. I especially will never use a password manager for site access that involves money, such as bank accounts, e-commerce sites, etc.

Yes, a password manager is "supposed" to be secure. That being said, so was SSL and some 60+million Target users were supposed to be secure and the list goes on and on and on. Allowing some 3rd party application to have any involvement with your online passwords, just sounds like you're asking for trouble down the road.

Just my opinion..........................

Well, in this case most of them are open source (subject to source code review), the data files are encrypted and live locally on your computer, and the programs themselves do not talk to the internet.

You're certainly free to do what you want, but at least for me, I'm 100% comfortable with it.
 

Pine Baron

Explorer
Feb 23, 2008
481
24
18
Sandy Run
I understand why you need to change your password on financial sites such as banks and such, but why is there a need to change it on a site like this which is more or less "social".

Is it because some people use passwords for more than one site?

Thanx, John-
 

Teegate

Administrator
Site Administrator
Sep 17, 2002
21,604
3,584
1,093
I understand why you need to change your password on financial sites such as banks and such, but why is there a need to change it on a site like this which is more or less "social".

Is it because some people use passwords for more than one site?

Thanx, John-

Ben has concerns that the password some members use on this site may be the same one or similar that they use on other sites. Since this site does not use SSL the passwords are not encrypted when sent back and forth. If anyone gets the password they can use it to try and access your bank account. For example, if you name on this site is Tom Smith, and your bank account name is also Tom Smith, they can get your password from this site and then try accessing your bank account figuring your name and password there may be the same as here.

So, if the password you use here has any portion of it used elsewhere, change the password of this site to something you have not used before.
 

Pine Baron

Explorer
Feb 23, 2008
481
24
18
Sandy Run
Ben has concerns that the password some members use on this site may be the same one or similar that they use on other sites. Since this site does not use SSL the passwords are not encrypted when sent back and forth. If anyone gets the password they can use it to try and access your bank account. For example, if you name on this site is Tom Smith, and your bank account name is also Tom Smith, they can get your password from this site and then try accessing your bank account figuring your name and password there may be the same as here.

So, if the password you use here has any portion of it used elsewhere, change the password of this site to something you have not used before.
Yes.

And I will be setting up SSL here later this summer.
Thanx Guy, that clears it up perfectly! And thanx for the new security, Ben!