#1 Edited by avantegardener (1108 posts) -
#2 Posted by mosespippy (4032 posts) -

Damn it. That list says MSN was affected, while another list I saw this morning said Hotmail/Outlook wasn't. Aren't they the same thing? Now I'm thinking I should change every password regardless of what lists are saying.

#3 Edited by minivan (173 posts) -

FYI you only want to change your password after a specific site has addressed the issue. Changing it before wouldn't hurt but you'll have to change it again later. Here's a good plain English explainer for anyone who doesn't understand what this thread is about.

#4 Edited by ChrisHarris (275 posts) -

Oh no! Does this mean I'll need to change my Giant Bomb BBS password?!

#5 Posted by Snail (8579 posts) -

Damn it. That list says MSN was affected, while another list I saw this morning said Hotmail/Outlook wasn't. Aren't they the same thing? Now I'm thinking I should change every password regardless of what lists are saying.

Pretty sure they haven't been "the same thing" for a number of years now. It would be really strange if Microsoft used OpenSSL, too.

#6 Edited by RonGalaxy (2868 posts) -

Guess this is the universe telling me I need a password management program. Anyone have recommendations (I'm on PC and Android)?

#7 Posted by TobbRobb (4579 posts) -
#8 Edited by EXTomar (4494 posts) -

The basic problem is that people are using the same password all over the place. Sure you would have to change the password at some place compromised but if all passwords were unique then the issue is contained.

#9 Posted by SteadyingMeat (1110 posts) -

I feel like I'm being asked to change my password at least once a month now, be it from hackers, bugs, etc. Pretty annoying.

#10 Posted by Aetheldod (3509 posts) -

I suppose I don't need to change Steam, right? Only web ones?

#11 Posted by mosespippy (4032 posts) -

Guess this is the universe telling me I need a password management program. Anyone have recommendations (I'm on PC and Android)?

Password management programs didn't protect anything from this bug. It's a vulnerability for data in transit from user to server.

#12 Posted by ripelivejam (3528 posts) -

so i need at least 5 random character/number passwords to be protected? that's going to be easy to remember...

#13 Posted by RonGalaxy (2868 posts) -

@narujoe93 said:

Guess this is the universe telling me I need a password management program. Anyone have recommendations (I'm on PC and Android)?

Password management programs didn't protect anything from this bug. It's a vulnerability for data in transit from user to server.

I know that, the problem is that I have to change my passwords every freakin month because of stupid shit like this. I'm sick of keeping track of my passwords, I'm just going to let a program handle it from now on (went with LastPass. KeePass seemed too sketchy)

#14 Posted by StrainedEyes (1321 posts) -

Damnit, Google. It took me forever to memorize my convoluted password.

#15 Edited by CatsAkimbo (601 posts) -

@aetheldod said:

I suppose I don't need to change Steam, right? Only web ones?

Anything that uses OpenSSL, which can include non-browser software and hardware devices.

@extomar said:

The basic problem is that people are using the same password all over the place. Sure you would have to change the password at some place compromised but if all passwords were unique then the issue is contained.

Normally yeah, but the majority of places you have a password were probably affected by this, so you'll need to be changing a ton of passwords anyway. LastPass now checks if sites you have passwords on have updated OpenSSL though, so that makes it pretty convenient to know when to update.

#16 Posted by Gantrathor (199 posts) -

I hate the internet sometimes.

#17 Posted by Aetheldod (3509 posts) -
#18 Edited by CatsAkimbo (601 posts) -
#19 Edited by m4r71n2012 (39 posts) -

I'm guessing if you use two stage authentication that would at least stop anyone using an account even if they have the password?

#20 Edited by Ben_H (3308 posts) -

Yay for password managers! Switching from one gibberish password to another takes like 2 seconds per site luckily. I'm switching everything just to be safe. After it is confirmed that the bug is fixed on a given site of course.

@m4r71n2012 said:

I'm guessing if you use two stage authentication that would at least stop anyone using an account even if they have the password?

Yes, as long as they don't have access to the other form of authentication. For stuff like Blizzard's 2-factor, where you have a mobile phone app for the second factor, or Google, where they text you the information for the second factor, you are good. But for stuff like Steam, where they simply email you the second key, it is a bit less secure if your email is compromised. If your email is not compromised then you are fine.

#21 Edited by Aegon (5398 posts) -

Why would changing your password help? If the problem is that they can listen to the password in transit, then they can listen to a changed password as well.

#23 Posted by MB (11968 posts) -

@aegon said:

Why would changing your password help? If the problem is that they can listen to the password in transit, then they can listen to a changed password as well.

The exploit has been fixed by most sites and has been for days.

Moderator
#24 Edited by Ben_H (3308 posts) -

@aegon said:

Why would changing your password help? If the problem is that they can listen to the password in transit, then they can listen to a changed password as well.

The idea is that you change your password after the bug is fixed, not before, which is why they say to wait until it is fixed for a given site before changing. There's no point changing it before.

#25 Posted by ZolRoyce (628 posts) -

Thanks for the heads up on this. I've had to change my password so many times on so many sites already I don't even bother memorizing them anymore, I just slam my face down on the keyboard and go with whatever appears.

#26 Posted by Demoskinos (14561 posts) -

I'm not going to discount the potential security threat of this but honestly, this bug has been apparently there for the past two years and in those two years there were no reported incidents of this actually being implemented to steal data. Most major sites have already patched this. I think people are overreacting just a LITTLE bit about this.

#27 Edited by MB (11968 posts) -

...and in those two years there were no reported incidents of this actually being implemented to steal data.

Of course there were no reports of the exploit being used to steal data, it wasn't discovered until recently. But now it has been discovered and it's out in the wild...you can't really compare the number of incidents last week to the potential number and severity of incidents going forward with servers that don't have the vulnerability fixed.

Moderator
#28 Edited by CatsAkimbo (601 posts) -

I'm not going to discount the potential security threat of this but honestly, this bug has been apparently there for the past two years and in those two years there were no reported incidents of this actually being implemented to steal data. Most major sites have already patched this. I think people are overreacting just a LITTLE bit about this.

In some ways, yeah. But the way this bug was disclosed was kind of shitty in my opinion. In the past, people have kinda quietly talked to the big companies a day or two before publishing, but here they just were kinda like "Hey, shit's broken! Here's how to exploit it!"

So although people didn't know about it for 2 years, they know about it now, so in those 2 days or whatever from publishing to patching, anyone fast enough was definitely able to compromise important stuff, and very few people have it set up to even detect that happening.

#29 Posted by Gantrathor (199 posts) -

So should I change passwords for sites I rarely use/haven't used in a long time after they have been patched? I'm still not entirely sure how the process of stealing information works with this bug.

#30 Edited by Forcen (1804 posts) -

LastPass is damn good you guys, makes this so much easier.

EDIT: anyone know if Giant Bomb is/was vulnerable? The cert they use now is from March 25th.

#31 Posted by Demoskinos (14561 posts) -

@mb: Sure, and I'm sure as word broke a large number of hackers moved forward to try to do as much damage as they could but also most major sites are patched now. Yeah, it's always good to be sure but as a pure numbers game here I think most people are going to be just fine even if they don't change passwords. I'll keep an eye out for suspicious activity but I'm not bothering to learn new passwords for every single thing I use on the internet. Christ, I forget half the passwords I do have now.

#32 Edited by SingingMenstrual (327 posts) -

@forcen said:

LastPass is damn good you guys, makes this so much easier.

I've never used these password programs so I gotta ask: Doesn't the password program need a password for you to log into your account on it? Doesn't that mean it's as hackable as any other service? If that's true then I wouldn't want all my passwords saved in one place that might get hacked.

But something tells me I'm way off..

#33 Posted by CatsAkimbo (601 posts) -

@forcen said:

LastPass is damn good you guys, makes this so much easier.

I've never used these password programs so I gotta ask: Doesn't the password program need a password for you to log into your account on it? Doesn't that mean it's as hackable as any other service? If that's true then I wouldn't want all my passwords saved in one place that might get hacked.

But something tells me I'm way off..

It's encrypted on your computer/device using the password, so your password is never uploaded to the internet. Still susceptible to anyone who can get access to your computer through whatever means, but so is pretty much anything.

#34 Edited by RonGalaxy (2868 posts) -

I've come to the conclusion that if someone tries to steal my identity via internet bullshit, I do not give a fuck. I'll just say 'okay, you win' and move to the Alaskan wilderness.

Edit: also, when everything explodes and we're left to pick up the pieces, this song will be playing

#35 Edited by MattyFTM (14341 posts) -

I'm going to change my LastPass password and that's about it. I have most important things set up with two-tier authentication, so no one can access stuff like my email and PayPal even if they have access to my passwords. Most other things aren't that important. As long as my emails and payment information are safe, I'm happy.

Moderator