Heartbleed...

[SkinnyPupp]

Quote:

Originally Posted by tiger_handheld

What I dont comprehend is why the CRA trusts open source security while the largest bank in Canada does their own dev for security.

#mindblasted

In most cases, open source is more secure. This very same bug could have existed in any proprietary system. Usually when exploits are found in open source, they get pointed out and fixed. With proprietary, unless the developers themselves find the holes, who knows what happens before (or if) they get fixed.

Also banks are notoriously lazy with updating their software. Most banks use a proprietary system with known exploits, just because they don't keep it updated. If they used OpenSSL, it would be updated by the community all the time. Bugs do happen, but they get fixed too.

[K.Dubz]

Quote:

Originally Posted by SkinnyPupp

Use this as a reminder to use 2 factor authentication whenever you can, and use a password manager. I already use 2FA for everything but am still researching password managers. Thinking of using Lastpass for $12 a year. Would like to use an open source if possible though

If you were wondering if RS is affected, it's not since we don't use SSL anyway. On low-risk sites like this (forums, blogs, etc) you should NOT be using the same password you'd use on a high risk site (banks, email, etc)

I'm using lastpass, in addition with yubikey. Works great saves you time from having to type in the username/password.

[Majestic12]

Quote:

Originally Posted by underscore

But if you lose the keychain or your master password is compromised you're fucked. I have unique passwords for a few important things and one generic one for shit I don't really care about.

The keychain isn't strictly necessary. So long as the computer I'm using has internet access, I can access my database (since it's hosted on dropbox) and just re-download Keepass to use the database if i REALLY need to. If the master password is compromised, yeah, I'm hooped, which is why it's a damn good one. The upside to that is that you only need the one really good password. Easier than remembering 20 different passwords that are all variations of the same thing.

[SkinnyPupp]

I finally got around to using a password manager. Another site lost their emails and passwords (Ebay). If you are not using one yet, NOW is the time to do so. If you're using simple passwords and the same one on a few sites, it's pretty much just a matter of time before someone gets them.

I went with Dashlane after looking into several options. It seems to be the most compatible, and most reliable. As soon as a good one that combines bitcoin comes along I'll probably switch, but for not this will do

If you're interested, feel free to use my referral code and we will both get 6 months free:

https://www.dashlane.com/en/cs/3bb9491e

[underscore]

What happens if someone gets the password manager info then?

[SkinnyPupp]

I'd take that chance (which is next to nil, unless you tell someone or have a keylogger) over the alternative (if you use a similar password on more than one site, someone has all your passwords)

[inv4zn]

Hmm, I do that lol.

So this software, I guess the point is to completely randomize all your password, and the software keeps track for you?

What happens on the occasion that you want to log into a website, on a computer you don't normally use?

[godwin]

Ideally the data is encrypted. It still take a while to be able to decrypt Blowfish 512.. However if they can get it from your own computer, that means your computer / phone are hooped. So to be extra safe use a password manager that would do 2 factor encryption.

Quote:

Originally Posted by underscore

What happens if someone gets the password manager info then?

[SkinnyPupp]

Quote:

Originally Posted by inv4zn

Hmm, I do that lol.

So this software, I guess the point is to completely randomize all your password, and the software keeps track for you?

What happens on the occasion that you want to log into a website, on a computer you don't normally use?

In this case, the idea is that you always have your phone with you. It syncs all password on your mobile devices, so as long as you have your phone, you have all your passwords.

Presumably you are using two factor authentication for the important sites too, so you'd need your phone with you in that case anyway.

You have to assume that someone has at least ONE of your passwords, it's just a matter of time until they come across your name, and it's time for your passwords to be cracked. And if you use the same word in more than one password, it's MUCH easier to crack the rest.

[inv4zn]

Hmm, will look into this.
Thanks.

Dashlane vs FastPass?

[underscore]

Interesting. My problem is I don't trust phones since they're so easy to break and I don't trust external services.

[Nomomo]

pen and paper for you technosavant. hack that!

[SkinnyPupp]

Quote:

Originally Posted by underscore

Interesting. My problem is I don't trust phones since they're so easy to break and I don't trust external services.

No need to trust the service, they don't have a record of your password. The only record of it is in your head. So if someone got your phone and/or the data, they can't do anything with it unless they have the password

[underscore]

Wait, what? I must be missing something here, does the password manager service not hold all your other passwords?

[SkinnyPupp]

Quote:

Originally Posted by underscore

Wait, what? I must be missing something here, does the password manager service not hold all your other passwords?

It holds them in an AES 256 bit encrypted file which is impossible* to crack with a strong key. They don't hold the key itself though, you do. So unless you give up that key, the file is safe.

*nothing is literally impossible but it is effectively impossible until quantum computing hits it big I guess

There's a good post about it here. They use 128 bit as an example, and using a 10.51 Pentaflop supercomputer, it would take 1 billion billion years. If I'm correct, that looks like this: 1,000,000,000,000,000,000 years. The universe itself is 13,750,000,000 old.

Another good example from that page. If everyone in the world had 10 supercomputers that are faster than any computer anyone can possibly have, and they spent 24 hours a day cracking one key with those 70 billion supercomputers, it would take about 77,000,000,000,000,000,000,000,000 years to crack that one key.

Again, these examples are for 128 bit. 256 bit would be about 9 times more... so 9 billion billion years

[underscore]

Right, but if your key is compromised then the level of encryption becomes moot.

I've had to look into the pains of brute forcing your way through encryption recently when a PC was hit with CryptoLocker, ransomware that encrypts your files and demands $500 for the key. The complexity of getting through is certainly interesting.