Please, friends and neighbors, take the time to visit every web site and mail server where you authenticate with a password and change your passwords on every one of them. EVERY ONE OF THEM. Yes, every fucking one.
For web sites, after changing your password, go here and use the handy dandy tool to check whether that site is still vulnerable to a Heartbleed attack. If it is, don't use that site again until the same check comes back with a green okay result, and then change the password once more: a server that is still vulnerable can leak the new password out of its memory exactly the way it leaked the old one, so a password set before the patch buys you nothing. Also, despite the fact that you've heard it a hundred times already, I'm going to say it again: DO NOT, EVER, USE THE SAME PASSWORD IN TWO DIFFERENT PLACES. It's a pain in the ass to memorize passwords, so don't even try. Use something like PasswordSafe to generate and securely store your passwords. Something that's very handy about PasswordSafe is that you can poke a button within it to browse to a site whose password you've saved, and with its AutoType feature plug in the user name and password you've saved. It's fast and easy. It's what I do and I'm a lazy bastard.
If you’re using the Chrome browser, here’s a plugin you can install to automatically test the sites you visit for Heartbleed vulnerability.
Speaking of passwords: use the ugly, impossible-to-remember passwords. Trust me. You might think that Zaq12wsx is a strong password (it's a walk down the keyboard, which every cracking rule set knows about), but I just copied it from the last password database I cracked. That database also contained passwords like 4chickens, buddy55, mckinley82, simple18, Unicorn32, 0alibi, 23rdpsalm, 1hotmama, 6zebra5, b1anca, *power, 1jesusislord, John3:16, and others that the users probably thought good enough: a dictionary word with a digit or two bolted onto the front or back is the first thing a cracker tries. I love the religious references; I always wonder if those users think that some god flying around in outer space loves him or her enough to miraculously protect a weak-ass password. I got all of those passwords and a few hundred more in half an hour on my underpowered netbook. If I were to run the same application on the server that's temporarily sitting behind me I'd get them about 15 times faster.
Oh, those weak-ass passwords in the list above? They came from an e-commerce web site where people use their credit cards to buy things.
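Here is a small audit script that makes the two points above concrete: why a password manager's random output beats anything you can memorize, and why a "strong-looking" password like Zaq12wsx falls in seconds. This is an added example, not the cracking tool the author used and not PasswordSafe's code. The word list and keyboard layout are constructed stand-ins for a real cracking dictionary and rule set; the passwords fed to it are the ones quoted in the post.

```python
"""Added example: flag the weak patterns in the post's cracked list, show the
naive charset entropy a user might trust, and generate a real random one."""
import math
import re
import secrets
import string

# Constructed stand-in for a cracking wordlist. A real one has millions of
# entries; these are just the stems visible in the post's cracked list.
COMMON_WORDS = {"chickens", "buddy", "mckinley", "simple", "unicorn", "alibi",
                "psalm", "hotmama", "zebra", "bianca", "power", "jesus", "lord",
                "john", "password", "letmein", "welcome"}

# Keyboard rows and columns (US layout), used to spot walks such as zaq12wsx.
KEYBOARD_LINES = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
                  "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm"]
WALK_LEN = 4
KEYBOARD_WALKS = sorted({line[i:i + WALK_LEN]
                         for seq in KEYBOARD_LINES
                         for line in (seq, seq[::-1])
                         for i in range(len(line) - WALK_LEN + 1)})

# Common leet substitutions, so b1anca is still recognised as bianca.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def charset_entropy_bits(pw: str) -> float:
    """The naive strength estimate: length * log2(alphabet size).
    It ignores structure, which is exactly why it misleads people."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return len(pw) * math.log2(pool) if pool else 0.0


def weak_pattern(pw: str):
    """Return a reason a rule-based cracker gets this password cheaply, or None."""
    low = pw.lower()
    for walk in KEYBOARD_WALKS:
        if walk in low:
            return f"keyboard walk '{walk}'"
    # Strip the digits/symbols people bolt onto the ends, undo leet, then look
    # for a dictionary stem of four or more letters in what is left.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low).translate(LEET)
    for word in sorted(COMMON_WORDS):
        if len(word) >= 4 and word in core:
            return f"dictionary word '{word}' plus decoration"
    if len(pw) < 8:
        return "too short"
    return None


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try the whole naive keyspace at a given guess rate."""
    return 2 ** bits / guesses_per_second


def generate_password(length: int = 14) -> str:
    """What a manager like PasswordSafe does for you: uniform choice from the
    full printable set via the OS CSPRNG. Rejecting candidates that miss a
    character class or trip weak_pattern costs only a fraction of a bit."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        has_all = (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                   and any(c.isdigit() for c in pw)
                   and any(c in string.punctuation for c in pw))
        if has_all and weak_pattern(pw) is None:
            return pw


def audit(pw: str) -> dict:
    """Naive entropy next to the pattern that actually decides the outcome."""
    return {"password": pw,
            "naive_bits": round(charset_entropy_bits(pw), 1),
            "weak_pattern": weak_pattern(pw)}


if __name__ == "__main__":
    for candidate in ["Zaq12wsx", "buddy55", "b1anca", "John3:16",
                      "S6>>6P5Y#CK7g3", generate_password()]:
        print(audit(candidate))
```

Zaq12wsx scores about 48 bits on the naive scale, which at a billion guesses a second against a fast unsalted hash is days of work; the keyboard-walk rule finds it on the first pass instead. The 14-character random string the generator emits scores about 92 bits and trips no rule, which is the whole argument for letting the manager pick.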
Don’t use these because they’re published online as of right now, but here are some good ones for reference:
- 9vXY; [EDIT: WordPress changed this one. How odd. It’s not secure at all. S6>>6P5Y#CK7g3 is much better. :D]
The last one is actually more secure than the previous three.
Seriously now: Change your passwords at every web site where you log in with a password. EVERY ONE OF THEM! NOW!! You’ve been given fair warning. 🙂
This public service announcement brought to you by a freaky longhair who doesn’t want you to suffer impersonation fraud.