Heartbleed Public Service Announcement

Please, friends and neighbors, take the time to visit every web site and mail server where you authenticate with a password and change your passwords on every one of them. EVERY ONE OF THEM. Yes, every fucking one.

For web sites, after changing your password, go here and use the handy dandy tool to check whether that site is still vulnerable to a Heartbleed attack. If it is, do not use that site (the one where you just changed your password) again until the same check comes back with a green okay result; a password typed into a server that is still leaking memory can be scooped up just like the old one. Also, despite the fact that you’ve heard it a hundred times already, I’m going to say it again: DO NOT, EVER, USE THE SAME PASSWORD IN TWO DIFFERENT PLACES. It’s a pain in the ass to memorize passwords, so don’t even try. Use something like PasswordSafe to generate and securely store your passwords. Something that’s very handy about PasswordSafe is that you can poke a button within it to browse to a site whose password you’ve saved, and with its AutoType feature plug in the user name and password you’ve saved. It’s fast and easy. It’s what I do, and I’m a lazy bastard.

If you’re using the Chrome browser, here’s a plugin you can install to automatically test the sites you visit for Heartbleed vulnerability.

Speaking of passwords: Use ugly, impossible-to-remember passwords. Trust me. You might think that Zaq12wsx is a strong password, but I just copied it from the last password database I cracked. It also contains passwords like 4chickens, buddy55, mckinley82, simple18, Unicorn32, 0alibi, 23rdpsalm, 1hotmama, 6zebra5, b1anca, *power, 1jesusislord, John3:16, and others that the users probably thought good enough. I love the religious references — I always wonder if those users think that some god flying around in outer space loves him or her enough to miraculously protect a weak-ass password. I got all of those passwords and a few hundred more in half an hour on my underpowered netbook. If I were to run the same application on the server that’s temporarily sitting behind me I’d get them about 15 times faster.

Oh: Those weak-ass passwords in the list above? They came from an e-commerce web site where people use their credit cards to buy things.

Don’t use these because they’re published online as of right now, but here are some good ones for reference:

  • \|+&>u6T:(Ab
  • 9vXY;    [EDIT: WordPress changed this one. How odd. It’s not secure at all. S6>>6P5Y#CK7g3 is much better. :D]
  • }”Cv32aNKY@~%,
  • i’llAlwaysRememberThisLongmotherfuckerOfAPassword,bitches!!!

The last one is actually more secure than the previous three: every extra character multiplies the search space, so sheer length beats a short string of symbols.
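As an added example (not from the post), here is a small Python checker that scores passwords the way a defender's policy check would, using the post's own samples: it computes the brute-force search bound from length and character classes, then flags the shapes that show up in the cracked list above (word plus tacked-on digits, leet-swapped names, keyboard walks such as Zaq12wsx). The thresholds, the keyboard-walk table and the 32-character bucket for non-ASCII characters are assumptions for this example.

```python
import math
import re
import string

# Thresholds are assumptions for this example; the post sets no numbers.
MIN_LENGTH = 12          # assumed minimum length
MIN_BITS = 60.0          # assumed minimum brute-force bound in bits
OTHER_CLASS_SIZE = 32    # assumed alphabet contribution of non-ASCII characters (curly quotes etc.)

# Character classes that set the size of the alphabet an exhaustive search must cover.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# US keyboard rows and columns, read in both directions (assumed table). Any three
# consecutive characters of a password found inside one of these counts as a walk.
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
_COLS = ["qaz", "wsx", "edc", "rfv", "tgb", "yhn", "ujm"]
KEYBOARD_WALKS = [w for s in _ROWS + _COLS for w in (s, s[::-1])]

# Common digit/symbol-for-letter substitutions, undone before looking for a plain word.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def alphabet_size(password: str) -> int:
    """Sum of the sizes of the character classes the password actually uses."""
    size = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    if any(all(c not in chars for chars in CLASSES.values()) for c in password):
        size += OTHER_CLASS_SIZE
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on strength: bits an exhaustive search over the used alphabet
    must cover. Words, names and patterns are far cheaper to guess than this bound."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def keyboard_walk(password: str) -> bool:
    """True if any three consecutive characters lie on a keyboard row or column."""
    p = password.lower()
    return any(p[i:i + 3] in walk for i in range(len(p) - 2) for walk in KEYBOARD_WALKS)


def word_plus_digits(password: str) -> bool:
    """True for the 'word', 'word##', '##word' and '##word##' shapes seen in the
    cracked list, after stripping decorative symbols at the ends and undoing leet
    substitutions (so 'b1anca' is still just a name). Needs at least four letters."""
    core = password.strip(string.punctuation)
    if re.fullmatch(r"\d{0,4}[A-Za-z]{4,}\d{0,4}", core):
        return True
    return re.fullmatch(r"[A-Za-z]{4,}", core.translate(LEET)) is not None


def assess(password: str) -> list[str]:
    """Reasons the password looks weak; an empty list means none were found."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    bits = entropy_bits(password)
    if bits < MIN_BITS:
        reasons.append(f"brute-force bound {bits:.0f} bits < {MIN_BITS:.0f}")
    if keyboard_walk(password):
        reasons.append("contains a keyboard walk")
    if word_plus_digits(password):
        reasons.append("single word with digits tacked on")
    return reasons


if __name__ == "__main__":
    # Samples taken from the post: cracked ones first, then the "good" ones.
    for pw in ["Zaq12wsx", "buddy55", "1jesusislord", "John3:16", "b1anca",
               "\\|+&>u6T:(Ab", "9vXY;", "S6>>6P5Y#CK7g3",
               "i’llAlwaysRememberThisLongmotherfuckerOfAPassword,bitches!!!"]:
        print(f"{entropy_bits(pw):6.1f} bits  {assess(pw) or 'no obvious weakness'}  {pw}")
```

Note what the bound alone misses: 1jesusislord clears both the length and the 60-bit line, and only the shape check catches it, which is the point of the cracked list. The long passphrase at the bottom scores highest because its length dominates, while the five-character 9vXY; fails on every count no matter how many symbols it uses.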

Seriously now: Change your passwords at every web site where you log in with a password. EVERY ONE OF THEM! NOW!! You’ve been given fair warning. 🙂

This public service announcement brought to you by a freaky longhair who doesn’t want you to suffer impersonation fraud.


11 thoughts on “Heartbleed Public Service Announcement”

  1. theinfiniterally

    Oh man. Gah. Thanks for this.

    I know this is bad, but I’m going to pretend I didn’t see this until the morning.

  2. digitalgranny

Oh hell again. This is why I got a Mac, an iPhone and an iPad.
    Yawns, scratches back side and wanders off to bed.

    1. happierheathen Post author

      Your data is at risk (or already compromised) no matter what operating system you use on your end of the wire. This bug affects not just web servers, but also mail servers, chat servers, pretty much anything you connect securely to on the internet. And, again, it doesn’t matter whether or not you are using fruity devices.

        1. happierheathen Post author

          I’ve always figured that safety is an illusion, but I’m kinda weird that way.

          I’ve burned myself out with all of the hours I’ve spent updating software, rekeying SSL certificates, and so on since the announcement of this bug on Monday, and just spent the last four or five hours changing every darn password I’ve got for web sites and mail services. This is probably the nastiest bug ever to hit the internet, and it’s been out there for two years — with evidence of active exploitation going back to November. That’s not an indication that it wasn’t being actively exploited long before, though, as exploitation doesn’t actually leave evidence and that from November exists only because someone was sniffing network packets on his own server and saw it in real time. Governments and militaries, including our own, have large staffs of full time programmers whose only job is to review software to identify exploitable bugs that they can use for spying on people, and they don’t tell anyone else about the ones they find.

          Well, except for the fact that people talk, and there’s big money in selling unknown exploits on the black market… It’s time to change passwords everywhere you’ve got ’em.
