You are viewing a read-only archive of the old DiS boards.
This seems like a big deal.
Change your passwords.
Subquestion: have any of you been the victim of identity fraud / bank account hacking etc?
twice in the last few years. Got noticed really early on by the bank(s) both times, with full refunds, mercifully.
I hadn't applied the most recent security update, and ended up with a Sainsbury's redirect: they picked up the bank details as I was doing online shopping.
these tips are kind of impossible to follow
Don't choose one obviously associated with you
Hackers can find out a lot about you from social media so if they are targeting you specifically and you choose, say, your pet's name you're in trouble.
Choose words that don't appear in a dictionary
Hackers can precalculate the encrypted forms of whole dictionaries and easily reverse engineer your password.
Use a mixture of unusual characters
You can use a word or phrase that you can easily remember but where characters are substituted, eg, Myd0gha2B1g3ars!
Have different passwords for different sites and systems
If hackers compromise one system you do not want them having the key to unlock all your other accounts.
Keep them safely
With multiple passwords it is tempting to write them down and carry them around with you. Better to use some form of secure password vault on your phone."
it's such a fucking hassle though
two old car numberplates. Less successful for personalised numberplates
then good luck to them
I can't even remember my current car numberplate
QUICK!!! EVERYONE CHANGE ALL YOUR PASSWORDS NOW!!!
blah blah blah
bottom of the page: "low to medium risk"
during the authorization process, then again I don't know what's going on, on the rails side so I could be chattin' breeze.
It does mean your password is sent unencrypted, but that's all
would be a reason for DiS to use SSL?
But DiS doesn't take payments or sensitive information, and doesn't promise any kind of security.
I personally would never expect my login details to be secure on a site like this.
we just don't need https:// stuff.
but they're transmitted from the user's browser to your server unencrypted. Encrypting that transmission is where HTTPS would come in.
But I agree that you don't need it.
talking about this cunting virus cunt, even the cunting BBCuntingC this cunting morning.
So do you cunting think I should cunting well change my cunting passwords? Have you cunts?
Changing them does not solve the problem so it is pointless for now.
Only true if the servers haven't been fixed, and all "big name" services will have done this by now.
Fixing the servers prevents further exploits, but unless you are sure that their encryption key was not compromised, changing your password would do nothing to protect you.
Until you are sure that this has also been done for the specific website you use, you can't know that your details will then be safe
Don't need a fancy tool, can just use your browser
eg Yahoo changed theirs 2 days ago
I don't think checking this is quite the surefire guarantee you suggest, and most users would not know to check that anyway. Some people will have already changed their passwords too soon, thinking they are safe and yet still be vulnerable. No harm in changing your passwords of course, but ideally each website should be proactive in keeping their users informed.
So even if they were compromised, they can't be used any more. It doesn't prove that they've patched OpenSSL, but changing the certificates without having sorted the root problem first would be bonkers.
I totally agree that sites should be keeping users informed - considering that this exploit made it past nerd-news into normal news, I'm surprised that I haven't had an email from places like Facebook and Twitter advising if anything needs to be done. I've had *one* email from a webservice and it basically just said "we never used OpenSSL so no problem for us".
It's an exploit.
You should change your passwords for important things, especially if you use the same password/email combination across many services.
The data that the exploit returns is random, but it could be an email address/password combination, which the attacker could then try to use on other sites.
Use a unique password for email, banks and paypal.