Loading...
  OR  Zero-K Name:    Password:   

SHAttered, Cloudbleed

10 posts, 741 views
Post comment
Filter:    Player:  
sort

7 years ago
Looks like today was an interesting (and scary) day in terms of internet security.

Google published the first SHA-1 collision. This, for example, makes it possible to create two pdf documents (also applies to other file types) that will look identical to a service comparing them based on the SHA-1 hashing algorithm, but can have entirely different contents. Somebody could get you to "agree" to a completely different contract than you see.
SHA-1 has been declared obsolete since 2011, but it's still widely used. However, this vulnerability is nothing compared to the second one.

Unrelatedly, Google found that CloudFlare servers are leaking memory into the world, containing anything from IPs over URLs and headers to plaintext passwords. Worse, it could be from traffic on completely unrelated domains.

Any interaction you had with anything using CloudFlare (that's *over 4 million domains*) between 2016-09-22 and 2017-02-18 may have ended up in someone else's hands.
It is unlikely but definitely possible that a password you typed into any of those websites using CloudFlare is now out there. Given the extensive list of their customers, you should probably change your passwords (unless you like to live dangerously).
+4 / -0
Now is a good time to point out that if you aren't using a password manager/vault, you're nuts.

I recommend lastpass. It is encrypted in their storage (I.E. the cloud has no access to your data (meaning that if you lose your master password you're 100% fucked)) and has a fantastic app and chrome extension.

There are other managers like dashlane and if you like painful interaction and low portability, keepass.

Essentially every site that you use should have a different password and you should not know that password (this is the whole point of using a vault. For example, by default I use 32 character passwords for every site that allows that many characters (a lot of times I have to dumb down to 16) and they look somehting like: TnyIqar0T98!KpfzOt#0Ltk#1BhLrL&6

Do eeeeet now. Then, when you see news like this, you can shrug and say, "Oh, that's interesting."
+0 / -0

7 years ago
ive used the same password for about 14 years, and what?

noobdy hacked me yet mofo
+5 / -0
I'm not convinced by password managers. Especially due to uni, I frequently have to log in 1) on random devices 2) into online or offline accounts 3) potentially with or without USB access. I mean, could I even log into a university PC (windows logon) using a password manager?

I just don't see it being practical, and for now I'm taking convenience over the fact that somebody could figure out access to some of my accounts by cracking one of the passwords offline and having a human look at the pattern.

I mean, in practice there are many other things to consider:
- When a security camera (not uncommon in PC cabinets) sees you typing your master password, you're fucked.
- Even typing with somebody watching from across the room can be enough for them to catch most of your password.
- Physically losing your device(s) leaves you boned.
- https://xkcd.com/538/
- 2FA is very solid (unless some criminal organization targets you specifically, but then see above).
+2 / -0

7 years ago
Also https://xkcd.com/936/
+1 / -0

7 years ago
Looks like they should've used SHAdowfury256 instead.
+1 / -0


7 years ago
You need at least 333 bits for that algorithm.
+2 / -0


7 years ago
quote:
https://xkcd.com/936/


We have a winner! Use this method, including the page you are signing up for in the password to make it contextual for each website.

Eg.

ZeroKLongLongLongPassword

FacebookLongLongLongPassword

PronhubLongLongLongPassword

All the security you ever need. Your primary email password should be changed regularly ofc.
+0 / -0

7 years ago
The key is to use different passwords for different sites, particularly for the important ones (such as email/banking). Too many shitty sites with bad security.
+1 / -0

7 years ago
unsigned long long password;
+5 / -0