*Now that (some of) everybody's passwords may have just been compromised due to the #heartbleed SSL ("https://...") bug*
in the widely used open-source OpenSSL security library, which is relied on by the majority of Apache/nginx web servers (60%+ of all servers)...
(a lot of technical details etc. are curated over here: plus.google.com/112964117318166648677/posts/MZ3jtiVm591)
... it is probably time for EVERYONE to review their #security procedures (hold off on changing ALL of your passwords, however, UNTIL
you've ascertained that all the services you use have been fixed! Many have been by now...), and that starts with passwords:
The bad news, as you will understand from reading the great, medium-length post from famed Security Expert Bruce Schneier (he recently spoke at >>> #trustycon),
which you really owe to yourself to read in full if you care about anything... is that ALL passwords that can be somewhat remembered by humans are vulnerable,
and all others are the ones you keep forgetting weekly/monthly/etc. unless you write them down.
Which is also a terrible security practice. So what's the solution? You need to use a global Password Manager of some sort, and then use a completely random password for EACH service, one that you could never remember on your own.
(I wouldn't even trust the "random" starting letters of words from a phrase known only to you approach he mentions here, because that could probably be attacked with a "dictionary-style" attack as well before long.
Note the sophisticated existing dictionary/combination attacks, including most languages known to wo/man and things like L33T-speak, that allow skilled attackers to recover up to 90%(!) of existing passwords once a user/password database is compromised.
And lest you think that Two-Factor Authentication - "2FA" - makes everything OK, keep in mind that SMS text messages and similar channels could also be subject to breach.) I have long resisted this approach myself,
thinking that I had a clever enough system of passwords, varied for each service, that I could still remember... but now that, due to Heartbleed, everything is on the table and up for review, I am going to bite the bullet and get it set up as described above.
Here are a few places to start (not an endorsement, do your own homework):
For Windows users, this may be a very good free/open-source option: www.schneier.com/passsafe.html
Sadly there is no free Mac version (there is a $15 paid one), but there is a free Android version that I will test (carefully, with 1 or 2 minor services at first!) in the coming days: play.google.com/store/apps/details?id=com.jefftharris.passwdsafe
Then there are the many Usual Suspects: LastPass, 1Password, and so forth; a pretty good list is mentioned in this Twitter thread: twitter.com/balajis/status/454113593701588992
Among them is this new entrant, whose security model I am studying right now, but which sounds good so far, and which has a free version: www.dashlane.com/security
Also potentially interesting open-source/free options:
keepassx / www.keepassdroid.com/
/cc +David Wood +Alexander Becker +Dan Durrant +Thomas Baekdal +Paul Simbeck-Hampson +Brett Legree +Eli Fennell +Steve Faktor +Sandy Fischler +Gunther Sonnenfeld +Jeff Sayre +John Blossom +John Kellden +Gaythia Weis +Kee Hinckley +Gregory Esau +Rob Salzman +Reg Saddler +Gideon Rosenblatt