Stem my bleeding heart

Screenshot of the Heartbleed web site

If you read tech news on the internet, then you will have almost certainly come across the Heartbleed bug (CVE-2014-0160). As well as being probably the first programming bug to have a logo and brand name, it’s also very serious. It affects, or affected, a significant number of web sites and web services – pretty much anything that terminated SSL or TLS using the OpenSSL library. This includes many sites running the open source Apache and nginx web servers, both of which are normally built against OpenSSL and which between them account for a majority of web sites.

The Heartbleed bug was in the ‘heartbeat’ component of OpenSSL (its implementation of the TLS heartbeat extension), and first appeared in a code commit made at around 11pm on New Year’s Eve 2011 – make of that what you will. The flaw itself is a missing bounds check: a client can send a heartbeat request claiming a payload length far larger than the data it actually sends, and the server replies with up to 64KB of whatever happens to sit in its memory, which can include private keys, session cookies and passwords. The first stable release of OpenSSL with the bug came in March 2012, and it was only fixed relatively recently. Because the bug sat in the default build of such a widely used library for two years, it has been estimated that around 17% of the world’s SSL-enabled web sites may have been affected.

If you administer a server that uses OpenSSL, then you’ll need to make sure that you update to the latest version which fixes the bug. But because the private key may have been read out of memory, you should also generate a new key pair, get a new certificate issued for the new key (reissuing a certificate for the same key gains you nothing), and revoke the old one. Session cookies and passwords that passed through the server while it was vulnerable may also have leaked, so consider invalidating existing sessions, and, if you suspect any foul play, do a full security audit. You can check your server using this tool – I’ve verified that this site was never affected.

If you’re just a regular user of the internet, then you may notice that some web sites will have forcibly logged you out. Some may also require you to change your password, and possibly re-connect any third party apps linked to your account. IFTTT emailed me to suggest changing my password, and Pocket has advised its users to do the same. Ironically, so has the web site Should I Change My Password, which notifies of data breaches. If you are not already, I would suggest using a password manager such as 1Password, RoboForm, KeePass or LastPass. LastPass users can also find out if any sites they use have been affected by Heartbleed.

Some security experts have suggested that users change all of their passwords, although only once the web sites have implemented their fixes (changing a password on a still-vulnerable site just hands the new one to anyone reading the server’s memory). This may not be necessary everywhere, and PayPal has said they were not affected by Heartbleed. However, if you’re not using strong, unique passwords for every web site then now may be a good time to do so, regardless of whether sites have been affected or not, and the aforementioned password managers will help you in that regard. A lot of sites will now accept passwords that are more than 20 characters long, with special characters; a random password of that length is far beyond what brute-force guessing can reach, provided the site stores it properly.

Unexpected plain text password in the bagging area

If you have a few spare minutes, have a read of this blog post by Troy Hunt regarding Tesco’s poor password security. Tesco, for the uninitiated, is the UK’s largest supermarket, which also sells groceries online and is presumably used by hundreds of thousands (if not millions) of British people.

Good password practice should mean that passwords are never stored in a form that can be turned back into the password: they are run through a one-way, deliberately slow hash function (bcrypt, scrypt or PBKDF2, for example), with a random salt per user so that two people with the same password get different hashes and an attacker can’t precompute a lookup table. Tesco claims its passwords are stored in an encrypted format, but presumably this is a reversible (symmetric) encryption method, because if you forget your password, Tesco will email it to you, in plain text. That means anyone at Tesco with the decryption key can read every customer’s password, and a breach of the database plus that key exposes them all. Remember, too, that email is generally neither encrypted end to end nor deleted: anyone who is snooping your emails, or who later gets into your mailbox, will be able to retrieve your password and log in to your Tesco account.

What makes this worse is that Tesco doesn’t allow for particularly strong passwords, either. They are limited to a maximum of 10 characters and can only contain letters or numbers. Even worse is that passwords aren’t case sensitive, which leaves an alphabet of just 36 symbols and at most 36^10 (roughly 3.7 × 10^15) possible passwords – well within reach of an offline cracking rig if the password database were ever stolen. To top it off, the tesco.com web site uses very old versions of Microsoft’s IIS and ASP.NET, which are potentially more vulnerable to security attacks.
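To make the contrast concrete, here is an added example (my own illustration, not Tesco’s code or anything from Troy Hunt’s post) of how a site should store and check a password – a per-user random salt and a slow one-way hash, with nothing stored that could ever be emailed back – alongside a small calculation of how many passwords each policy allows. The iteration count is an assumption taken from current OWASP guidance for PBKDF2-HMAC-SHA256, and the sample passwords are made up.

```python
import hashlib
import hmac
import math
import os
from typing import Optional

# Assumption: iteration count follows current OWASP advice for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
DIGEST_LEN = 32  # bytes of derived key to store


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a storable record "pbkdf2_sha256$iterations$salt$digest" (hex).

    The record holds only the salt and the one-way digest, so the site has
    nothing it could decrypt and email back to a user who forgets their password.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user, never reused
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=DIGEST_LEN)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations),
                                    dklen=DIGEST_LEN)
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def keyspace_bits(alphabet_size: int, max_length: int) -> float:
    """log2 of the number of passwords of length 1..max_length over the alphabet.

    Tesco's policy described above is alphabet_size=36 (case-insensitive
    letters and digits), max_length=10; a 20+ character policy with symbols
    is roughly alphabet_size=94, max_length=20.
    """
    total = sum(alphabet_size ** n for n in range(1, max_length + 1))
    return math.log2(total)


if __name__ == "__main__":
    # Constructed sample: two customers who happened to pick the same password.
    alice = hash_password("groceries2014")
    bob = hash_password("groceries2014")
    print("same password, different records:", alice != bob)
    print("correct password accepted:", verify_password("groceries2014", alice))
    print("wrong password rejected:", verify_password("GROCERIES2014", alice))
    print(f"Tesco policy keyspace: {keyspace_bits(36, 10):.1f} bits")
    print(f"20-char mixed policy keyspace: {keyspace_bits(94, 20):.1f} bits")
```

Note that case sensitivity is part of the story: the correct password is accepted and the upper-cased variant is rejected, because each distinct string produces a distinct digest. The Tesco policy works out to a little under 52 bits, which is in the range a determined attacker can exhaust offline against a stolen database; a 20-character policy with symbols is over 130 bits.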

If you have a Tesco account, I’d therefore strongly suggest that you ensure the password you use is unique (this is good advice for any web site, but it especially applies here, because a password Tesco can email you in plain text is one that could open any other account it is shared with) and that you don’t store your credit card details with Tesco. If you don’t use Tesco anymore, then you could contact them to ask them to delete your account, citing fears about their security.

Of course, Tesco are far from being the only offenders here, and Plain Text Offenders collects examples of emails from web sites that will also send you your password in plain text.