Time to change your passwords! Yes, all of them. This one too.


Inigima

Great news everyone! Cloudflare screwed the pooch. You may or may not know that Cloudflare is a caching service that tries to serve you a snapshot of websites even when they're down, which means that a whole shitload of sites use it. You may also remember that this site uses Cloudflare, which is very stupid, because a cached screenshot of a web forum is useless because it's constantly changing! Hooray!

The upshot: Every account you have on every website that uses Cloudflare is potentially compromised. Nobody can keep track of what uses Cloudflare and what doesn't, so you should probably change every password everywhere. Even if you use a password manager, because that isn't going to help you here. 2-factor authentication is still helpful, but you may want to change passwords anyway, especially if you use non-unique passwords anywhere you care even a little bit about.

Here is a fairly readable Gizmodo article on the leak: http://gizmodo.com/cloudbleed-password-memory-leak-cloudflare-1792709635

Here is a bunch of lists of affected stuff, but realistically you aren't going to get through a 68MB text file: https://github.com/pirate/sites-using-cloudflare

Dammit. I hate hate password management and am far lazier about it than I know I ought to be. I suppose this is as good a time as any to finally get around to changing some of those weak ones I've had for 10+ years...

2 hours ago, Inigima said:

Great news everyone! Cloudflare screwed the pooch. You may or may not know that Cloudflare is a caching service that tries to serve you a snapshot of websites even when they're down, which means that a whole shitload of sites use it. You may also remember that this site uses Cloudflare, which is very stupid, because a cached screenshot of a web forum is useless because it's constantly changing! Hooray!

The upshot: Every account you have on every website that uses Cloudflare is potentially compromised. Nobody can keep track of what uses Cloudflare and what doesn't, so you should probably change every password everywhere. Even if you use a password manager, because that isn't going to help you here. 2-factor authentication is still helpful, but you may want to change passwords anyway, especially if you use non-unique passwords anywhere you care even a little bit about.

Here is a fairly readable Gizmodo article on the leak: http://gizmodo.com/cloudbleed-password-memory-leak-cloudflare-1792709635

Here is a bunch of lists of affected stuff, but realistically you aren't going to get through a 68MB text file: https://github.com/pirate/sites-using-cloudflare

Great. I'll commence new password creation tonight.

Ini - the reason a site like this would use caching is to improve performance. While it is true that much of the content is dynamic and constantly changing, websites can still gain performance improvements by caching some objects of a page such as header and sidebar content. Typically services also combine content acceleration so they can optimize paths of travel from origin to users by utilizing mapping to determine optimal route availability in near real time. It's a small nitpick, but these services are a critical component of why we are able to continue to scale the internet and obtain performance improvements. Sorry for geeking out on this but had to bring that up.

Thanks Ini for the public service announcement.

I've held off on a password manager because I can't install third party software on my work laptop, so I'd be unable to access any web account from my work laptop. Such a nuisance. I know, in theory, I should not be using my work laptop for my personal web use, but this includes online news subscriptions.

9 hours ago, Xray the Enforcer said:

I changed everything that had sensitive personal or financial information. I'll wait for Cloudflare to post a list of breached sites to address those that do not have sensitive info.

It's every Cloudflare site -- the nature of the issue is that a page request for one Cloudflare site could, in some cases, return pages from any other Cloudflare site. Full list is here but it's a 68MB text file: https://github.com/pirate/sites-using-cloudflare

They also have the "top 10k affected sites, based on Alexa rankings" listing.

17 hours ago, Robin Of House Hill said:

I'm hearing something bad, here. The longer you keep a password, the greater the chance of someone obtaining it. Change it routinely, and don't use the same password on different sites.

Kind of? Sites get hacked, and every now and then you hear about a site which stored passwords as plain text (though less so these days). That's more law of averages though. Unique passwords and changing does mitigate it.

If you switch between computers often or just don't want to use a password manager, go for a passphrase. For example, T0nyW@sR!ght`:x

1 hour ago, Robin Of House Hill said:

Agreed. A passphrase is the way to go. Also password managers like Dashlane allow you to sync your passwords between computers, tablets and phones.

If you have administrator rights to use it on all those devices. For me, moving between personal and work devices is the problem.

3 hours ago, Iskaral Pust said:

If you have administrator rights to use it on all those devices. For me, moving between personal and work devices is the problem.

There would be a secure way to do it, if you could get the password manager installed on the work devices and set so that it required entry of the master password each time it was used, but that would mean letting the boss know you were using the work computer for personal business.

Quote

You can check out a list of Cloudflare customers to see if websites you use might be affected by the leak — but keep in mind that not all of Cloudflare’s clients were affected. Because of the way Cloudflare’s code was configured, the leak was at its worst for less than a week, when 1 in every 3,300,000 Cloudflare requests might have caused leakage. As Cloudflare notes, that’s just 0.00003% of requests.

This story has been updated to clarify that authentication credentials but not passwords have been found in leaked caches.

https://techcrunch.com/2017/02/24/how-to-secure-your-data-after-the-cloudflare-leak/

Quote

You can also use the tool DoesItUseCloudflare to check on specific sites. And if you’re looking to invest a little time into your internet security to make it easier when the next security fiasco happens, try a password manager.

ETA:

Another site to check if specific sites you visit use CloudFlare: https://cloudbleedcheck.com/

17 hours ago, Robin Of House Hill said:

There would be a secure way to do it, if you could get the password manager installed on the work devices and set so that it required entry of the master password each time it was used, but that would mean letting the boss know you were using the work computer for personal business.

What I like about Dashlane is that since it syncs to my mobile, I can use the Dashlane app on my mobile as a password keeper. Then, when I want to use it on a work device I can access the password on my mobile and then type it in on my work computer as necessary.

On 2/25/2017 at 5:34 PM, AverageGuy said:

Kind of? Sites get hacked, and every now and then you hear about a site which stored passwords as plain text (though less so these days). That's more law of averages though. Unique passwords and changing does mitigate it.

If you switch between computers often or just don't want to use a password manager, go for a passphrase. For example, T0nyW@sR!ght`:x

Passphrases are definitely the way to go, but the benefit from them is due to the length, not special characters. @ for a, $ for s, ! for i, 0 for o, etc. are very common substitutions that are used in brute force & combination attacks. The best passphrases are actually 3-4 random words, like windowgarbagebuilding. That passphrase is exponentially more difficult to crack than a shorter one with crazy characters, numbers, and a mix of capitals and lowercase.

The problem though is many systems don't support passwords longer than 12-15 characters, which IMO is a HUGE flaw in many sites' security. They think it's ok because they forced you to start your password with a capital and end it with a 1. This is a big pet peeve of mine.
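Added example (mine, not from the post or any poster) putting numbers on the point above: it compares the entropy a complexity rule appears to buy with what a cracker using a dictionary plus substitution rules actually has to search, against random word passphrases. The word list size, dictionary size and guess rate are constructed assumptions; 'P@ssw0rd' is a constructed sample, 'windowgarbagebuilding' is the post's.

```python
import math

# Constructed assumptions for the attacker models (not from the post):
DICEWARE_WORDS = 7776       # size of a Diceware-style random word list
DICTIONARY_WORDS = 100_000  # size of a cracker's base-word dictionary
PRINTABLE_ASCII = 95        # charset a "crazy characters" policy implicitly assumes
GUESSES_PER_SECOND = 1e10   # assumed offline guess rate against a fast hash

# Substitutions the post says crackers try automatically: @ for a, $ for s,
# ! for i, 0 for o. Each substitutable position costs the attacker only one
# bit (substituted or not), whatever symbol the user picked.
LEET_LETTERS = set("asio")
CASE_PATTERN_BITS = 2  # lower / Capitalised / UPPER / toggled


def naive_bits(password):
    """Entropy if every character were drawn uniformly from printable ASCII.
    This is what complexity rules appear to buy; attackers don't search it."""
    return len(password) * math.log2(PRINTABLE_ASCII)


def random_words_bits(n_words, wordlist_size=DICEWARE_WORDS):
    """Entropy of n words chosen uniformly at random from a public word list
    ('windowgarbagebuilding' is 3 words): n * log2(list size)."""
    return n_words * math.log2(wordlist_size)


def mangled_word_bits(base_word, dictionary_size=DICTIONARY_WORDS):
    """Effective entropy of a dictionary word with leet substitutions and case
    changes: base-word index + one bit per substitutable letter + case bits."""
    substitutable = sum(1 for ch in base_word.lower() if ch in LEET_LETTERS)
    return math.log2(dictionary_size) + substitutable + CASE_PATTERN_BITS


def years_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Time to search the whole space at the assumed guess rate, in years."""
    return 2 ** bits / rate / 31_557_600


if __name__ == "__main__":
    print(f"P@ssw0rd, naive:     {naive_bits('P@ssw0rd'):.1f} bits")
    real = mangled_word_bits("password")
    print(f"P@ssw0rd, real:      {real:.1f} bits, {years_to_exhaust(real):.2e} years")
    for n in (3, 4):
        b = random_words_bits(n)
        print(f"{n} random words:      {b:.1f} bits, {years_to_exhaust(b):.2e} years")
```

The "real" figure for the mangled word is what a wordlist-plus-rules attack has to cover, and it is far below the naive figure; the three-word passphrase beats it on entropy despite using only lowercase letters.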

17 hours ago, Mlle. Zabzie said:

What I like about Dashlane is that since it syncs to my mobile, I can use the Dashlane app on my mobile as a password keeper. Then, when I want to use it on a work device I can access the password on my mobile and then type it in on my work computer as necessary.

True, but android phones get an advantage iPhone users don't. On an android phone you can use the Dashlane browser, much as you do on a computer with a plugin for your browser. Not available on iPhone, where you have to copy and paste.

34 minutes ago, Robin Of House Hill said:

True, but android phones get an advantage iPhone users don't. On an android phone you can use the Dashlane browser, much as you do on a computer with a plugin for your browser. Not available on iPhone, where you have to copy and paste.

Fair enough. I'm not allowed to use android for anything work related.

This topic is now archived and is closed to further replies.