This isn’t anything new by now. Heartbleed has been public for a few weeks. From what I understand, it had been a zero-day vulnerability for a while, being exploited by folks like the NSA.
But this isn’t a rant about that.
This is about changing passwords.
Lots of them.
One good thing that’s coming out of this is that I’m getting a lot more cognizant of my password usage.
Like most people, I started using the same password on a lot of sites when the internet was new. I mainly had three different passwords: my low, normal, and high security passwords. These were, unfortunately, spread far and wide.
Now I’m going through and auditing the 600+ passwords that Lastpass is storing for me. Some of them are defunct. Some of them are already good. Some are in the long list of passwords that are the same across a bunch of sites.
…sigh…
I can say that my Lastpass master password was my high-security password. Now I have a new one of that too. This password was then generated by pwqgen which, in turn, was inspired by XKCD. *
Back to changing passwords.
* – No, it’s not “correct horse battery staple”.
HA! Seeee! This is what I was just telling someone. I don’t trust these password managers.
No… you read it the wrong way. The password manager is what makes solving this even possible! What you need is every site to have a different, impossible to guess password. The chance of you remembering the passwords is zero, so you need a manager.
Why different passwords? So when one site gets compromised, which will eventually happen for one of them, all of the rest of your sites are still safe. If you shared passwords then getting your password on one would open up the rest of the sites to the attacker — even if other sites were otherwise not leaking passwords.
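The audit described in the post (finding passwords shared across sites in a vault export) and the reply's point about reuse, as an added example that is not code from the post, from Lastpass or from pwqgen. It assumes a CSV export with `url`, `username` and `password` columns (an assumption, constructed sample data below) and adds a simple XKCD-style passphrase generator with its entropy calculation for the replacements.

```python
import csv
import io
import math
import secrets
from collections import defaultdict

# Constructed sample of a password-manager CSV export; none of these are real credentials.
SAMPLE_EXPORT = """url,username,password
https://bank.example,alice,Tr0ub4dor&3
https://forum.example,alice,summer2009
https://shop.example,alice@example.com,summer2009
https://mail.example,alice,Tr0ub4dor&3
https://news.example,alice,v9$Qz!kL2pX#r7
"""

# Constructed toy wordlist; a real generator would load a list of thousands of words.
SAMPLE_WORDLIST = ["correct", "horse", "battery", "staple", "anchor", "velvet", "quartz", "lantern"]


def find_reused_passwords(export_csv):
    """Group vault entries by password and return {password: [urls]} for every
    password that appears on two or more sites (the clusters worth changing first)."""
    sites_by_password = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        sites_by_password[row["password"]].append(row["url"])
    return {pw: urls for pw, urls in sites_by_password.items() if len(urls) > 1}


def passphrase_entropy_bits(word_count, wordlist_size):
    """Entropy of word_count words drawn uniformly at random from wordlist_size words."""
    return word_count * math.log2(wordlist_size)


def generate_passphrase(wordlist, word_count=4, separator="-"):
    """XKCD-style passphrase; uses the OS CSPRNG via secrets, never the random module."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    # Report only site counts and URLs, not the shared password itself.
    for pw, urls in find_reused_passwords(SAMPLE_EXPORT).items():
        print(f"one password shared by {len(urls)} sites: {', '.join(urls)}")
    print(f"4 words from a 4096-word list: {passphrase_entropy_bits(4, 4096):.0f} bits")
    print(generate_passphrase(SAMPLE_WORDLIST))
```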