GooberTheHat wrote:This might help https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txtSpoiler:
beano wrote:Everyone should two factor authenticate at this point.
mistercrayon wrote:I normally get xkcd but I have no clue what that means for my passwords
The Heartbleed bug has received a lot of news coverage recently and was also the topic of the previous comic 1353: Heartbleed. This comic explains how the bug may have been discovered and can be exploited to reveal a server's memory contents.
A hypothetical cracker Meg sends heartbeat requests to the server, the server responds to the heartbeat request by returning the contents of the body of the request up to the number of letters requested. The first two requests are well formed, requesting exactly the number of characters in the request body. The server's memory is showing Meg's request with many other requests going on at the same time.
The last request asks for "HAT" but requests that it be 500 letters long; the server — not checking if or simply unaware that 500 letters is larger than the request body — returns "HAT" plus 497 letters that happened to be next to the word "HAT" in its memory. Included are many sensitive bits of information, including a master key and user passwords. One of the passwords shown is "CoHoBaSt", a reference to 936: Password Strength, which suggests using "correct horse battery staple" as a password.
Often popular explanations of security bugs require the issue to be simplified a lot and to leave out a lot of details. In this case Randal didn't have to do much simplifying; the bug is actually that simple. Also, it should be noted that any client which can connect to the server typically can exploit this bug in the underlying OpenSSL software — the use of the term "User Meg" does not imply that Meg had to authenticate first.
The title text is a reference to Are you there God? It's me, Margaret. a novel by Judy Blume, and plays off of the "server, are you still there?" line in every panel where she did start a request. Meg can be a nickname for Margaret as well as Megan, which perhaps explains why the character's usual name, Megan, is abbreviated here.
beano wrote:https://haveibeenpwned.com/
https://pwnedlist.com/query
Check 'em. Then break yo'self fool!
Sorry, but I'm drinking OJ in the hood here.
It looks like you're new here. If you want to get involved, click one of these buttons!