Disclaimer: this blog post will be long and full of technical information! It is interesting and informative, but long and very technical, so read at your own risk.
As many of you might have heard, a rather serious security breach was found in what was believed to be one of the most secure protocols in existence. I'm talking, of course, about the infamous "Heartbleed" bug. I do wish to clarify one thing: Heartbleed in itself is not a form of attack but rather a bug, a rather serious one, in the engine of the famous cryptographic software library OpenSSL. The bug allows whoever abuses it to retrieve more information from the server than they are entitled to. To explain a little, imagine a world in which, whenever I asked you a question, I had to tell you how many characters your response should hold, and you were bound to answer with exactly that many characters, even if the answer to my question had fewer. Now, normally, if I asked to retrieve a string of information that I know in advance is 50 characters long but told the server that I'm expecting 51 characters, the server would drop the request, since the request would be suspicious. But what if some bug caused the server not to verify the length? The server would simply give me all 51 characters, or 500, or however many characters I requested; basically, I could get the entire server dump from any page that used OpenSSL! That, in essence, is the bug referred to as "Heartbleed". For more information, you can follow this link.
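To make the "does the claimed length fit?" check concrete, here is an added example in C (my own code, modelled on the heartbeat message layout; it is not OpenSSL's code and not from the original post). The unchecked variant trusts the length field inside the message, the checked variant first confirms that the claimed payload, header and padding fit inside the record that was actually received, which is the shape of the check the fix added. The helper `hb_build` and the function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Layout of a TLS heartbeat message (RFC 6520): 1-byte type,
 * 2-byte big-endian payload_length, payload, then >= 16 bytes of padding. */
#define HB_HDR 3
#define HB_PAD 16

/* Pre-fix behaviour: trusts the length field in the message and copies
 * that many bytes out of the record, whatever the record actually holds.
 * Only ever call this with a record whose length field is honest. */
static int hb_reply_unchecked(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap)
{
    (void)rec_len;  /* never consulted: this is the bug */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + payload + HB_PAD > out_cap) return -1;
    out[0] = 2;                          /* heartbeat_response */
    out[1] = rec[1]; out[2] = rec[2];    /* echo the length field */
    memcpy(out + HB_HDR, rec + HB_HDR, payload);
    memset(out + HB_HDR + payload, 0, HB_PAD);
    return (int)payload;
}

/* Post-fix behaviour: the claimed payload (plus header and padding)
 * must fit inside the record that was actually received. */
static int hb_reply_checked(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_PAD) return -1;            /* too short to parse */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + payload + HB_PAD > rec_len) return -1;  /* the fix: reject */
    return hb_reply_unchecked(rec, rec_len, out, out_cap);
}

/* Build a constructed heartbeat_request record for testing: `claimed` goes
 * into the length field, `actual` is how many payload bytes are really present.
 * Returns the record length. */
static size_t hb_build(uint8_t *rec, size_t claimed, const char *body, size_t actual)
{
    rec[0] = 1;                                           /* heartbeat_request */
    rec[1] = (uint8_t)(claimed >> 8); rec[2] = (uint8_t)claimed;
    memcpy(rec + HB_HDR, body, actual);
    memset(rec + HB_HDR + actual, 0, HB_PAD);
    return HB_HDR + actual + HB_PAD;
}
```

With an honest request both variants return the same reply; with a request that claims more payload than it carries, only the checked variant refuses.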
Now that you all know a bit more about it, it's time to relax a little: I've spoken to Juvix, and our security is not compromised, as the SSL solution we use is not subject to the Heartbleed bug, so our information, along with your passwords, e-mail addresses, messages and everything else on the website, is safe and sound! That said, a secure password is always useful and helpful, not only for you but for the entire community, and I think it's only fair that I tell you how it works. Most servers store passwords in an encrypted form using a one-way encryption key. One-way encryption basically means that the key used to encrypt the string will not decode it correctly; truth be told, in most cases it can't be decoded at all! That is why most servers let you change your password if you forgot it, but not simply retrieve it. Authentication is done in the following manner:
With all the previous information at hand, there is always the risk of reverse engineering: basically, engineering a key that would take the encrypted string and decode it, or some of it. To make it harder to decode, there are some rules that can help you create a password that is extremely hard to decode.
You can check the strength of your password here.
Excellent article - Thanks for the publication Davsank!
Good article. It explains a technical issue in a very understandable way.
Thanks!
Maybe I'm just more technically minded than the average bear, but this didn't seem overly technical at all to me, and even then anything they don't get should be fairly easily googleable.
Amazing article
Another tip for passwords is longer is always better than complex because of the nature of brute forcing. It's also much easier to remember a sentence than a random string of letters and numbers.
LastElf, bruteforcing is no longer an effective password hacking tool, and hasn't been for the last couple of years, and while I agree a longer password is harder to decode, having a simple password is a security breach waiting to happen, no matter how long. Having a long AND complex password is the best way to go. Don't forget, though, at LEAST 8 characters :)