White Collar Handyman
In-Home and In-Office Technology Concierge Services
Lessons & Tutoring • Repair • Troubleshooting • Upgrades & Installation
Fast Response • Reasonable Rates • In Your Home or Office • Same Day Service Available
(781) 989-2373
Wednesday, April 30, 2014
An Open Letter to Web Sites Where I have a User Account (All 162 of You)
Congratulations on your new certificates. I'm very excited to change my passwords and all my security questions at each of your sites in the next few days… and to keep changing them every few months for the rest of all of eternity.
I know this "Heartbleed" thing has been a real drag for everyone, but in its wake can I ask for a few simple things moving forward? I think it's a pretty reasonable list:
1. I'd like to be able to use more than 9 characters in a password. I'm looking at you Discover. Is space on your server so dear that an extra dozen characters or so would kill you?
2. I'd like all special characters to be OK. Really, if I can type it on a computer keyboard, you ought to be able to deal with it. It's 2014. Do you realize that if I can use symbols and special characters, my password can be shorter and just as secure? An 11 character password made up of all available characters has the same 80-bit security as a 14 character password made up of only case sensitive alphanumeric characters.
3. I'd like to know up front what your particular parameters for acceptable password length and composition are. In other words, when you tell me "At least 7 characters/1 Number" it's of no use at all when I enter 30 characters, and then you tell me that's too many. And then I enter 24 characters and again you tell me that's too many. How about just telling me "at least 7 and no more than 20?" And whether or not "special characters" are OK. Thanks CVS. Changing my password with you was almost as much fun as playing Candy Crush, and just as challenging.
4. If I want to say that my mother's maiden name was "0(jK1bBn," what's it to you? To me, it's better security than posting all kinds of personal information to be stolen by hackers the next time you leave the hen house open. Just like having a different password at every site, I kind of like to have different security question answers as well.
Finally, maybe think about not hiding the "sign out" button in a different place on every single site. If I want to play "Where's Waldo," there's an app for that.
Sincerely yours,
Rob Falk
Thursday, April 17, 2014
Annoyed By Facebook's Automatically Playing Videos?
Turn them off!
Just go to "Settings" (a little triangle in the upper right part of your window will open a drop down menu that takes you there) and look for "Videos" in the left column. (Mac users will need to use Chrome or Firefox to make the change. For unknown reasons, the "Videos" setting doesn't show up in Safari, although once you change the setting, it will work on all of your browsers.)
Make the change by clicking on "Videos" and choosing "Off".
Unfortunately, you'll need to make separate changes to your phone in order to stop the pesky buggers from running by themselves there, at least on Wi-Fi. Cousin Markie doesn't let us turn them off entirely, but at least they won't chew up your data.
Android Users: Open Facebook, open the left sidebar, and tap "App Settings." Check the "Auto-Play Videos on Wi-Fi Only" box.
iOS Peeps: Open the "Settings" app, find "Facebook" (down below "Game Center") and then click on "Settings." Click the toggle next to "Auto-play on Wi-Fi Only" so that the toggle shows green.
Saturday, April 12, 2014
Your Password WILL be Hacked. Not If, When. Fight Back.
Just this week, a well-meaning financial planner sent an email blast to advise his clients to change the passwords to all their web accounts, including the investment accounts that he managed. So far, so good… He suggested that his clients use a different password at each website (good.) Unfortunately, he suggested that they use a simple formula (horrible.) He wrote:
“I take the site name for example "gmail", capitalize the first letter, and then add "my own" 3 or 4 digit code, for example "1234" (but do not use this sequence as it is easy to break) . . . so applying the formula, the password would be "Gmail1234". Similarly, if I were to be using PenPal, it would be "Penpal1234" or "Pen1234.” The problem with this approach is this: If I’m a hacker and I manage to get hold of one of his usernames and passwords, for instance the aforementioned “Google1234,” I would immediately try the same username with “Amazon1234,” “Chase1234,” “Citi1234,” “UBS1234,” “Paypal1234,” etc., at those sites. How am I doing so far?
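From the defender's side, the weakness above is mechanical enough to detect. The following is an added Python example, not code from the post, showing a check a sign-up form or a password-manager audit could run to flag a password built from the site name plus a short digit suffix; the helper names and the sample vault are constructed for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches "<letters><3-4 digits>", the shape of the planner's formula.
_FORMULA = re.compile(r"^([A-Za-z]+)(\d{3,4})$")


def formula_parts(password: str, site_name: str) -> Optional[Tuple[str, str]]:
    """Return (word, digits) if the password is a prefix of the site name
    (at least 3 letters) followed by a 3-4 digit suffix, else None.
    Hypothetical helper written for this example."""
    m = _FORMULA.match(password)
    if not m:
        return None
    word, digits = m.group(1), m.group(2)
    # Normalise "PayPal.com" -> "paypalcom" so prefixes compare cleanly.
    site = re.sub(r"[^a-z]", "", site_name.lower())
    if len(word) >= 3 and site.startswith(word.lower()):
        return word, digits
    return None


def is_site_derived(password: str, site_name: str) -> bool:
    """Policy check a sign-up form could apply: reject site-name formulas."""
    return formula_parts(password, site_name) is not None


def audit_vault(entries: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each site whose password follows the formula to its digit suffix."""
    flagged: Dict[str, str] = {}
    for site, password in entries:
        parts = formula_parts(password, site)
        if parts is not None:
            flagged[site] = parts[1]
    return flagged


def shared_suffix(flagged: Dict[str, str]) -> Optional[str]:
    """If two or more flagged sites reuse one suffix, return it: one leak
    then exposes every other account built the same way."""
    suffixes = set(flagged.values())
    return suffixes.pop() if len(flagged) > 1 and len(suffixes) == 1 else None


# Constructed sample vault, modelled on the sites named in the post.
SAMPLE_VAULT = [
    ("gmail.com", "Gmail1234"),
    ("paypal.com", "Pay1234"),
    ("chase.com", "Chase1234"),
    ("amazon.com", "xK7#pq!Lm2vR"),  # random password: not flagged
]

if __name__ == "__main__":
    flagged = audit_vault(SAMPLE_VAULT)
    for site, suffix in flagged.items():
        print(f"{site}: password is the site name plus {suffix}")
    if shared_suffix(flagged):
        print("Same suffix reused across accounts:", shared_suffix(flagged))
```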
For a fascinating (and depressing) explanation of why this method of password management is only a tad better than just going with “qwerty” at all of them, read Why passwords have never been weaker—and crackers have never been stronger at ars technica. It’s long and complicated. (And it's a couple of years old, meaning the situation is worse now.)
If you don’t care to dive in, then let me summarize: the guys who are cracking passwords are smarter than you are. They are using supercomputers, and can cycle through 6.2 billion combinations of letters, numbers and characters every second. They are working off of a dictionary of more than 60 million words. Every time a web site is hacked and a list of passwords is obtained, the hacking world gains even more knowledge of the passwords we use and how we use them.
This is what it’s come down to: Given enough time, your password will be hacked. All you can do is make it take long enough that you have reasonable time to keep changing your password before it is hacked.
Every one of your passwords needs to be randomly generated by a computer, and have a minimum of nine characters to make brute-force cracks infeasible. You need to change them all every three or four months.
Now is also the time to enable two-factor authentication at every website that offers it. With two-factor authentication, even if someone succeeds in hacking your password, they won't be able to log in to your account from a device that you haven’t already approved. The login won’t be allowed until after you receive a text message on your cellphone with a code, which must then be entered in addition to the password. An excellent list of sites offering two-factor authentication is found here. And remember, as good as two-factor authentication is on the sites that have it, it does nothing to prevent that hacked password from being used at another site that doesn't have two-factor protection. Which is why, class repeat after me, "we use a different complex random password at every single site."
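To put numbers on the nine-character minimum above, and on the 80-bit comparison in the April 30 post, here is an added Python example (not from the post) that uses the post's own figures of 6.2 billion guesses per second and a 60-million-word dictionary to compute entropy and the time to exhaust random passwords of various lengths; the alphabet sizes (26, 62, 95) are assumed standard ASCII counts, not figures from the post.

```python
import math

# Rate quoted in the post for the cracking rig: 6.2 billion guesses per second.
GUESSES_PER_SECOND = 6.2e9
# Dictionary size quoted in the post.
DICTIONARY_WORDS = 60_000_000

# Alphabet sizes are assumptions (standard ASCII counts), not from the post.
CHARSETS = {
    "lowercase letters": 26,
    "case-sensitive alphanumeric": 62,
    "all printable ASCII": 95,
}


def entropy_bits(length: int, charset_size: int) -> float:
    """Bits of entropy in a uniformly random password of this length."""
    return length * math.log2(charset_size)


def min_length_for_bits(target_bits: float, charset_size: int) -> int:
    """Shortest random-password length that reaches target_bits."""
    return math.ceil(target_bits / math.log2(charset_size))


def seconds_to_exhaust(length: int, charset_size: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try every password of this shape; the average hit is half this."""
    return charset_size ** length / rate


def describe(seconds: float) -> str:
    """Render a duration in its largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    print(f"dictionary of {DICTIONARY_WORDS:,} words: "
          f"{describe(DICTIONARY_WORDS / GUESSES_PER_SECOND)}")
    print(f"length needed for 80 bits: alphanumeric {min_length_for_bits(80, 62)}, "
          f"printable ASCII {min_length_for_bits(80, 95)}")
    for name, size in CHARSETS.items():
        for length in (8, 9, 12):
            print(f"{length} random chars, {name}: "
                  f"{entropy_bits(length, size):.1f} bits, "
                  f"{describe(seconds_to_exhaust(length, size))} to exhaust")
```

At the post's rate, the whole dictionary falls in under a hundredth of a second, while nine random printable characters take a few years to exhaust and twelve take millions, which is the gap the post's advice is trying to open.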
Wednesday, April 9, 2014
These Sites Don't Use SSL and Were Never Vulnerable to Heartbleed
According to data found at the Washington Post, the following is a list of 512 websites that are not vulnerable to the Heartbleed bug as of 12:00 UTC, April 8, 2014. These websites don't use SSL and so they were never vulnerable to the Heartbleed bug. Nonetheless, it would not be a bad idea to change all your passwords. Save this list for last :-)