
Watchtower identifies website vulnerabilities and alerts you when one is found. Website vulnerability information is refreshed daily to verify items in your vault. 1Password downloads the information and checks it locally against your Logins. Watchtower will list Logins associated with sites which have (or had) known vulnerabilities.
Sadly, my list of passwords that should be changed is of the "there goes my afternoon" magnitude.
When I read a news article the other day saying that Cloudforce thing meant that I had to change all my passwords right away, I was wondering if tech writers understood that changing credentials on 200+ sites doesn't just take five to ten minutes.
Watchtower has been part of 1pw for a long time, it's a bit histrionic though. Any site alerts in there should be taken with a grain of salt.
They add domains even if there is the remotest chance of compromise, which I guess is important if said sites do not use 2FA.
Well it's not like "you should change this password" is ever bad advice.
Your password change party should start with 1Password.
http://venturebeat.com/2017/02/24/content-delivery-network-cloudflare-leaked-sensitive-data-across-the-internet-for-months/
Not really.
Also, while Cloudbleed is a ridiculously embarrassing indictment of Cloudflare's engineering and security practices, it seems really unlikely to me that it would have exposed passwords. The nature of the bug was that in some cases it would leak HTML source of random sites into random other sites' requests. I don't often see my password echoed back to me in plain text by the sites I visit.
It is a bit worse: https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
"HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data"
I haven't bothered changing all of my passwords yet either though.
Indeed - 1Password's security choices probably mean you're safe here in respect of 1Password itself, although I think they're over-confident (or pretending to be more confident than they are) about the real world security achieved by their approach in the face of an active adversary (rather than a Cloudflare bug).
For ordinary sites the only thing Cloudflare is sure they didn't leak is the stuff below the HTTP session, like TLS private keys, which was handled by separate hardware. Everything in the HTTP session ended up in one heap, and they were basically ladling random stuff off the heap into other people's request bodies due to the memory access bug they persist in misleadingly calling a "leak".
No, certainly not, but when you have 2000+ entries in there it can get a bit insane.
I've been using 1Password for a few years (thanks for recommending, jwz!) and I didn't know this existed either, until the email they sent out a couple days ago about the OSX snafu. Excellent. I only have a couple hundred passwords total, and none showed up in the 'change your password now' list, but I have way more duplicates than I thought.
PS Interesting that 1Password blogged full disclosure on what happened last week. Not many software houses do that, they mostly try to bury that info. How very Canadian of them (didn't know they were Canadian, either.)
Not Cloudflare's choice.
This was found by Tavis at Google. Google's policy (for severe security problems like this) is you have 7 days. Can't fix it in seven days? Too bad, use your seven days writing an obituary for your company / project / government agency / whatever. Tavis' notes for this item say Cloudflare's disclosure "severely downplays the risk to customers".
Speaking of password managers, both Lastpass and Dashlane can automatically change the passwords of websites.
It only works with popular websites, but it comes in handy after an incident like this.
Lastpass, I find, has a fairly low success rate at changing passwords on its own and runs fairly slowly.
Same; I took it for a test drive against Dropbox, which I figured would be well supported, but it stalled out.
There's also https://haveibeenpwned.com/, but integration with your password manager is really nice.
I am so in love with 1Password it hurts
The only way to be sure your shit is right is to host your own password management tools.
In Rust?