This repository has been archived by the owner on Feb 8, 2018. It is now read-only.

change all passwords post-Heartbleed #2275

Closed
chadwhitacre opened this issue Apr 14, 2014 · 19 comments

Comments

@chadwhitacre
Contributor

Reticketing from #2259.

@chadwhitacre
Contributor Author

Including API keys.

@blrhc
Contributor

blrhc commented Mar 1, 2015

Has this all been done?

@chadwhitacre
Contributor Author

We have some passwords in LastPass and some not in LastPass. When did we sign up for LastPass? Was that before or after Heartbleed? That would at least take care of those.

@chadwhitacre
Contributor Author

First LastPass payment was on May 1, 2014. Heartbleed was April 7.

@chadwhitacre
Contributor Author

All passwords in LastPass were changed in October at the earliest. Is that after each vendor fixed heartbleed?

@chadwhitacre
Contributor Author

Ooh!

[screenshot attached: 2015-03-26, 5:09 PM]

@chadwhitacre
Contributor Author

Gah. Worthless UX. 😞

@chadwhitacre
Contributor Author

Alright, so I guess the threat here is that a site we were using was compromised before they fixed Heartbleed, and our password was potentially stolen. We need to have changed the password after they fixed Heartbleed on any domains we log in on. We can look at announcements from these services, but really we want to test the websites themselves that we provide our credentials to, and really not just the ones we provide credentials to, but any provided by the vendor (e.g., www.librato.com and metrics.librato.com). How deep down the rabbit hole do we go? Far enough to satisfy ourselves that we're okay.

@chadwhitacre
Contributor Author

Really this should turn into an exercise in collecting all of the services we use and changing the password for all of them, a manual take on gratipay/inside.gratipay.com#159.

@chadwhitacre
Contributor Author

Steps:

  • Change all passwords for services stored in LastPass.
  • Enumerate all services not stored in LastPass and change passwords for them.
  • Enumerate all services for which we have API keys and change the API keys.
  • Enumerate all services with SSH keys attached and change the SSH keys.
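
An added check (not from the thread or the Gratipay project) for the rule stated in the comments above: a credential only counts as rotated if it was changed after every one of the vendor's domains was patched, and multi-user services need outreach rather than a single password change. Service names are taken from the thread; the inventory, domains and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class Service:
    name: str
    # Per vendor domain: the date it was patched; None = not yet confirmed.
    domains_fixed: Dict[str, Optional[date]]
    password_changed: Optional[date] = None   # None = not changed since Heartbleed
    has_api_key: bool = False
    api_key_rotated: Optional[date] = None
    multi_user: bool = False                  # each user holds their own login

def effective_fix_date(svc: Service) -> Optional[date]:
    """A vendor is fixed only once all its domains are (e.g. www. and metrics.);
    the date that matters is the latest patch among them."""
    dates = list(svc.domains_fixed.values())
    if not dates or None in dates:
        return None
    return max(dates)

def audit(svc: Service) -> List[str]:
    """Outstanding actions for one service, in the order the thread's steps list them."""
    actions = []
    fixed = effective_fix_date(svc)
    if fixed is None:
        pending = [d for d, f in svc.domains_fixed.items() if f is None]
        actions.append("confirm fix date for " + (", ".join(pending) or "vendor"))
        fixed = date.max  # unknown fix date: no past rotation can be trusted yet
    if svc.password_changed is None or svc.password_changed <= fixed:
        actions.append("change password")
    if svc.has_api_key and (svc.api_key_rotated is None or svc.api_key_rotated <= fixed):
        actions.append("rotate API key")
    if svc.multi_user:
        actions.append("ask every user to rotate their own credential")
    return actions

# Constructed sample inventory: service names from the thread, dates illustrative.
INVENTORY = [
    Service("Librato", {"www.librato.com": date(2014, 4, 8),
                        "metrics.librato.com": date(2014, 4, 9)},
            password_changed=date(2014, 4, 8), has_api_key=True,
            api_key_rotated=date(2014, 10, 1)),
    Service("DigitalOcean", {"cloud.digitalocean.com": None},
            password_changed=date(2014, 10, 15)),
    Service("GitHub", {"github.com": date(2014, 4, 8)},
            password_changed=date(2014, 10, 15), multi_user=True),
]
```

Librato's password was changed a day before its second domain was patched, so it is still flagged even though the API key rotation in October is fine.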

@chadwhitacre
Contributor Author

Change all passwords that are in LastPass:

  • DigitalOcean
  • Gravatar (WordPress)
  • Librato
  • Mandrill
  • MaxCDN
  • Optimizely
  • Pagerduty
  • Piwik (Account Management)
  • Piwik (Analytics Dashboard)
  • Segment.io
  • Sentry
  • Transifex
  • Typography.com
  • UptimeRobot
  • Wufoo

@chadwhitacre
Contributor Author

How deep down the rabbit hole do we go?

For example, what about individual user accounts for services like GitHub or Sentry? Are we going to require them to change their passwords on those services? Is that even possible for us?

@chadwhitacre
Contributor Author

Not in LastPass

Production
  • Heroku
  • GitHub
  • Twitter
  • DNSimple
  • IWantMyName
  • Facebook
Financial
  • Ally
  • Citizens
  • New Alliance
  • PayPal
  • Balanced
  • Stripe
Email
  • Google (Apps, Plus)
  • Freshdesk

@chadwhitacre
Contributor Author

User Model

Single User
  • DigitalOcean
  • Gravatar (WordPress)
  • Librato
  • Mandrill
  • Optimizely
  • Piwik (Account Management)
  • Segment.io
  • Typography.com
  • UptimeRobot
  • Twitter
  • DNSimple
  • IWantMyName
  • Ally
  • Citizens
  • New Alliance
  • PayPal
  • Stripe
Multiple Users (bold = we actually have multiple users)
  • MaxCDN
  • Sentry
  • Pagerduty
  • Piwik (Analytics Dashboard)
  • Wufoo
  • Heroku
  • GitHub
  • Balanced
  • Freshdesk
  • Transifex
  • Facebook
  • Google+
  • Google Apps

@chadwhitacre
Contributor Author

I believe I changed our WordPress.com account, but now signing in to Gravatar is broken:

https://twitter.com/whit537/status/581231371080900608

:-(

@chadwhitacre chadwhitacre modified the milestones: Sprint 0, Sprint 1 Mar 30, 2015
@chadwhitacre chadwhitacre self-assigned this Mar 30, 2015
@chadwhitacre chadwhitacre modified the milestone: Sprint 1 Mar 30, 2015
@chadwhitacre
Contributor Author

I believe I was able to change the Gravatar/WordPress password after all. I was able to access Gravatar and I changed the password (again?), which happens on WordPress.com. I'm now stuck in the same login loop as before. Maybe it's a cookie expiry issue or something?

@chadwhitacre
Contributor Author

Yeah, I can access Gravatar.

@chadwhitacre
Contributor Author

What should we do about accounts that have multiple users? We don't have control. For example, we can't force everyone who is a collaborator or owner on GitHub to change their GitHub passwords. Should we make an effort to get everyone to do that?

@kaguillera
Contributor

+1 We should at least try
