Re: SSL Heartbleed Bug?

Long Member (Frequent Contributor):

The external website https://filippo.io/Heartbleed/#www.usaa.com, used to test ONLY for the Heartbleed bug, is NOT a full security assessment.

A FULL LEVEL website security test is publicly available for free at:

https://www.ssllabs.com/ssltest/index.html

Just input the full website name and click on submit. 

The website is run by http://www.qualys.com/.

A vast array of hundreds of key details are tested and reported back to you, along with a "quality" letter grade at the top of the report.

Try inputting other websites and see what this well known web security company says about them.

You will be very surprised at what "quality" of security levels is out there on many other websites.

CURRENT STATUS: SSL Heartbleed Bug

WEBSITE GURU (Prestigious Contributor):

Everyone:

Here is an UPDATE to my earlier reply posted here.

1. USAA Member Concerns (Now Answered):

  • When was the new SSL Certificate (Private Key) updated?
  • ANSWER (Via Update to News Posting here):  Although we have no indication that our security certificates have been compromised, we have obtained new certificates for usaa.com. We replaced the old certificates in the early hours of Sunday, April 13, and the new certificates today show a valid date of April 10, 2014 and an expiration date of April 12, 2015.
  • When was the old SSL Certificate revoked? (See ANSWER above).
  • When will USAA allow more than 12 characters in a Password? (See my earlier reply in a posting above).

2. IMPORTANT:

  • If you haven't done so already, it should be safe to change your passwords, if you so desire.

3. This will be my last update on this subject.

Keeping Everyone Informed
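Added example, not from any post in this thread: the update above answers two separate questions, whether the certificate was reissued after the bug became public and whether the private key behind it was actually replaced. The Go code below checks both against constructed self-signed certificates rather than the real usaa.com chain. The hostname www.example.com, the serial numbers, the one-year validity and the use of 7 April 2014 (the Heartbleed disclosure date) as the cut-off are assumptions for the demonstration; the 10 April 2014 start date mirrors the one quoted in the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// HeartbleedDisclosure is the day the OpenSSL Heartbleed bug (CVE-2014-0160)
// became public; a certificate whose validity starts before it predates the fix.
var HeartbleedDisclosure = time.Date(2014, time.April, 7, 0, 0, 0, 0, time.UTC)

// makeCert builds a self-signed certificate for host, valid one year from
// notBefore. Constructed test data standing in for a real server certificate.
func makeCert(host string, serial int64, key *ecdsa.PrivateKey, notBefore time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IssuedAfterDisclosure reports whether the certificate's validity starts
// after the disclosure, i.e. whether it can be a post-Heartbleed reissue.
func IssuedAfterDisclosure(c *x509.Certificate) bool {
	return c.NotBefore.After(HeartbleedDisclosure)
}

// SPKIFingerprint is the SHA-256 of the SubjectPublicKeyInfo: two
// certificates with the same value share a key pair, whatever their dates say.
func SPKIFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// KeyRotated reports whether newCert carries a different public key than
// oldCert. A reissue on the old key does nothing against Heartbleed: if that
// private key leaked from server memory, it is still the key in use.
func KeyRotated(oldCert, newCert *x509.Certificate) bool {
	return SPKIFingerprint(oldCert) != SPKIFingerprint(newCert)
}

// BuildScenario constructs three certificates for an assumed hostname: the
// pre-incident one, a proper replacement with a fresh key and the 10 April
// 2014 start date quoted in the thread, and a reissue that reused the old key.
func BuildScenario() (oldCert, freshCert, sameKeyCert *x509.Certificate, err error) {
	oldKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	newKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	const host = "www.example.com" // assumption for the demo, not usaa.com
	oldStart := time.Date(2013, time.April, 10, 0, 0, 0, 0, time.UTC)
	newStart := time.Date(2014, time.April, 10, 0, 0, 0, 0, time.UTC)
	if oldCert, err = makeCert(host, 1, oldKey, oldStart); err != nil {
		return nil, nil, nil, err
	}
	if freshCert, err = makeCert(host, 2, newKey, newStart); err != nil {
		return nil, nil, nil, err
	}
	if sameKeyCert, err = makeCert(host, 3, oldKey, newStart); err != nil {
		return nil, nil, nil, err
	}
	return oldCert, freshCert, sameKeyCert, nil
}

func main() {
	oldCert, freshCert, sameKeyCert, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	for name, c := range map[string]*x509.Certificate{"fresh key": freshCert, "reused key": sameKeyCert} {
		fmt.Printf("%-10s reissued=%v key_rotated=%v valid %s to %s\n", name,
			IssuedAfterDisclosure(c), KeyRotated(oldCert, c),
			c.NotBefore.Format("2006-01-02"), c.NotAfter.Format("2006-01-02"))
	}
}
```

Against a live site the same two functions apply to the leaf certificate from `tls.Dial` (`conn.ConnectionState().PeerCertificates[0]`), with the old SPKI fingerprint taken from a copy of the certificate saved before the incident. A new NotBefore alone proves only that a CA issued something after the disclosure; the fingerprint comparison is what shows the key was regenerated.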

Re: CURRENT STATUS: SSL Heartbleed Bug

nerdmatt (Contributor):

2 points of input from a web developer's perspective:

1) 12 characters is perhaps a "sufficient" length for passwords...for now.  It is by no means future-proof, though.  I also question why the limit is imposed in the first place; most modern hashing algorithms aren't affected by length.  I for one want my passwords to be at least 20, if not 30+ characters, regardless of multi-factor authentication methods.  When it comes to banking, insurance, and investments, you can never be too careful...surely you must know this.

2) If you're going to insist on limiting our password length, PLEASE do users a favor and tell us on the password-change screen...don't just lop off our input.  I use a password manager that generates long, secure passwords, and trying to paste a password in fails because it's longer than the accepted input.  Not knowing how long the password can be forces me to count characters and guess.  I have a huge pet peeve about good UX, and simply imposing the limit and not telling your users is not good UX.

Thanks,

-- Matt
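Added example, not Matt's code or anything from USAA: the two points above as server-side code in Go. It shows the failure mode of silently lopping off input past the limit (any two passwords that agree on their first 12 characters become the same password), the explicit rejection that lets a password-change screen state the limit, and that the hash itself handles a 30+ character password without any special handling. The 12-character limit is taken from the thread; the sample passwords, the salt and the 1000-iteration setting are constructed for the demonstration, and PBKDF2 over HMAC-SHA-256 is written out by hand only so the example needs no third-party package.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"unicode/utf8"
)

// MaxPasswordLen is the 12-character limit discussed in the thread
// (assumed policy value for the demonstration).
const MaxPasswordLen = 12

// ErrTooLong is returned instead of silently truncating, so the
// password-change screen can tell the user the real limit.
var ErrTooLong = fmt.Errorf("password exceeds the %d-character limit", MaxPasswordLen)

// ValidateLength enforces the limit explicitly, counting characters the way a user does.
func ValidateLength(password string) error {
	if password == "" {
		return errors.New("password must not be empty")
	}
	if utf8.RuneCountInString(password) > MaxPasswordLen {
		return ErrTooLong
	}
	return nil
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) over HMAC-SHA-256, written out to keep
// the example dependency-free. The HMAC takes a password of any length.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	idx := make([]byte, 4)
	for block := uint32(1); len(out) < keyLen; block++ {
		binary.BigEndian.PutUint32(idx, block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx)
		u := prf.Sum(nil)              // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T = U_1
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_i = PRF(P, U_{i-1})
			for j := range t {
				t[j] ^= u[j] // T ^= U_i
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// PBKDF2Hex exposes the derivation for known-answer checks.
func PBKDF2Hex(password, salt string, iter, keyLen int) string {
	return hex.EncodeToString(pbkdf2SHA256([]byte(password), []byte(salt), iter, keyLen))
}

// hashFull hashes the whole password; the extra characters cost nothing.
func hashFull(password string, salt []byte) []byte {
	return pbkdf2SHA256([]byte(password), salt, 1000, 32)
}

// truncatingHash is the behaviour the post complains about: input is cut to
// MaxPasswordLen first, so passwords sharing their first 12 characters collide.
func truncatingHash(password string, salt []byte) []byte {
	if r := []rune(password); len(r) > MaxPasswordLen {
		password = string(r[:MaxPasswordLen])
	}
	return hashFull(password, salt)
}

// SameUnderTruncation reports whether a and b collide under silent truncation.
func SameUnderTruncation(a, b string, salt []byte) bool {
	return hmac.Equal(truncatingHash(a, salt), truncatingHash(b, salt))
}

// Verify checks a full-length password against its stored hash in constant time.
func Verify(password string, salt, stored []byte) bool {
	return subtle.ConstantTimeCompare(hashFull(password, salt), stored) == 1
}

func main() {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	long := "correct-horse-battery-staple-2014" // 33 characters, manager-style
	fmt.Println("explicit rejection:", ValidateLength(long))
	fmt.Println("collides when truncated:", SameUnderTruncation(long, long[:MaxPasswordLen]+"-something-else", salt))
	fmt.Println("full-length verify:", Verify(long, salt, hashFull(long, salt)))
}
```

One caveat on "hashing algorithms aren't affected by length": that holds for HMAC-based constructions like the one above, but bcrypt, for example, only uses the first 72 bytes of the input, so a deployment that standardises on bcrypt still needs an explicit, documented limit rather than a silent one. In production the hand-written PBKDF2 would be replaced by a memory-hard KDF such as Argon2 or scrypt from golang.org/x/crypto; the validation and the constant-time comparison stay the same.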
