Hey @User673
Thank you for using Codebook and posting to the discussion forum with this question. I’ll be happy to help.
If sites I visit have log4j vulnerabilities, could a malicious intruder use that to steal my password from that site?
The log4j vulnerability doesn’t give direct access to steal passwords from a service, but it can be used to compromise the service as a whole and therefore gain access to your sensitive data/passwords.
Because of this, I can’t really provide you with a blanket yes or no answer to this question. Instead I’d like to call out that inputting/storing your password with a service is dependent on the service’s security. This has always been the case prior to the log4j vulnerability. For example, if a service decides to use poor security measures and store your password in plain text in a database which isn’t protected, then your password is almost definitely compromised.
Some services may have already patched the log4j vulnerability, whereas others might not patch it in the near future, aren’t even aware of it, or weren’t susceptible in the first place.
The Password Review feature within Codebook can assist in determining whether specific passwords have been compromised. The Password Review feature is available in Codebook for macOS/iOS:
Codebook Help - Password Review
This feature allows you to review whether your password has been leaked against a database of half a billion leaked passwords compiled by security researchers (further details in the link).
An improvement we’d like to make in the future for Codebook is to have a “Password Audit” feature which would check all your passwords/emails for if they’ve been compromised, potentially provide password weakness warnings, re-used passwords, similar passwords, etc. This is something that we’ve discussed and do have long term plans for implementing, but can’t comment on a time frame for when it would be available.
Our recommendation is to keep an eye out for emails from the services you use (they have a responsibility to disclose any breaches) and the news. If breaches are reported, use the Password Review feature to determine if those passwords have been leaked (change the breached password even if they haven’t).
Please let me know if this answers your questions and if there’s anything else I can do to assist. Thanks!
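The reply above describes checking a password against a database of leaked passwords. The example below is added here to illustrate how such a review can be done without the password, or even its full hash, leaving your device; it is not Codebook's code and makes no claim about how Codebook implements its feature. It uses the widely published range-query approach: hash the password with SHA-1, send only the first five hex characters of the hash, receive every suffix in that range together with a breach count, and compare locally. The leaked-password entries, their counts, and the `local_range_lookup` function that stands in for the remote range service are all constructed for this example.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form used by range-style leaked-password lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(password: str) -> Tuple[str, str]:
    """Split the hash into the 5-character prefix that is sent and the 35-character suffix that stays local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

# Constructed stand-in for a leaked-password database (passwords and counts are made up for this example).
CONSTRUCTED_LEAKS: Dict[str, int] = {
    "password": 3730471,
    "123456": 23597311,
    "letmein": 200000,
}

def build_range_db(leaks: Dict[str, int]) -> Dict[str, str]:
    """Group leaked hashes by prefix into 'SUFFIX:COUNT' text blocks, one block per prefix."""
    grouped: Dict[str, List[str]] = {}
    for pw, count in leaks.items():
        prefix, suffix = split_hash(pw)
        grouped.setdefault(prefix, []).append(f"{suffix}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in grouped.items()}

RANGE_DB: Dict[str, str] = build_range_db(CONSTRUCTED_LEAKS)

def local_range_lookup(prefix: str) -> str:
    """Constructed replacement for the network range query: returns the text block for one prefix."""
    return RANGE_DB.get(prefix, "")

def parse_range(text: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a mapping of suffix -> breach count."""
    table: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table

def review_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the leak database (0 means not found).

    Only the 5-character hash prefix is handed to fetch_range; the comparison happens here.
    """
    prefix, suffix = split_hash(password)
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly five hex characters")
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def review_with_audit(password: str, fetch_range: Callable[[str], str]) -> Tuple[int, List[str]]:
    """Same check, but also record exactly what was sent so the k-anonymity property can be verified."""
    sent: List[str] = []

    def recording_fetch(prefix: str) -> str:
        sent.append(prefix)
        return fetch_range(prefix)

    return review_password(password, recording_fetch), sent

if __name__ == "__main__":
    for candidate in ("password", "a long unique passphrase 9f3k"):
        count, sent = review_with_audit(candidate, local_range_lookup)
        print(f"{candidate!r}: seen {count} times in leaks; data sent: {sent}")
```

The recording wrapper makes the privacy property visible: for any input, the only value that reaches the lookup function is a five-character prefix, which could be any of many thousands of passwords. A breach count of zero is not proof a password is safe, which is why the advice above to change a password named in a reported breach still applies.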