I have been getting a lot of calls and questions about the Heartbleed security threat. I am sure you have been hearing about it on the news and on social websites. I decided that the best way to answer everyone's questions was to put all of this Heartbleed mess into non-techie terms and scare the crap out of you. Why would I want to scare the crap out of you? Because you absolutely should be scared.
What is Heartbleed and should I be worried?
This is one of the biggest security bugs the internet has ever seen. Heartbleed is a serious flaw (CVE-2014-0160), disclosed in April 2014, in OpenSSL, the encryption library used on roughly two-thirds of the web's servers to keep your username and password safe when you log in to your accounts. In simple terms, while you are logged in to a website your username, password and session details sit in the memory of the server. OpenSSL has a "heartbeat" feature that lets a client send a short message and get the same message echoed back. The mistake is that vulnerable servers trusted the length the client claimed for its message and copied that many bytes back without checking how much was actually sent, so an attacker who sends a one-byte message claiming to be 64 KB long gets back up to 64 KB of whatever happens to be in the server's memory next to it. That leaked memory (the "bleed") can include usernames, passwords, session cookies and even the server's private encryption key, and the attack leaves nothing in the server's logs. For example, you log into your bank with your account credentials and conduct whatever business you came to do. Meanwhile, an attacker exploits the Heartbleed vulnerability on the site and retrieves your username and password from the server's memory. Now the attacker has your credentials. Are you scared yet?
Should I change my passwords right now?
The general recommendation from the security experts is to change your passwords. Which passwords? All of them. While it is true that not all sites are affected by Heartbleed, unfortunately many of you use the same username and password combination on multiple sites. So maybe you have a Yahoo or Facebook account that was vulnerable and you use the same username and password to log into Twitter, which apparently was not vulnerable. It doesn't matter that Twitter wasn't vulnerable. The attacker still has your password because you're using the same credentials for both sites.
But here's the rub. Don't change your password on sites that haven't fixed the problem yet, or there is the potential that you'll just have your account compromised again. And this time the chance is much higher, since it is now a known vulnerability and people know how to exploit it. Fixing it properly means two things for the site: updating OpenSSL, and replacing its certificate and private key, because the old key may already have leaked and could still let an attacker read traffic to the site. So how do you know? Look for official communication from those sites, or messages posted on their websites. You can also use an online Heartbleed checker: just type in the address for the web site and wait a few seconds. It will tell you whether the site is currently vulnerable or not. A clean result only means the site is not vulnerable right now, not that it never was, so still change that password once the site says it has been fixed. You could also download the Heartbleed Chrome extension. With the extension installed, whenever you browse to a website that is vulnerable, you'll get an alert.
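To make the "chunks of memory" concrete, here is a Python simulation I have added for this post; it is not code from the original post or from OpenSSL. It models the heartbeat message format, a server that trusts the client's claimed length (the bug), a server with the one-line bounds check (the fix), and the probe an online checker sends. The server "memory" and the leftover login form in it are constructed for the example, not a real heap layout.

```python
import struct
from typing import Callable, Optional

HB_REQUEST, HB_RESPONSE = 1, 2   # TLS heartbeat message types
PADDING = 16                     # every heartbeat carries 16 bytes of padding
MAX_PAYLOAD = 16384              # largest payload_length a checker asks for

# Constructed model of the server's memory: the heartbeat record the client
# just sent sits at the front, followed by leftover data from an earlier
# request (another user's login form). Simulation only, not OpenSSL's heap.
LEFTOVER = b"POST /login user=alice&password=hunter2 Cookie: session=9f3c21"


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Heartbeat message: type(1) | payload_length(2) | payload | padding(16).
    An honest client sets payload_length = len(payload); an attacker lies."""
    if claimed_len is None:
        claimed_len = len(payload)
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING


def vulnerable_server(record: bytes) -> bytes:
    """Models OpenSSL 1.0.1 through 1.0.1f: it trusts the length field inside
    the message and copies that many bytes starting at the payload, running
    past the end of the record into whatever else is in memory."""
    memory = record + LEFTOVER
    hbtype, payload_len = struct.unpack("!BH", memory[:3])
    assert hbtype == HB_REQUEST
    payload = memory[3:3 + payload_len]          # no check against len(record)
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING


def patched_server(record: bytes) -> Optional[bytes]:
    """Models OpenSSL 1.0.1g: the claimed payload, plus header and padding,
    must fit inside the record actually received, otherwise the message is
    silently dropped. This one comparison is the fix."""
    if len(record) < 3:
        return None
    hbtype, payload_len = struct.unpack("!BH", record[:3])
    if hbtype != HB_REQUEST or 1 + 2 + payload_len + PADDING > len(record):
        return None
    payload = record[3:3 + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING


def probe(server: Callable[[bytes], Optional[bytes]]) -> bytes:
    """What an online Heartbleed checker does: send a 1-byte payload that
    claims to be MAX_PAYLOAD bytes and return whatever comes back beyond
    that one byte. An empty result means the server is not leaking memory."""
    reply = server(build_heartbeat(b"A", claimed_len=MAX_PAYLOAD))
    if reply is None:
        return b""
    _, payload_len = struct.unpack("!BH", reply[:3])
    return reply[3:3 + payload_len][1:]          # drop the byte we sent


def is_vulnerable(server: Callable[[bytes], Optional[bytes]]) -> bool:
    return len(probe(server)) > 0


if __name__ == "__main__":
    for name, srv in (("vulnerable", vulnerable_server), ("patched", patched_server)):
        leak = probe(srv)
        print(f"{name}: leaked {len(leak)} bytes -> {leak!r}")
```

A real checker sends the same malformed heartbeat over an actual TLS connection and looks at the reply size; here the "server" is just a function, which is enough to show why a site is either leaking memory or not, and why no log entry is produced on the server side.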
That sounds like a lot of work. What sites that I log into are known to be affected by Heartbleed?
It's hard to know exactly which sites have been affected by this vulnerability, but sites like Yahoo, Google, and Facebook have confirmed that they were vulnerable. Mashable put together a Heartbleed Hit List: The Passwords You Need to Change Right Now. There is also a list on GitHub of the top 1000 websites and whether they had the vulnerability. I have put together a quick list to scare you into a password change frenzy. This is a quick list that will tell you whether you are at risk. I know you are. Because everyone is at risk.
Hotmail / Outlook: No
Yahoo Mail: Yes
Intuit (TurboTax): Yes
Amazon Web Services: Yes
Well if I need to change all my passwords do you have any advice?
We live in a digital world where we need to take every precaution to protect ourselves and our identity. Don't be lazy about security. Take this opportunity to set up a good system for creating and storing your passwords. Here are a few rules that will help you get your act together.
I came across these tips a while ago at The Geek Stuff and they will help you get on top of your Passwords.
- Rule 1 – Password Length: Use passwords that are at least 8 characters long. The more characters, the longer it takes an attacker to crack the password by guessing; 10 characters or more is better.
- Rule 2 – Password Complexity: The password should contain at least one character from each of the following groups, and ideally several from each:
- Lower case letters
- Upper case letters
- Special characters
Guidelines for avoiding weak passwords
- Password same as username or part of the username
- Name of family members, friends or pets.
- Personal information about yourself or family members. This includes the generic information that can be obtained about you very easily, such as birth date, phone number, vehicle license plate number, street name, apartment/house number etc.
- Sequences, i.e. consecutive letters, numbers or keys on the keyboard, e.g. abcde, 12345, qwert.
- Dictionary words, including dictionary words with a number or character in front or back.
- Real words from any language.
- Dictionary words with a number substituted for a look-alike letter, e.g. replacing the letter O with the number 0, as in passw0rd.
- Any of the above in reverse sequence
- Any of the above with a number in front or back.
- Empty password
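As an added example (not code from the original post or from The Geek Stuff), here is a Python checker that applies the rules above to a candidate password: minimum length, the three character groups, the username rule, keyboard and alphabet sequences, and dictionary words even when disguised with a number or symbol on either end, look-alike substitutions, or reversal. The word list is a constructed stand-in; a real checker would load a full cracking dictionary.

```python
import string
from typing import List, Set

# Constructed mini word list standing in for a real dictionary (assumption).
WORDLIST: Set[str] = {"password", "welcome", "letmein", "dragon",
                      "monkey", "football", "secret"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
SEQUENCES = (string.ascii_lowercase, string.digits) + KEYBOARD_ROWS
# Look-alike substitutions the guidelines warn about: passw0rd -> password
LEET = str.maketrans("013457@$", "oieastas")
EDGE = string.digits + string.punctuation     # stripped from front/back
MIN_LEN, GOOD_LEN = 8, 10


def has_sequence(pw: str, n: int = 4) -> bool:
    """True if pw contains n or more consecutive alphabet, digit or keyboard-row
    characters in either direction (abcd, 4321, qwer)."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        chunk = s[i:i + n]
        if any(chunk in seq or chunk[::-1] in seq for seq in SEQUENCES):
            return True
    return False


def base_forms(pw: str) -> Set[str]:
    """Candidate base words after undoing the disguises: leading/trailing digits
    or symbols, look-alike substitutions (in either order), and reversal."""
    low = pw.lower()
    forms = {low, low.translate(LEET), low.strip(EDGE),
             low.strip(EDGE).translate(LEET), low.translate(LEET).strip(EDGE)}
    return forms | {f[::-1] for f in forms}


def check_password(pw: str, username: str = "") -> List[str]:
    """Return the list of rules the password breaks; an empty list is a pass."""
    if not pw:
        return ["empty password"]
    problems: List[str] = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    elif len(pw) < GOOD_LEN:
        problems.append(f"fewer than {GOOD_LEN} characters (allowed, but longer is better)")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if username:
        u, p = username.lower(), pw.lower()
        if p == u or u in p or p in u:
            problems.append("same as or contains the username")
    if has_sequence(pw):
        problems.append("contains a keyboard/alphabet/number sequence")
    if base_forms(pw) & WORDLIST:
        problems.append("based on a dictionary word")
    return problems


if __name__ == "__main__":
    for candidate, user in (("passw0rd", ""), ("Password1!", ""), ("drowssaP99", ""),
                            ("Alice2024!", "alice"), ("qwerty123A!", ""), ("Tr0ub4dor&3", "")):
        print(f"{candidate!r}: {check_password(candidate, user) or 'OK'}")
```

The dictionary test is the part people usually get wrong: checking only the literal password misses passw0rd, Password1! and drowssaP99, which is exactly why the guidelines above call out substitution, reversal and a number tacked on the end.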
Common sense about passwords
Create unique password every time.
When you are changing a password for an existing account, it should not be the same as the previous password. Also, do not use incremental passwords when changing it, e.g. password1, password2 and so on.
Change your passwords for all your accounts once every 6 months.
The reasoning is that a stolen copy of a password (or of its hash from a breached site) can eventually be cracked offline if the attacker has enough time and processing power, so a password that changes limits how long a cracked one stays useful. Note that newer guidance, such as NIST SP 800-63B, no longer recommends scheduled rotation and instead emphasises long, unique passwords that are changed immediately when there is any sign of compromise, which is exactly the Heartbleed situation. If you do keep a recurring appointment on your calendar, use it to check for reused or weak passwords rather than to cycle through minor variants of the same one.
Never write down your passwords.
Creating a very strong password and then writing it on a piece of paper next to the computer throws away most of its benefit. Several surveys on this subject have found that many people write down their password and keep it somewhere next to the computer; some of them think a post-it note under the mouse pad is secure enough. Don't write passwords down on paper. If you want to carry your passwords with you at all times, use a password manager tool that runs from a USB stick and keep that with you.
Don’t share with anyone.
Anyone includes your friends and family. Probably you might have heard the phrase “Passwords are like underwear, don’t share with anybody”. We teach our kids several things in life. Teaching them about online safety and not sharing the password with anybody should be one of them.
Never keep the same password for two different sites. It is very tempting to create one set of passwords for all your emails, another password for all the banking sites, another password for all the social networking sites etc. Avoid this temptation and keep unique passwords for all your accounts.
Don’t type your password when someone is looking over your shoulder.
This is especially important if you type slowly, search for the letters on the keyboard and type with one finger, as it is very easy for someone looking over your shoulder to figure out the password.
Never send your password to anybody in an email.
If you follow the "don't share with anyone" rule above, this should never come up. The reason I'm calling it out specifically is that attackers routinely send phishing emails posing as a support person and asking for your user name and password. A legitimate website or organization will never ask you for your user name and password, either via email or over the telephone.
Change password immediately when they are compromised. Even if you have the slightest doubt that someone might have stolen your password, change it immediately. Don’t even waste a minute.
Don’t use the “Remember password” option on the browser without setting the Master Password.
Don't use this feature of the browser to store your usernames and passwords without enabling the "Master Password" option (Firefox now calls it the Primary Password). If you don't set one, anybody who uses your Firefox browser can see all the passwords stored in it in plain text. Also, be very careful with this option and choose "Not Now" in the remember-password pop-up when you are using a system that doesn't belong to you.
Don't type your password on a computer that does not belong to you.
If possible, don't use someone else's computer that you don't trust to log in to any website, especially a very sensitive one such as your bank. It is a very common practice for attackers to install keyloggers that record every keystroke on a system, which captures everything you type, including your passwords.
What do you use to keep your passwords safe and secure?
I use a password application called 1Password. I have a few things I look for in a good password application and 1Password has all of them.
- I want it to work on all my devices
- I want it to have a browser plugin for quick access, even in IE (I hate IE)
- Securely Sync My passwords to all devices
- Generate Strong Passwords for me
- No Password is the same on any account
- I don't even know my passwords because they are so complex
Find a password application and stick to it. Use it for everything. There are a lot of options out there. I chose 1Password because to me it was the best. As a Network Administrator I have hundreds of passwords that I need to remember for work. This app lets me keep my personal information and my work information in separate password vaults. So if you asked me what password keeper to use, 1Password is at the top of my list.
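To show what "generate strong passwords for me" and "no password is the same on any account" mean in practice, here is a small Python example I have added; it is not 1Password's code or anything from the original post. It draws every character from the operating system's cryptographic random source, guarantees each character class appears, estimates the guessing work, and models a vault that refuses to store the same password for two sites. The character set and the site names are assumptions for the example.

```python
import math
import secrets
import string
from typing import Dict, Optional, Tuple

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?"          # assumed symbol set for the example
CLASSES = (LOWER, UPPER, DIGITS, SPECIAL)
ALPHABET = "".join(CLASSES)


def generate_password(length: int = 20) -> str:
    """Draw every character from the OS CSPRNG (secrets, never random) and
    keep the result only if each class is represented. Rejection sampling
    keeps the distribution uniform over acceptable passwords instead of
    forcing, say, a digit into a fixed position."""
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)}")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw


def entropy_bits(length: int) -> float:
    """Upper bound on the guessing work: log2(alphabet size) per character."""
    return length * math.log2(len(ALPHABET))


class Vault:
    """Minimal in-memory model of the manager's job: one random password per
    site, and a refusal to store the same password for two different sites."""

    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[str, str]] = {}   # site -> (user, password)

    def reused(self, password: str, site: Optional[str] = None) -> bool:
        """True if some other site already stores this exact password."""
        return any(pw == password and other != site
                   for other, (_, pw) in self._entries.items())

    def add(self, site: str, username: str, password: Optional[str] = None) -> str:
        if password is None:
            password = generate_password()
        if self.reused(password, site):
            raise ValueError(f"password for {site!r} is already used elsewhere")
        self._entries[site] = (username, password)
        return password

    def lookup(self, site: str) -> Tuple[str, str]:
        return self._entries[site]

    def __len__(self) -> int:
        return len(self._entries)


if __name__ == "__main__":
    vault = Vault()
    for site in ("bank.example", "mail.example"):
        print(site, vault.add(site, "alice"))
    print(f"{entropy_bits(20):.0f} bits for a 20-character password")
```

Twenty characters from this alphabet is roughly 128 bits of entropy, which is why a manager-generated password never needs the "rules" above: it is random, so it contains no word, sequence or personal detail to begin with, and you never have to remember it.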