The last time we alerted you to a major security breach was when Adobe’s password database was compromised, putting millions of users (especially those with weak and frequently reused passwords) at risk. Today we’re warning you about a much bigger security problem, the Heartbleed Bug, that has potentially compromised a staggering two-thirds of the secure websites on the internet. You need to change your passwords, and you need to start doing it now.
Important note: How-To Geek is not affected by this bug.
What Is Heartbleed and Why Is It So Dangerous?
In your typical security breach, a single company’s user records/passwords are exposed. That’s awful when it happens, but it’s an isolated affair. Company X has a security breach, they issue a warning to their users, and people like us remind everyone it’s time to start practicing good security hygiene and update their passwords. Those unfortunately typical breaches are bad enough as it is. The Heartbleed Bug is something much, much worse.
The Heartbleed Bug undermines the very encryption scheme that protects us while we email, bank, and otherwise interact with websites we believe to be secure. Here is a plain-English description of the vulnerability from Codenomicon, the security group that discovered and alerted the public to the bug:
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
That sounds pretty bad, yes? It sounds even worse when you realize roughly two-thirds of all websites using SSL are using this vulnerable version of OpenSSL. We’re not talking small-time sites like hot rod forums or collectible card game swap sites; we’re talking banks, credit card companies, major e-retailers and e-mail providers. Worse yet, this vulnerability has been in the wild for around two years. That’s two years someone with the appropriate knowledge and skills could have been tapping into the login credentials and private communications of a service you use (and, according to the testing conducted by Codenomicon, doing it without a trace).
For an even better illustration of how the Heartbleed bug works, read this xkcd comic.
Although no group has come forward to flaunt all the credentials and information they siphoned up with the exploit, at this point in the game you have to assume that the login credentials for the web sites you frequent have been compromised.
What to Do Post Heartbleed Bug
Any major security breach (and this certainly qualifies on a grand scale) requires you to assess your password management practices. Given the wide reach of the Heartbleed Bug, this is a perfect opportunity to review an already smooth-running password management system or, if you’ve been dragging your feet, to set one up.
Before you dive into immediately changing your passwords, be aware that the vulnerability is only patched if the company has upgraded to the new version of OpenSSL. The story broke on Monday, and if you rushed out to immediately change your passwords on every site, most of them would still have been running the vulnerable version of OpenSSL.
Now, mid-week, most sites have begun the process of updating and by the weekend it’s reasonable to assume the majority of high-profile web sites will have switched over.
You can use the Heartbleed Bug checker here to see if the vulnerability is still open. Even if the site isn’t responding to requests from the aforementioned checker, you can use LastPass’s SSL date checker to see if the server in question has updated its SSL certificate recently (if it was updated after 4/7/2014, that’s a good indicator that the vulnerability has been patched). Note: if you run howtogeek.com through the bug checker it will return an error because we don’t use SSL encryption in the first place, and we have also verified that our servers are not running any affected software.
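The certificate-date check described above can be done locally as well. The following is an added example, not code from How-To Geek or from either of the checkers mentioned: it reads a certificate in the dictionary form that Python’s ssl.getpeercert() returns and reports whether the certificate was issued after April 7, 2014. The two sample certificates are constructed for the example; fetch_cert() is only needed for a live lookup and is not used by the offline run.

```python
import socket
import ssl
from datetime import datetime, timezone

# The article's rule of thumb: a certificate issued after April 7, 2014 is a good
# sign that the site re-issued its certificate after patching OpenSSL.
CUTOFF = datetime(2014, 4, 8, tzinfo=timezone.utc)  # first moment "after 4/7/2014"


def not_before(cert: dict) -> datetime:
    """Issue time of a certificate dict in the shape ssl.getpeercert() returns."""
    # ssl.cert_time_to_seconds understands the 'Apr  9 12:00:00 2014 GMT' format.
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def reissued_after_heartbleed(cert: dict) -> bool:
    """True when the certificate's validity starts after the disclosure date."""
    return not_before(cert) >= CUTOFF


def assess(cert: dict) -> str:
    """One-line verdict in the spirit of the article's date check."""
    issued = not_before(cert).date().isoformat()
    if reissued_after_heartbleed(cert):
        return f"issued {issued}: re-issued after disclosure, likely patched"
    return f"issued {issued}: predates disclosure, cannot confirm a patch"


def fetch_cert(host: str, port: int = 443) -> dict:
    """Live lookup (needs network): the leaf certificate the server presents."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates; only the fields the check reads are filled in.
OLD_CERT = {
    "subject": ((("commonName", "shop.example.test"),),),
    "notBefore": "Mar  1 00:00:00 2013 GMT",
    "notAfter": "Mar  1 00:00:00 2015 GMT",
}
NEW_CERT = {
    "subject": ((("commonName", "bank.example.test"),),),
    "notBefore": "Apr  9 12:00:00 2014 GMT",
    "notAfter": "Apr  9 12:00:00 2016 GMT",
}

if __name__ == "__main__":
    for cert in (OLD_CERT, NEW_CERT):
        print(cert["subject"][0][0][1], "->", assess(cert))
    # Live check of a real host: print(assess(fetch_cert("example.com")))
```

As the article says, a fresh issue date is an indicator, not proof: it shows the operator changed the certificate, which is the normal follow-up to patching, but the check reads nothing about the server’s OpenSSL version itself.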
That said, it looks like this weekend is shaping up to be a good weekend to get serious about updating your passwords. First, you need a password management system. Check out our guide to getting started with LastPass to set up one of the most secure and flexible password management options around. You don’t have to use LastPass, but you do need some sort of system in place that will allow you to track and manage a unique and strong password for every website you visit.
Second, you need to start changing your passwords. The crisis-management outline in our guide, How to Recover After Your Email Password Is Compromised, is a great way to ensure you don’t miss any passwords; it also highlights the basics of good password hygiene, quoted here:
- Passwords should always be longer than the minimum the service allows for. If the service in question allows for 6-20 character passwords go for the longest password you can remember.
- Do not use dictionary words as part of your password. Your password should never be so simple that a cursory scan with a dictionary file would reveal it. Never include your name, part of the login or email, or other easily identifiable items like your company name or street name. Also avoid using common keyboard combinations like “qwerty” or “asdf” as part of your password.
- Use passphrases instead of passwords. If you’re not using a password manager to remember really random passwords (yes, we realize we’re really harping on the idea of using a password manager) then you can remember stronger passwords by turning them into passphrases. For your Amazon account, for example, you could create the easily remembered passphrase “I love to read books” and then crunch that into a password like “!luv2ReadBkz”. It’s easy to remember and it’s fairly strong.
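The three hygiene rules above can be turned into a small self-check. This is an added example, not code from How-To Geek or from the guide it quotes: it flags a password that is not longer than the site’s minimum, that a cursory wordlist scan would recover (including after undoing common letter-for-symbol swaps such as “@” for “a”), that contains your name, login, email or company, or that contains a keyboard run like “qwerty”. The tiny DICTIONARY and the sample user details are constructed stand-ins; a real check would load a full wordlist.

```python
import re

# Constructed stand-in for a dictionary file.
DICTIONARY = {"password", "love", "read", "books", "summer", "dragon", "welcome", "monkey"}

# Keyboard sequences the article calls out, plus two obvious siblings (assumption).
KEYBOARD_RUNS = ("qwerty", "asdf", "zxcv", "1234")

# Letter-for-symbol swaps a cursory dictionary scan undoes before looking words up.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s", "!": "i"})


def dictionary_hits(password: str) -> list:
    """Dictionary words a simple wordlist scan would find in the password."""
    low = password.lower()
    # Look at the whole password and at each space/punctuation-separated token,
    # each as typed, with swaps undone, and with digits/symbols stripped.
    candidates = set()
    for tok in [low] + re.split(r"[\s_\-.]+", low):
        for form in (tok, tok.translate(LEET)):
            candidates.add(form)
            candidates.add(re.sub(r"[^a-z]", "", form))
    return sorted(c for c in candidates if c in DICTIONARY)


def password_problems(password: str, *, min_length: int, name: str = "", login: str = "",
                      email: str = "", company: str = "", street: str = "") -> list:
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    low = password.lower()
    # Rule 1: longer than the minimum the service allows for.
    if len(password) <= min_length:
        problems.append(f"not longer than the {min_length}-character minimum")
    # Rule 2a: no dictionary words.
    for word in dictionary_hits(password):
        problems.append(f"dictionary word {word!r}")
    # Rule 2b: nothing easily identifiable (name, login, email local part, company, street).
    personal = {"name": name, "login": login, "email": email.split("@")[0],
                "company": company, "street": street}
    for label, value in personal.items():
        if len(value) >= 3 and value.lower() in low:
            problems.append(f"contains your {label} ({value!r})")
    # Rule 2c: no keyboard runs, forwards or backwards.
    for run in KEYBOARD_RUNS:
        if run in low or run[::-1] in low:
            problems.append(f"keyboard sequence {run!r}")
    return problems


if __name__ == "__main__":
    # Constructed user details for the demonstration.
    user = dict(name="Alice", login="alice42", email="alice@example.test", company="Acme")
    for candidate in ("I love to read books", "!luv2ReadBkz", "P@ssw0rd", "Alice2014!", "qwerty99"):
        print(f"{candidate!r}: {password_problems(candidate, min_length=6, **user) or 'OK'}")
```

Run as a script, the raw passphrase “I love to read books” is rejected for its dictionary words while the crunched “!luv2ReadBkz” passes, which is exactly the distinction the third rule draws; “P@ssw0rd” is caught once the swaps are undone.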
Third, whenever possible you want to enable two-factor authentication. You can read more about two-factor authentication here, but in short it allows you to add an additional layer of identification to your login.
With Gmail, for example, two-factor authentication requires you to have not just your login and password but access to the cellphone registered to your Gmail account so you can accept a text message code to input when you log in from a new computer.
With two-factor authentication enabled it makes it very difficult for someone who has gained access to your login and password (like they could with the Heartbleed Bug) to actually access your account.
Security vulnerabilities, especially ones with such far reaching implications, are never fun but they do offer an opportunity for us to tighten our password practices and ensure that unique and strong passwords keep the damage, when it occurs, contained.