Heartbleed: your passwords are public now
I am not going to waste your time here. If you want to know exactly what Heartbleed is, there are plenty of sites that will give you that. This will all be in layman’s terms and will be far from precise, but will be accurate enough for normal people.
What is Heartbleed?
Heartbleed, made public on April 7, is the nickname for a problem with some of the code that keeps the internet safe. It actually made sites that were supposed to be super secure worse than sites that were unsecured.
There has never been a vulnerability that affected this much of the internet before.
Heartbleed has nothing to do with your computer. It has to do with websites and services you use. The number of people who use the internet and have not been affected by Heartbleed is, essentially, zero. Don’t brush this off: you are not insulated from this, I promise.
From Heartbleed.com, emphasis mine:
We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.
What do I have to do?
No matter who you are, you need to get ready to change your passwords. Period. If you are the type of person who uses the same password for multiple websites or services (Gmail, Yahoo Mail, etc.), you are especially vulnerable. I’m sorry, but it’s true.
Here’s the tricky part: you have to wait until the websites you use are no longer vulnerable. The affected sites need to fix the problem on their end before you can do anything on your end.
The easiest thing you can do now is wait until the weekend and then change all your passwords. Any service that is worth its salt will have patched the leak by then. Not the safest route, but doable for people who don’t have time to be concerned. UNIQUE PASSWORDS, please. This is a great time to make sure you don’t use the same password for your bank account as you use anywhere else.
If you want to be safe, check the sites you have passwords on with this tool. If they pass the test, go ahead and change your password there. I cannot stress enough how important it is to make the password unique.
How am I supposed to remember unique passwords for all my sites?
It is worth your while to find a system that works, however you need to do it.
I’d recommend either LastPass or 1Password. I use the latter. LastPass was, technically, compromised but they claim that the compromise didn’t allow attackers to get any data. 1Password was only compromised if you use a specific part of their service, which I do not.
Both these services are helpful when changing passwords as well.
This seems like kind of a pain in the rear
Yep. But to paraphrase Zig Ziglar, “You only have to floss the teeth you want to keep.”
Be safe out there, folks.
If you think I have gotten something wrong, please let me know, and I will be happy to correct.