The last time we alerted you to a major security breach was when Adobe’s password database was compromised, putting millions of users (especially those with weak and frequently reused passwords) at risk. Today we’re warning you about a much bigger security problem, the Heartbleed Bug, which has potentially compromised a staggering two-thirds of the secure websites on the internet. You need to change your passwords, and you need to start doing it now.
What Is Heartbleed and Why Is It So Dangerous?
In your typical security breach, a single company’s user records/passwords are exposed. That’s awful when it happens, but it’s an isolated affair. Company X has a security breach, they issue a warning to their users, and people like us remind everyone it’s time to start practicing good security hygiene and update their passwords. Those unfortunately typical breaches are bad enough as it is. The Heartbleed Bug is something much, much worse.
The Heartbleed Bug undermines the very encryption scheme that protects us while we email, bank, and otherwise interact with websites we believe to be secure. Here is a plain-English description of the vulnerability from Codenomicon, the security group that discovered and alerted the public to the bug:
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
That sounds pretty bad, yes? It sounds even worse when you realize roughly two-thirds of all websites using SSL are using this vulnerable version of OpenSSL. We’re not talking small-time sites like hot rod forums or collectible card game swap sites, we’re talking banks, credit card companies, major e-retailers and e-mail providers. Worse yet, this vulnerability has been in the wild for around two years. That’s two years someone with the appropriate knowledge and skills could have been tapping into the login credentials and private communications of a service you use (and, according to the testing conducted by Codenomicon, doing it without a trace).
For an even better illustration of how the Heartbleed bug works, read this xkcd comic.
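To make the "read the memory" description above concrete, here is an added, constructed example (not OpenSSL's code and not from the original article): a simplified heartbeat handler that trusts the peer's claimed payload length, next to one that checks it against the bytes actually received, which is the shape of the fix shipped in OpenSSL 1.0.1g. The record bytes, the adjacent "secret" and the function names are all assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: a TLS heartbeat record as the server sees it in memory:
 * 1 byte type, 2 byte claimed payload length (big-endian), then the payload.
 * The peer claims 64 bytes (0x40) but only sent 5 ("hello"). Right after the
 * record, process memory holds data that must never leave the server
 * (placeholder values, constructed for this demo). The array is padded to 256
 * bytes so the over-read below stays inside this buffer. */
static const unsigned char memory[256] =
    "\x01\x00\x40" "hello"                 /* type=request, length=64, 5 real bytes */
    "password=hunter2;sessionid=ABC123;";  /* adjacent memory the record must not reach */
static const size_t record_len = 3 + 5;    /* bytes actually received on the wire */

/* Vulnerable: trusts the peer's length field and copies that many bytes, so
 * the reply drags along whatever sits after the record in memory. */
size_t heartbeat_reply_vulnerable(unsigned char *out, size_t out_cap) {
    size_t claimed = ((size_t)memory[1] << 8) | memory[2];
    if (claimed > out_cap) claimed = out_cap;   /* only protects our own out buffer */
    memcpy(out, memory + 3, claimed);           /* over-reads past record_len */
    return claimed;
}

/* Fixed: the claimed length is checked against what was really received;
 * a record that fails the check is discarded and no reply is sent. */
size_t heartbeat_reply_fixed(unsigned char *out, size_t out_cap) {
    size_t claimed = ((size_t)memory[1] << 8) | memory[2];
    if (3 + claimed > record_len || claimed > out_cap)
        return 0;                               /* discard, send nothing */
    memcpy(out, memory + 3, claimed);
    return claimed;
}

/* How many bytes beyond the real 5-byte payload a given handler would expose. */
size_t bytes_leaked(size_t (*reply)(unsigned char *, size_t)) {
    unsigned char out[256];
    size_t n = reply(out, sizeof out);
    size_t real_payload = record_len - 3;
    return n > real_payload ? n - real_payload : 0;
}

int main(void) {
    unsigned char out[256];
    size_t n = heartbeat_reply_vulnerable(out, sizeof out);
    printf("vulnerable reply (%zu bytes): %.*s\n", n, (int)n, out);
    printf("fixed reply: %zu bytes\n", heartbeat_reply_fixed(out, sizeof out));
    return 0;
}
```

The vulnerable handler echoes 64 bytes, 59 of which were never part of the request, which is exactly how credentials and keys sitting in server memory ended up in attackers' hands.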
Although no group has come forward to flaunt all the credentials and information they siphoned up with the exploit, at this point in the game you have to assume that the login credentials for the websites you frequent have been compromised.
What to Do Post Heartbleed Bug
Any major security breach (and this certainly qualifies on a grand scale) requires you to assess your password management practices. Given the wide reach of the Heartbleed Bug, this is a perfect opportunity to review an already smooth-running password management system or, if you’ve been dragging your feet, to set one up.
Before you dive into immediately changing your passwords, be aware that the vulnerability is only patched if the company has upgraded to the new version of OpenSSL. The story broke on Monday, and if you rushed out to immediately change your passwords on every site, most of them would still have been running the vulnerable version of OpenSSL.
Now, mid-week, most sites have begun the process of updating, and by the weekend it’s reasonable to assume the majority of high-profile websites will have switched over.
You can use the Heartbleed Bug checker here to see if the vulnerability is still open or, even if the site isn’t responding to requests from the aforementioned checker, you can use LastPass’s SSL date checker to see if the server in question has updated its SSL certificate recently (if it was updated after 4/7/2014, that’s a good indicator that they’ve patched the vulnerability). Note: if you run howtogeek.com through the bug checker it will return an error because we don’t use SSL encryption in the first place, and we have also verified that our servers are not running any affected software.
That said, it looks like this weekend is shaping up to be a good weekend to get serious about updating your passwords. First, you need a password management system. Check out our guide to getting started with LastPass to set up one of the most secure and flexible password management options around. You don’t have to use LastPass, but you do need some sort of system in place that will allow you to track and manage a unique and strong password for every website you visit.
Second, you need to start changing your passwords. The crisis-management outline in our guide, How to Recover After Your Email Password Is Compromised, is a great way to ensure you don’t miss any passwords; it also highlights the basics of good password hygiene, quoted here:
Third, whenever possible you want to enable two-factor authentication. You can read more about two-factor authentication here, but in short it allows you to add an additional layer of identification to your login.
With Gmail, for example, two-factor authentication requires you to have not just your login and password but access to the cellphone registered to your Gmail account so you can accept a text message code to input when you log in from a new computer.
With two-factor authentication enabled, it is very difficult for someone who has gained access to your login and password (as they could with the Heartbleed Bug) to actually access your account.
Security vulnerabilities, especially ones with such far-reaching implications, are never fun, but they do offer an opportunity for us to tighten our password practices and ensure that unique and strong passwords keep the damage, when it occurs, contained.