Heartbleed and Your Secure Passwords
Once again, password encryption is back on the minds of Americans after the discovery of the Heartbleed Bug, which is being called one of the most serious bugs to ever hit the internet.
Heartbleed is a bug in OpenSSL that allows anyone to access and read any encrypted data sent between your computer and a server. This means your username, secure password and other confidential information, including credit card numbers, could be at risk.
While many security bugs are malicious in nature, Heartbleed is believed to be an honest mistake. German coder Robin Seggelmann made an error while working on OpenSSL that went undetected for nearly two years.
When the mistake is exploited (and it is unknown whether it has been exploited), attackers are able to steal large amounts of data from a computer’s main memory relatively easily, including what you may think is a secure password.
You may think your accounts are safe, but more than 60% of all websites use OpenSSL, so the chances that your personal information could be compromised are pretty good.
What can I do about Heartbleed?
- Determine which of the password-protected websites you use run OpenSSL. Several tools are available, including a newly released Heartbleed Test Tool from McAfee, which lets you enter a URL and then reports whether a vulnerability was detected or whether the site is vulnerable at all. Remember, this only affects sites that use OpenSSL, although several large sites, including Google (which includes YouTube, Gmail and more), were affected. Mashable has compiled a growing list of affected sites.
- Determine whether affected sites have released a security patch yet to resolve the issue. If you change your passwords before a site is patched, you are still at risk. The list on Mashable notes whether a patch has been released or not. While it is unclear whether Facebook was affected by Heartbleed, the social network has released a patch and recommends changing your password.
- Change to a new secure password.
Tips for Creating a Secure Password
In the wake of Heartbleed, now is the time to brush up on ThrottleNet’s best practices for password encryption. There are seven characteristics of strong passwords you should already be using. If you are not using a secure password, now might be a good time to start.
1. Ideally, a secure password contains eight characters. Even if only six are required, eight is always preferred. Use at least one shifted character (!@#$%, etc.), one letter and one number. Some sites require this, and while others don’t, it’s always good practice to use strong passwords rather than generic passwords.
2. Do not use the same password, even if it is a secure password, for all of your private accounts. While this is easier to remember, it leaves you more vulnerable to having multiple accounts compromised at once.
3. Never write a password in an e-mail.
4. Don’t leave written usernames and passwords where they can easily be seen. Password encryption doesn’t mean anything if someone finds a written version of your password. This includes sticky notes on your computer monitor. Store them in a spreadsheet or in your phone where only you have access.
5. Never give out passwords to another user, even if it’s your favorite co-worker.
6. Lock your computer even if you are just stepping away for a few minutes.
7. Change your passwords frequently! Password encryption is not a one-time solution; it is a revolving process. If you are in charge of a corporate network, you should have a password rotation policy in place.
Once you have changed all your OpenSSL passwords post-patch, congratulations: you have survived Heartbleed. Need help protecting your business from additional vulnerabilities? Contact ThrottleNet today.