If you’ve been paying attention this week, you’ve heard about the Heartbleed encryption hole that left your sensitive account information exposed on many common websites you use every day. One estimate put the exposure rate at 2/3 of all web servers. It’s hard to remember a bigger Internet security problem in terms of number of people affected.
The flaw sat out there for two years before the public became aware of it, and one estimate says at least 500,000 websites are affected. Mashable has a good guide to common sites that many use and what their exposure is, and CNET has a list of the top 100 trafficked sites and their status. There also are some good sites out there to check individual sites you use to see if they are vulnerable, such as this one from LastPass. Chrome also has an extension called Chromebleed to detect a vulnerable site.
It’s hard to overstate how serious this is. From Tumblr’s post on the subject:
“This still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails and credit cards safe was actually making all that private information accessible to anyone who knew about the exploit. This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage and banking, which may have been compromised by this bug.”
Your identity is so tied up in all your online accounts that it should seem obvious how serious this is. Sure, I don’t care if someone hacks my Instagram, but every account broken into gives hackers access to data they could use to breach accounts that do matter to me. I’m talking banking, credit cards, social security, taxes, etc.
The Heartbleed debacle offers a convenient opportunity to get serious about securing your online data. Six months ago I got serious about my online security after a scary incident that involved a lost laptop (which, fortunately, I recovered). I went about locking down everything I had as best I could. So I know it can be done, and after the initial setup it works pretty well. Here are some simple steps I took that are very doable for anyone.
Change your passwords
Duh. Heartbleed makes this essential, but only do so on affected sites once they have applied the OpenSSL patch – otherwise you’ll just have to change it again. If a site has not patched for Heartbleed, make a note of it and come back to it when they announce the fix is in place. If you don’t want to go through the hassle of finding the password-change link on a site (and sometimes they are buried beyond belief), click on “I forgot my password” at the sign-in screen to get the process going.
Security experts recommend changing your passwords frequently, as often as every 3 months. I find this fairly impractical but would suggest changing your key passwords (read: financials) every six months.
Social media services, in particular, seem to have been hit hardest, whereas financial institutions were not. But again, a social site could offer data and clues for hackers looking to make a mess of your finances. Just because your bank isn’t on the list of exposed sites doesn’t mean you’re in the clear there.
Enable two-factor authentication
More and more, sites are moving to this added layer of security. In its most common form, two-factor authentication uses your cell phone’s text messaging service to add another level of authentication. After you enter your password, the site sends a text message with a short code that you type in on the next screen. Only with the short code and the correct password can someone get in, meaning that stealing your password isn’t enough.
I’d highly recommend two-factor authentication for anything you use that’s critical. Start with banking and credit cards, but don’t forget email. Usually when someone does a password reset, the site emails a link with instructions on how to do so. Thus if your email isn’t secure, you can be vulnerable even if you use complex passwords. Gmail is leading the way on this one and I would enable that at the very least. I also use two-factor for my online banking, credit cards, and Apple and Amazon. Basically, enable two-factor for any site that has your bank or credit card information, plus your email.
Not every site offers two-factor, but it’s good to take advantage of it if it’s available.
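To make the text-message flow above concrete from the site’s side, here is an added example (written for this post; it is not code from Gmail, any bank, or any other service named here) of how a server can issue and check a one-time code so that having the password alone is not enough. The in-memory store, the 6-digit code length, the 5-minute lifetime and the 5-attempt limit are all assumptions chosen for the illustration; the point it shows beyond the prose is that a safe second factor is random, short-lived, single-use, guess-limited, and compared in constant time.

```python
import hmac
import secrets
import time

# Constructed in-memory store of pending codes, keyed by username. A real
# site keeps this server-side (database or cache); the browser never sees it.
_pending = {}

CODE_DIGITS = 6          # assumed code length, matches the "short code" in a text
CODE_TTL_SECONDS = 300   # assumed lifetime: a code that never expires can be replayed
MAX_ATTEMPTS = 5         # assumed cap: stops online guessing of a 6-digit code


def issue_code(username, now=None):
    """Second login step: after the password checks out, mint a fresh one-time
    code for out-of-band delivery. It is returned so the caller can 'send the
    text message'; the site itself never shows it on screen."""
    now = time.time() if now is None else now
    # secrets (not random) gives a cryptographically strong, unpredictable code
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    _pending[username] = {"code": code, "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    return code


def verify_code(username, submitted, now=None):
    """True only if `submitted` matches the unexpired, unused code issued to this
    user. The code is consumed on success and after too many failures, so a
    guessed, intercepted or reused code cannot be played back later."""
    now = time.time() if now is None else now
    submitted = str(submitted)
    entry = _pending.get(username)
    if entry is None or not submitted.isascii():
        return False
    if now > entry["expires"]:
        del _pending[username]          # stale code: discard, user must request a new one
        return False
    entry["attempts"] += 1
    # compare_digest runs in constant time, so response timing does not leak
    # how many leading digits of a guess were right
    ok = hmac.compare_digest(entry["code"], submitted)
    if ok or entry["attempts"] >= MAX_ATTEMPTS:
        del _pending[username]          # single use, or locked out after MAX_ATTEMPTS
    return ok


def login(username, password, submitted_code, check_password, now=None):
    """Both factors are required: the password check AND the code check.
    `check_password` is whatever the site already uses for the first factor."""
    if not check_password(username, password):
        return False
    return verify_code(username, submitted_code, now)


if __name__ == "__main__":
    # Constructed walk-through: the first factor passes, then the user
    # types the code they received.
    sent = issue_code("alice")
    print("text message sent to alice's phone (constructed):", sent)
    print("login with code  :", login("alice", "pw", sent, lambda u, p: True))
    print("replay same code :", login("alice", "pw", sent, lambda u, p: True))
```

A fixed number of attempts per issued code is what makes a six-digit code acceptable: without it, a million guesses exhaust the space. Deleting the entry on success is what makes it single-use, so a code read off a lost phone minutes later does nothing.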
Never, ever, ever use the same password on two sites
Consider the lists above. Some sites were affected but others weren’t. If hackers had gotten your password on one site via a Heartbleed exploit, they’d have it for other sites you use if you keep the same password. The only thing they’d need is your username, but that won’t be hard because people usually use their email address or the same username as a login across multiple sites.
In short, if you use the same password on every site or only make slight variations (“gameofthrones1” vs. “gameofthrones2”) – stop doing that.
And if your password is “password,” we may need to take the Internet away from you for a little while.
Use a password manager
The most common password of 2013 was “12345” and we aren’t just talking about luggage. A good password has at least 8 characters as a bare minimum, and the services I use recommend at least 14. It should be a random mix of numbers and letters (both upper and lowercase), and when allowed it should use special characters.
There are reasons why people don’t use these types of secure passwords – they’re hard to remember, which tempts you to just write them down.
Fortunately there are very good password manager tools such as LastPass or 1Password that allow you to automatically fill in passwords by typing in a master password – yep, you only have to remember one. Then you can use the program to randomly create super-secure passwords that give you some control over the number of characters and the types of characters used. 1Password, which I use and love, lets you make passwords of up to 30 characters and I don’t have to remember any of them.
1Password is great because it syncs across multiple computers and mobile devices. I’ve used it for a couple years and it’s my favorite solution.
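As an added illustration of the two ideas in this section and the previous one (generated passwords with control over length and character types, and never reusing or lightly varying a password across sites), here is a small Python example. It is written for this post and is not code from 1Password or LastPass; the character classes, the 20-character default, the symbol set and the vault layout ({site: password}) are assumptions. It goes a little beyond the text by also estimating password strength in bits and by auditing a vault for “gameofthrones1” vs. “gameofthrones2” style variants.

```python
import math
import secrets
import string

# Assumed character classes a manager lets you toggle; drop "symbols" for
# sites that reject special characters.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?/",
}
ALL_CLASSES = ("lower", "upper", "digits", "symbols")


def generate_password(length=20, classes=ALL_CLASSES):
    """Random password of `length` characters drawn uniformly from the chosen
    classes, with at least one character from every chosen class.
    Uses `secrets`, never `random`, so the output is unpredictable."""
    if length < len(classes):
        raise ValueError("length too short to include every requested class")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling keeps the distribution uniform over all passwords
        # that satisfy the "one of each class" rule.
        if all(any(ch in CLASSES[c] for ch in pw) for c in classes):
            return pw


def entropy_bits(length, classes=ALL_CLASSES):
    """Strength of a uniformly random password: length * log2(alphabet size).
    Only meaningful for generated passwords, not ones a human chose."""
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


def _stem(pw):
    # "gameofthrones1" and "gameofthrones2" both reduce to "gameofthrones"
    return pw.lower().rstrip(string.digits + string.punctuation)


def audit_vault(vault):
    """vault: {site: password}. Returns (site_a, site_b, reason) for every pair
    that shares a password outright ("identical") or differs only by a trailing
    digit/symbol tweak ("variant"), which is what a leak on one site turns into
    a break-in on another."""
    findings = []
    sites = sorted(vault)
    for i, a in enumerate(sites):
        for b in sites[i + 1:]:
            if vault[a] == vault[b]:
                findings.append((a, b, "identical"))
            elif _stem(vault[a]) and _stem(vault[a]) == _stem(vault[b]):
                findings.append((a, b, "variant"))
    return findings


if __name__ == "__main__":
    for n in (8, 14, 30):
        print(f"{n:2d} chars, all classes: {entropy_bits(n):5.1f} bits  e.g. {generate_password(n)}")
    # Constructed vault illustrating the reuse patterns the post warns about.
    vault = {
        "bank": "gameofthrones1",
        "social": "gameofthrones2",
        "mail": "gameofthrones1",
        "shop": generate_password(30),
    }
    for a, b, why in audit_vault(vault):
        print(f"{a} and {b}: {why} password")
```

The entropy line is the reason 14 beats 8: with all four classes, each extra character adds roughly 6.4 bits, so a 14-character generated password is about 2^38 times harder to brute-force than an 8-character one from the same alphabet. The audit flags exactly the “slight variations” case: a trailing-digit tweak is still the same password to an attacker holding the original.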
If you need horror stories about why security matters, read this one by Mat Honan. The thing is, he probably was more secure than most.