You need passwords.
For your banking, email, and social media profiles, you need passwords for every account.
And Heartbleed has made every password you’ve ever had very, very vulnerable.
What Is Heartbleed?
Heartbleed is a security flaw in OpenSSL, the open-source security certificate that encrypts sensitive data. SSL (Secure Sockets Layer) is a protocol that changes website URLs from http:// to https://.
Any website using SSL to protect your sensitive data may have been compromised. Huffington Post estimates that as many as 66% of the web has been affected.
The flaw has been in existence for two years, and was only made public to the SSL community on Monday.
Security Researcher Nicholas Weaver says, “It is catastrophically bad, just a hugely damaging bug.”
What Does Heartbleed Do?
Heartbleed allows an attacker to pull a random 64k from the working memory of a specified server. A hacker won’t know exactly what data they will get, but since the operation can be performed repeatedly, a lot of sensitive data can be exposed.
With only a Social Security Number and a Date of Birth, for example, a hacker could create a lot of identity fraud.
The private encryption keys of individual servers are a high target, since they are easy to identify among the data, and they are kept in the working memory of the server.
Knowing the encryption key of a server would allow a hacker to eavesdrop on any traffic traveling to or from a server, and also to decrypt any traffic stored from the past.
“I bet that there will be a lot of vulnerable servers a year from now,” Weaver says. “This won’t get fixed.”
If you use the same password for all of your accounts, you will never forget your passwords. That’s secure. Right?
Unique Passwords Are Essential
Using the same password everywhere is a serious lack of security: if someone gets the password for your library account, they can also get into your checking account.
Are you using the same password for multiple accounts? This week is the right time to change them.
Until we can wear our passwords as jewelry, use one of the methods below to change all of your passwords this week.
Easy & Secure Password Protocol #1: Website + Template + Numbers
Create a template password, that is used for every site. For this demonstration, let’s use ‘Demonstration.’
- Now use the first letter, syllable, or word of the site you are logging into.
- Put this before or after the template word.
- Bam! You have a unique password.
For logging into this site, for example, we would use the password ‘PuraDemonstration’. Logging into Twitter, we would use ‘TwitDemonstration.’
Many sites require numbers or special characters, so let’s add some to the template. Make it something easy for you to type fast.
This creates an easy password template that you can modify for every site where you login, giving you a unique password for every site that is easy to remember.
Bonus Tip: Use different templates for different types of accounts. Social media accounts can use one template, financial accounts another, and so on. Just don’t make it too complicated, you want to remember every password without thinking about it.
Easy & Secure Password Protocol #2: Password Management Tool
KeePass (Windows) and KeePassX (Mac) are free and open source. The KeePass program generates a random password for every site you visit. The database of passwords is stored on your local computer, but you can keep it in Dropbox, for access from multiple computers.
LastPass (Windows/Mac) generates random passwords, or saves your passwords, and logs in for you. It stores your passwords in the cloud, but if its data center is compromised, your accounts still cannot be accessed. It is free to use but for $12 a year you get mobile access, too.
1Password (Mac) is $39.95 and has a sleek interface. It has plugins that work with most browsers, and the password generator lets you select the length of your password, to automatically save it to a new account as you create it.
Bonus Tip: Use the same Gmail email address as your login for all your accounts. Not only does this make it easy to remember what your username is, but it also protects you against your own email crashing. If you use email@example.com as your username, or the contact email on your account, what if your email server crashes? The ‘Forgot Password’ link needs to send somewhere safe, and Gmail is the safest bet on the internet.
Easy & Secure Password Protocol #3: Browser Plugin + Random Password Generator
Your web browser has, I’m sure, offered to save your passwords for you. The next time you visit the site, your browser will rmember to sign you in.
Use a Random Password Generator to create new passwords for all of your accounts, and save them all with your browser plugin when you re-log in to all of your accounts.
When resetting your passwords profile-wide, it’s best to update every account you can think of in one sitting. You will inevitably find some old accounts over the coming weeks or months, so be sure you can update easily as you need to.
Extra Credit: Get a VPN
A VPN (Virtual Private Network) offers an extra layer of encryption. Using a VPN after you connect to the internet masks your IP address, so incoming servers can’t tell which location you are really logging on from (very useful in Costa Rica), and encrypts everything you send and receive.
The popular VPN HideMyAss.com was found to be vulnerable to Heartbleed. For the last two years I have been using StrongVPN, which was not vulnerable. It costs around $7 a month, and for international travel and website privacy, I highly recommend using it.
Share this blog post. Click to tweet below.
Do you have a clever password protocol you’d like to share? Leave a comment, or a link to your favorite password manager.