By now you’ve probably seen a number of sites issuing warnings and suggesting (or in some cases demanding) that you reset passwords. While it’s not uncommon for sites to ask users to update security details if they are concerned about a security breach, for so many to do so at the same time suggests there was a major incident affecting a lot of sites.
There was: that incident was Heartbleed.
This article will explain the incident, but if you’re in a hurry, skip to the end for some practical tips to improve your online security.
What is “Heartbleed”?
Heartbleed is not a virus. It’s the name given to a bug in OpenSSL, the encryption library that a large share of web servers use for HTTPS, and attackers are already using it to steal information. In a nutshell, a malformed “heartbeat” message makes a vulnerable server reply with a chunk of its own memory (up to 64 KB at a time) instead of just echoing the message back, and it leaves no obvious trace in normal server logs. As many as two thirds of all websites may have been running the affected software, and operators have been frantically updating to patched versions and notifying users.
Among the most common pieces of information at risk of being stolen are user credentials: usernames, passwords, banking PIN codes and so on. Session cookies and even the server’s own private encryption key can turn up in that memory too, and the key lets an attacker impersonate the site.
Because these are so sensitive, and because there is no reliable way to tell after the fact whether anyone actually stole them, many web site operators who found their systems to be vulnerable simply assumed the worst and told their users to change their passwords, whether or not they had any evidence of a breach.
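To make the mechanism concrete, here is an added example in C (it is not code from this article, nor OpenSSL’s own code) that models the heartbeat handler. A heartbeat request is a type byte, a two-byte claimed payload length, the payload, and at least 16 bytes of padding. The vulnerable handler copies the claimed number of bytes back without checking how many were actually received; the fixed handler rejects the request when the claim does not fit. The "arena" standing in for process memory, the sample secret and all function names are constructed for the demo, and the vulnerable handler is clamped to the arena only so this program never reads outside its own buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 256
#define HB_HEADER 3      /* 1 byte type + 2 bytes payload length */
#define HB_PADDING 16    /* minimum padding the spec requires */
#define SECRET "user=alice&password=hunter2"   /* constructed sample */

/* Process memory stand-in: the heartbeat request sits at offset 0 and
 * whatever the server handled earlier sits right after it. */
typedef struct {
    unsigned char data[ARENA_SIZE];
} Arena;

/* Lay out one request in the arena and return the number of bytes the
 * peer actually sent. claimed_len is what the sender writes in the
 * length field; payload is what they really send. secret stands in for
 * another user's data that happened to be adjacent in memory. */
static size_t build_arena(Arena *a, uint16_t claimed_len,
                          const char *payload, const char *secret)
{
    size_t plen = strlen(payload);
    size_t record_len = HB_HEADER + plen + HB_PADDING;
    if (record_len + strlen(secret) + 1 > sizeof a->data) return 0;
    memset(a->data, 0, sizeof a->data);
    a->data[0] = 1;                               /* heartbeat request */
    a->data[1] = (unsigned char)(claimed_len >> 8);
    a->data[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(a->data + HB_HEADER, payload, plen);
    memset(a->data + HB_HEADER + plen, 0xAA, HB_PADDING);
    /* "leftover" data from an earlier connection */
    strncpy((char *)a->data + record_len, secret,
            sizeof a->data - record_len - 1);
    return record_len;
}

/* Shape of the vulnerable logic (OpenSSL 1.0.1 to 1.0.1f): the reply
 * length comes from the sender-controlled field and the real record
 * length is never consulted. The clamp to the arena is demo-only; the
 * real code read up to 64 KB past the request. */
static size_t heartbeat_vulnerable(const Arena *a, size_t record_len,
                                   unsigned char *reply, size_t reply_cap)
{
    const unsigned char *rec = a->data;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)record_len;                       /* the bug: ignored */
    size_t n = claimed;
    size_t avail = sizeof a->data - HB_HEADER;
    if (n > avail) n = avail;               /* demo-only clamp */
    if (n > reply_cap) n = reply_cap;
    memcpy(reply, rec + HB_HEADER, n);      /* copies past the record */
    return n;
}

/* Shape of the 1.0.1g fix: discard the request when header, claimed
 * payload and minimum padding exceed what was actually received. */
static size_t heartbeat_fixed(const Arena *a, size_t record_len,
                              unsigned char *reply, size_t reply_cap)
{
    const unsigned char *rec = a->data;
    if (record_len < HB_HEADER) return 0;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + claimed + HB_PADDING > record_len) return 0;
    if (claimed > reply_cap) return 0;
    memcpy(reply, rec + HB_HEADER, claimed);
    return claimed;
}

/* Does a reply contain the adjacent secret? */
static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t k = strlen(needle);
    if (k == 0 || n < k) return 0;
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(buf + i, needle, k) == 0) return 1;
    return 0;
}

/* Attacker sends a 5-byte payload but claims 0xFFFF. Returns the number
 * of bytes the vulnerable handler sent back, or -1 if no secret leaked. */
static int vulnerable_reply_len(void)
{
    Arena a;
    unsigned char reply[ARENA_SIZE];
    size_t rl = build_arena(&a, 0xFFFF, "hello", SECRET);
    size_t n = heartbeat_vulnerable(&a, rl, reply, sizeof reply);
    return contains(reply, n, SECRET) ? (int)n : -1;
}

/* Same request against the fixed handler: nothing comes back. */
static size_t fixed_reply_len(void)
{
    Arena a;
    unsigned char reply[ARENA_SIZE];
    size_t rl = build_arena(&a, 0xFFFF, "hello", SECRET);
    return heartbeat_fixed(&a, rl, reply, sizeof reply);
}

/* An honest request still works after the fix: exactly "hello" is echoed. */
static int fixed_honest_ok(void)
{
    Arena a;
    unsigned char reply[ARENA_SIZE];
    size_t rl = build_arena(&a, 5, "hello", SECRET);
    size_t n = heartbeat_fixed(&a, rl, reply, sizeof reply);
    return n == 5 && memcmp(reply, "hello", 5) == 0;
}

int main(void)
{
    printf("vulnerable handler: %d bytes back (secret included)\n",
           vulnerable_reply_len());
    printf("fixed handler: %zu bytes back\n", fixed_reply_len());
    printf("honest request after fix ok: %d\n", fixed_honest_ok());
    return 0;
}
```

The point to take from it: the attacker never writes anything into the server, so no memory is corrupted and nothing crashes. The server simply trusts a length it was told and reads too much, which is why the attack is silent and repeatable.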
What’s the risk, really?
The individual risk is relatively low, but the impact could be high, so this is worth taking seriously. Having your passwords stolen can lead to identity theft, fraud… a whole battery of online nastiness.
The risk is compounded by the fact that a lot of people reuse passwords across many sites, so a leak at any one could compromise many more.
If I haven’t been asked to change a password, am I safe?
No. Not all sites operate responsibly: some haven’t issued a password reset notification; some may not even be aware they were vulnerable. You should assume almost any credentials could have been exposed, and get cracking on updating them.
The only exception is a password you definitely haven’t used elsewhere, on a site whose operator has confirmed that their systems were never vulnerable. (If you run a server yourself: OpenSSL 1.0.1 through 1.0.1f are affected; 1.0.1g and later, and the older 1.0.0 and 0.9.8 branches, are not.)
Why bother? I’m not a target for criminals.
Unless you’re a high-profile individual, you may not be targeted specifically. But attackers don’t actually work like that: they use tools which scan large chunks of the Internet looking for vulnerable servers, and many of those tools carry out the attack automatically as well, collecting whatever they can and leaving the operator to sift through the results later.
As with any online security issue, you might not be a target, but you may well be in the firing line anyway. And identity theft is a truly horrible experience.
In short, there’s no reason NOT to take steps to reduce the risk.
So what can I do?
It’s not game over just yet, but the basic principles of keeping yourself safe online have become a bit more critical. In this case, since passwords are the main risk, the priority is password management.
Here are five key tips you can use to keep yourself safe (well, less unsafe):
- Change your passwords now if you haven’t already. I really mean it. Yes, it’s a pain, but it’s also an opportunity to get better passwords in place. One caveat: changing a password on a site that hasn’t yet fixed the flaw doesn’t help, because the new password can be stolen the same way. If a site tells you it has patched, change it then; if it hasn’t said anything, change it now and again once it confirms the fix.
- Don’t reuse passwords. Small variations from site to site help less than you’d hope, because an attacker who gets one of your passwords will routinely try obvious variations of it elsewhere; genuinely different passwords are what thwart that. If you’re struggling to remember passwords, write them down on a note in your wallet. Security experts will be aghast that I’m suggesting this, but since most people protect their wallets much better than their passwords, the risk is much lower than if you used the same password everywhere.
- Use long passwords. Forget all that stuff about using complicated symbols – length is what matters. Choose phrases you’re likely to remember – favourite lines from a song, perhaps – and you’ll be a lot more secure. Anything shorter than 12 characters is probably too short.
- Consider using a password manager like LastPass or KeePass. These will generate secure passwords for you and save you from having to remember all of them. I personally use LastPass and don’t even know most of the passwords for sites I use. All I know is they’re very long, practically uncrackable, and never reused from site to site.
- Use two-factor authentication for any service which offers it. This is a massive improvement on just a password, and key services like a Gmail account (which can be used to compromise many others via email-driven password resets) should definitely have two-factor enabled. Go to the security settings in your Google account page to turn it on. If you do nothing else after reading this article, do this.