If you haven’t heard about Heartbleed, here’s what you need to know. Heartbleed is a bug that affects the security of most of the websites we use on a daily basis: your email, banks, credit card companies, dating sites, online shops like Amazon – pretty much everything. Here’s a description of the bug from Gigaom:
What is Heartbleed?
It’s a bug in some versions of the OpenSSL software that handles security for a lot of large websites. In a nutshell, a weakness in one feature of the software — the so-called “heartbeat” extension, which allows services to keep a secure connection open over an extended period of time — allows hackers to read and capture data that is stored in the memory of the system.
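The quoted description says the heartbeat feature let an attacker read data sitting in the server's memory. The C model below, added here and not taken from the original post, from Gigaom, or from OpenSSL, shows in miniature what that means: a handler that trusts the payload length claimed in the request sits beside one that checks it against the record actually received. The memory layout, the "hello" payload and the SECRET-COOKIE string are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed slice of "server memory": the heartbeat record sits at the start,
 * unrelated sensitive data right after it.  Everything here is made up for the
 * demonstration; it is not a real TLS record or real OpenSSL code. */
#define MEM_SIZE 64
static uint8_t g_memory[MEM_SIZE];
static const char k_payload[] = "hello";          /* 5 bytes the client really sent */
static const char k_secret[]  = "SECRET-COOKIE";  /* constructed data the peer must never see */
#define PAYLOAD_LEN 5

enum { HB_REQUEST = 1, HB_RESPONSE = 2 };

/* Heartbeat request layout (RFC 6520): type(1) | payload_length(2) | payload.
 * claimed_len is what the header *says* the payload length is; the real payload
 * is always the 5-byte "hello".  Returns the length of the record actually received. */
static size_t build_request(uint16_t claimed_len) {
    memset(g_memory, 0, sizeof g_memory);
    g_memory[0] = HB_REQUEST;
    g_memory[1] = (uint8_t)(claimed_len >> 8);
    g_memory[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(&g_memory[3], k_payload, PAYLOAD_LEN);
    size_t record_len = 3 + PAYLOAD_LEN;
    memcpy(&g_memory[record_len], k_secret, sizeof k_secret);  /* adjacent memory */
    return record_len;
}

static uint16_t claimed_payload_len(void) {
    return (uint16_t)((g_memory[1] << 8) | g_memory[2]);
}

/* Vulnerable handler: trusts the length field and copies that many bytes into
 * the response, so a claimed length larger than the record echoes whatever
 * follows it in memory.  The MEM_SIZE guard only keeps this model well-defined
 * C; a real process has no such fence. */
static size_t handle_vulnerable(size_t record_len, uint8_t *out, size_t out_cap) {
    (void)record_len;                       /* never consulted: that is the bug */
    size_t n = claimed_payload_len();
    if (3 + n > out_cap || 3 + n > MEM_SIZE) return 0;
    out[0] = HB_RESPONSE;
    out[1] = g_memory[1];
    out[2] = g_memory[2];
    memcpy(&out[3], &g_memory[3], n);       /* over-read when n > PAYLOAD_LEN */
    return 3 + n;
}

/* Fixed handler: the claimed payload must fit inside the record that was
 * actually received; otherwise the request is silently discarded. */
static size_t handle_fixed(size_t record_len, uint8_t *out, size_t out_cap) {
    if (record_len < 3) return 0;
    size_t n = claimed_payload_len();
    if (3 + n > record_len) return 0;       /* the bounds check Heartbleed lacked */
    if (3 + n > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = g_memory[1];
    out[2] = g_memory[2];
    memcpy(&out[3], &g_memory[3], n);
    return 3 + n;
}

/* Does the response contain the constructed secret anywhere? */
static int contains_secret(const uint8_t *buf, size_t len) {
    size_t slen = strlen(k_secret);
    for (size_t i = 0; i + slen <= len; i++)
        if (memcmp(buf + i, k_secret, slen) == 0) return 1;
    return 0;
}

/* Convenience wrappers: response length from each handler for a given claimed
 * length, and whether the vulnerable handler's response leaks the secret. */
static size_t fixed_response_len(uint16_t claimed_len) {
    uint8_t out[MEM_SIZE + 3];
    return handle_fixed(build_request(claimed_len), out, sizeof out);
}
static size_t vuln_response_len(uint16_t claimed_len) {
    uint8_t out[MEM_SIZE + 3];
    return handle_vulnerable(build_request(claimed_len), out, sizeof out);
}
static int vuln_leaks_secret(uint16_t claimed_len) {
    uint8_t out[MEM_SIZE + 3];
    size_t n = handle_vulnerable(build_request(claimed_len), out, sizeof out);
    return contains_secret(out, n);
}

int main(void) {
    printf("honest request (len 5): fixed=%zu vulnerable=%zu leak=%d\n",
           fixed_response_len(5), vuln_response_len(5), vuln_leaks_secret(5));
    printf("claimed length 40:      fixed=%zu vulnerable=%zu leak=%d\n",
           fixed_response_len(40), vuln_response_len(40), vuln_leaks_secret(40));
    return 0;
}
```

With an honest request both handlers answer with the 5 bytes that were sent. When the header claims 40 bytes, the fixed handler drops the request, while the vulnerable one answers with 40 bytes that include the constructed secret lying next to the record. The whole fix is the single comparison of the claimed length against the record length.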
Here’s some more information:
- Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet (TechCrunch)
- Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style (Ars Technica)
Does it impact me? Yes.
What do I need to do about it? You need to change all of your passwords. Yes, all of them. The Atlantic has a good article about what you should be doing entitled The 5 Things To Do About the New Heartbleed Bug. Here are their five things:
A patched OpenSSL version exists and is being deployed. Until then, what should you do? Here's a five-point checklist.
- Change the passwords for the handful of sites that really matter to you.
- Do not ever use the same password at two sites that matter to you. Ever. Heartbleed or not, this lowers the security level of any site with that password to the level of the sleaziest and least-secure site where you've ever used it.
- Use a password manager, which can generate an unlimited set of unique, "difficult" passwords and remember them for you.
- Use "two-step" sign-in processes wherever they're available, starting with Gmail.
- Read what happened in [the author’s family] three years ago, when one of our Gmail accounts was taken over by someone in Africa, if you would like a real-world demonstration of why you should take these warnings seriously. It's from an article called "Hacked."
We recommend first changing the passwords for any sites that hold important financial and/or personal information about you (for example: your email address, Facebook, banks, credit card companies, loans and so on). Then change the passwords for all of your secondary sites (such as secondary email addresses, social media accounts and so on).
You can use a password management program, like LastPass (web/mobile) or KeePass (downloadable program), but there are others out there as well. What these programs do is generate hard-to-crack passwords and keep track of them so you don’t have to. All you need to remember is the password to the program.
As a reminder, you should never use the same password for different accounts, and your passwords should be hard to guess. Don’t use your (or your family’s) birth date, and don’t use your name or your children’s or relatives’ names. That’s why it’s helpful to use a password manager.
Read through the articles linked above and start changing your passwords.
To check whether a site is vulnerable, visit one of the links provided by The Atlantic: How to Check if a Site Is Safe From 'Heartbleed'