Two weeks ago computer security researchers notified the public of the Heartbleed Bug, a “serious vulnerability in the popular OpenSSL cryptographic software library” that is widely used around the web. Left unchecked, it left a lot of people’s data at at risk, where third-parties could potentially eavesdrop on sensitive data including passwords. In response, system administrators scrambled to address this issue as soon as possible (while shady characters tried to take advantage). Even worse: it took two years for the bug to be discovered.
Fortunately Twin State servers were never at risk, but a lot of popular web services like Pinterest, Yahoo Mail, and Dropbox were affected and quickly patched their systems. While there’s no evidence anyone was able to steal data from these services, many of them have recommend people change their passwords anyway, just to be on the safe side.
Why haven’t I heard much about it?
I had expected friends and clients would ask about the heartbleed Bug and what, if anything, they could to do protect themselves. But most people I talked to hadn’t heard of Heartbleed despite reports from media outlets in the Quad Cities. Unlike the recent security breaches at Target and Adobe, we don’t have any evidence that sensitive data was stolen en masse (so far, I’ve only heard reports about 900 Canadian tax IDs being lifted). Security vulnerabilities are found and patched every day, and most of them aren’t newsworthy. But the Heartbleed Bug posed such a substantial risk that I’m surprised it didn’t garner more attention from the media (who would be busy reporting on Windows XP’s End of Life a day later).
Should I change my passwords?
It’s not necessary to change all of your passwords, particularly on services that couldn’t be affected by the Heartbleed vulnerability. However, some services are forcing people to change their passwords as a precautionary measure, and many others are contacting clients to recommend they do so. At this point, all signs point to this being a way to mitigate risk–lacking any concrete evidence of data theft, I don’t blame anyone who chooses not to hassle with resetting all of their passwords. However, if it’s been a while since you’ve looked through your passwords, this is a pretty good excuse to take stock and adjust accordingly.
I hope this simply serves as another reminder that good password habits are important. Using strong, unique passwords for every service is much easier than it used to be with tools like 1Password ($50), LastPass (free / $12 premium yearly subscription), and KeePass (free, open source). If you’re interested, Ars Technica will help you get started.
Two-step authentication will also provide an additional layer of protection for the services that offer it (like Google, Dropbox, Facebook, and Twitter).
If When another security breach happens, I don’t want to be worried that a service I know and trust has just leaked a skeleton key to my online life.
For More Information
- The Heartbleed Hit List: The Passwords You Need to Change Right Now – Mashable is keeping a scannable list of web services, banks, government institutions, and others who have been affected and/or are suggesting people change their account passwords.
- 1Password Watchtower ; LastPass Heartbleed Checker – Run by popular password management systems, these services allow you to check any website to see if it is or was vulnerable, free of charge.
- Heartbleed.com – The official site from security researchers Codenomicon, who discovered the bug and created the logo above.
- Heartbleed Explanation – The XKCD web comic succinctly explains how Heartbleed works.
Tags: heartbleed, passwords, security