News of the Heartbleed bug has made more headlines than Miley Cyrus this week, which in itself is a good thing, but that's not the silver lining I'm referring to. If you haven't heard about it, Heartbleed is a security vulnerability that exists in OpenSSL versions 1.0.1 through 1.0. Basically, a coding mistake made back in 2012 led to a vulnerability where an attacker could access unencrypted data from the memory of the remote computers that store the information. While we haven't seen any data breaches that we can point to Heartbleed as the cause of, there isn't any way of knowing whether your information has already been breached.


OpenSSL 1.0.1g has been released to address the vulnerability, which has left many IT admins scrambling to generate new encryption keys. But what does that mean for the hundreds of millions of Internet users (yes, including you and me) who up until now thought our information was secure? Well, we should just play it safe and assume everything has been breached. What it boils down to is that we all need to change our passwords, on every website, and believe it or not, that's where the silver lining exists.

Before you start... 

We need to give all of these retailers, banks, social media sites and other website owners time to update their keys. Otherwise, any new passwords we generate could still be vulnerable. So instead of spending the rest of your day coming up with new and unique passphrases, let's take the time to come up with a game plan together and do this the right way this time. 

Ground Rules:

We all know that we should have strong passphrases that are unique for every site we use, but it's a pain to do this if you already have 100 accounts across the Internet. But hey, since you have to change your password on all of them anyway, let's agree to do the following:

  • Use a long passphrase, consisting of upper and lower-case letters, numbers and symbols - no, 30 characters isn't too long.
  • Use a unique passphrase for every website - yes, every website.
  • Enable Multi-Factor authentication when available - don't whine, it's a pain to set up but it's easy in the long run.
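
As an added example (not part of the original post), the Python below generates a passphrase that meets the ground rules above and audits a list of accounts against all three of them. The account records, site names and field names are constructed for illustration, and the symbol set assumes the site accepts every ASCII punctuation character.

```python
import secrets
import string
from collections import Counter

MIN_LENGTH = 30  # the post's "30 characters isn't too long"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def has_all_classes(pw):
    """True when pw contains lower, upper, digit and symbol characters."""
    return all(any(ch in cls for ch in pw) for cls in CLASSES)

def generate_passphrase(length=MIN_LENGTH):
    """Draw from the OS CSPRNG until every character class is present."""
    alphabet = "".join(CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate):
            return candidate

def audit(accounts):
    """Return {site: [problems]} for entries that break a ground rule."""
    reuse = Counter(a["password"] for a in accounts)
    findings = {}
    for a in accounts:
        pw, problems = a["password"], []
        if len(pw) < MIN_LENGTH:
            problems.append("too short")
        if not has_all_classes(pw):
            problems.append("missing character class")
        if reuse[pw] > 1:
            problems.append("reused")
        if a["mfa_available"] and not a["mfa_enabled"]:
            problems.append("mfa off")
        if problems:
            findings[a["site"]] = problems
    return findings

# Constructed sample vault: hypothetical sites, passwords and field names.
SAMPLE = [
    {"site": "bank.example", "password": "Summer2014!", "mfa_available": True, "mfa_enabled": False},
    {"site": "mail.example", "password": "Summer2014!", "mfa_available": True, "mfa_enabled": True},
    {"site": "shop.example", "password": generate_passphrase(), "mfa_available": False, "mfa_enabled": False},
]

if __name__ == "__main__":
    for site, problems in audit(SAMPLE).items():
        print(site, "->", ", ".join(problems))
```

A short password can contain all four character classes and still fail the audit on length and reuse, which is why the rules are checked separately.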

Tools:
I can already hear everyone complaining, "I'll never remember all of the passwords," and "Golly, being secure is so gosh darn hard!" I know. Luckily, there are tools out there that will make your life a little easier. Personally, I'm a big fan of LastPass; I use it both at work and at home. It allows me to securely store all of my passwords, and I can access them from my computers, from my phone, and from anywhere else on the Internet. There are many password managers out there as well, including 1Password, Norton Identity Safe, RoboForm and many others. If you happen to have a fingerprint reader on your computer that you never seem to use, now is a great time to kick the tires on that bad boy. Some password managers, including LastPass, can use your fingerprint reader in place of your master password - swipe once and you're in!

The great thing about a password manager is that you only need to remember one really strong password like "Gosh1r3@llyHat3P@sswORdzYo!" (No, that's not my password) and the tools will fill in the other individual site passwords for you - so you don't even have to remember any of the others! It may seem a little weird at first, but I promise, you'll learn to love it.

This Weekend's To Do List:

  1. Download a Password Manager and learn to use it.
  2. Use said password manager to reset all your passwords, starting with the sensitive sites first like your online banking, tax preparer, email, and other sites that store sensitive information.
  3. Enable Multi-Factor Authentication whenever available.

Want to know if your account may have been compromised? Many companies are still investigating the impact of this bug, but check out this cool "Heartbleed Hit List" over on Mashable.

Does the idea of resetting your passwords cause you heartburn? Are you willing to invest some time this weekend improving your personal security? I'd love to hear your thoughts in the comments below!

 

 


Bryan Cole
