The 5 Things to Do About the New Heartbleed Bug

Should you take the latest security scare seriously? I do, and here are the steps I am taking.

[Please see important UPDATE in a newer post, and repeated at the bottom of this post.] Most flaps about scary new Internet bugs are just typical scary Internet flaps. This latest one, the Heartbleed bug, I am taking seriously. Potentially it means that username/password combos for the sites everyone considered secure have in fact been hacked and stolen.

Update: Just this second, I see that Bruce Schneier has declared the bug "catastrophic." Consider yourself warned. Schneier adds: "On the scale of 1 to 10, this is an 11." He has no track record as an alarmist.

You can read more about how it happened, and why it matters, at this helpful master site and the dozens of useful tech links it includes. Here is also an overview from TechCrunch. (Update: and here is one of several useful test facilities to let you check the status of sites you're concerned about.)

The simplest way to understand the problem: OpenSSL, a widely used implementation of SSL (Secure Sockets Layer) and its successor TLS, the protocols that many sites rely on to protect their own security, turns out to have a previously unknown bug. That bug, in place for the past two years, could in theory allow an attacker to harvest large amounts of name/password combos plus other information from sites believed to be perfectly safe. Because exploitation of the bug would have left no trace, no one (except a potential hacker) yet knows how many names have been taken, or from where.

A patched OpenSSL version exists and is being deployed. Until then, what should you do? Here's a five-point checklist, followed by explanations.

  1. Change the passwords for the handful of sites that really matter to you. I'll explain how you can do this in a total of ten minutes or less. This probably isn't necessary, but just in case...

  2. Do not ever use the same password at two sites that matter to you. Ever. Heartbleed or not, this lowers the security level of any site with that password to the level of the sleaziest and least-secure site where you've ever used it.

  3. Use a password manager, which can generate an unlimited set of unique, "difficult" passwords and remember them for you.

  4. Use "two-step" sign-in processes wherever they're available, starting with Gmail.

  5. Read what happened in our family three years ago, when one of our Gmail accounts was taken over by someone in Africa, if you would like a real-world demonstration of why you should take these warnings seriously. It's from an article called "Hacked."

That's the action plan. Now the details.


What I am personally doing about Heartbleed, and why.

- I am changing my password for a handful of "important" sites. My finance-related sites: bank accounts, credit cards, mortgage-payment, investment accounts. The email accounts I actually use, three of them in total and all Gmail-based. Plus all social-media accounts. Even though on most of these accounts I am dormant rather than active, I'd rather not have someone take over the account and cause problems in that way. (UPDATE: In response to questions, you would need to do this again once the OpenSSL patch has been distributed or the sites have in other ways confirmed their safety. Nonetheless it seems worth doing even now, even given the possibility that a site is still vulnerable and could have new info intercepted as you're changing it, because otherwise you're exposed to any info collected over the past two years.)

- I am abiding by the watchword of never using the same password on two accounts that matter. Whoever is in charge of security at, say, HottestCheerleadersPlusCheapMedicineFromThailand.com (not an actual site I have visited) might not know how to protect against hacks, or might even dishonestly sell its user info to hackers. They could then blindly try the combos elsewhere.

- I am making all this easy on myself by using a password manager. The one I have used and liked for several years is LastPass, which was also the top choice in this recent PC Mag review. You can read reviews of a wide range of alternatives here and here. The idea behind all of them is that they store a vast range of passwords you could not possibly remember yourself; they automatically fill them in for your sites; and they have a range of very tough security measures to protect this precious central vault. In well under a minute per site, I can have LastPass generate a new, "difficult," never-before-used password for important sites -- let's say u!YKhtAs7xQA, though that's not a real one -- and set my systems up to use that automatically.
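An added example, not from the post or from LastPass, that does for a small constructed sample vault what points 2 and 3 of the checklist ask for: it flags any password shared across sites (the weakest-site problem) and replaces each shared one with a freshly generated, unique "difficult" password from a cryptographically secure random source. The site names and passwords in `SAMPLE_VAULT` are made up for illustration.

```python
import secrets
import string
from collections import defaultdict

# Constructed sample vault: site -> password. None of these are real credentials.
SAMPLE_VAULT = {
    "bank.example": "Summer2012!",
    "mail.example": "Summer2012!",     # reused: same password as the bank
    "social.example": "Summer2012!",   # reused again
    "shop.example": "u!YKhtAs7xQA",    # unique (the post's illustrative value)
}

SYMBOLS = "!@#$%^&*()-_=+"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def find_reused_passwords(vault):
    """Return {password: [sites]} for every password used at more than one site.

    This is the check behind rule 2: a reused password makes every site that
    shares it only as safe as the least-secure one.
    """
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def generate_password(length=16):
    """Generate a random password from the OS CSPRNG (the `secrets` module),
    rejecting candidates that lack a lowercase letter, an uppercase letter,
    a digit or a symbol, which is what a manager's "difficult" setting does."""
    if length < 4:
        raise ValueError("length must be at least 4 to hold all character classes")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate) and any(c in SYMBOLS for c in candidate)):
            return candidate


def rotate_reused(vault, length=16):
    """Return a copy of the vault in which every site that shared a password
    gets its own fresh one; sites that were already unique are left alone."""
    shared_sites = {s for sites in find_reused_passwords(vault).values() for s in sites}
    new_vault = dict(vault)
    for site in shared_sites:
        new_vault[site] = generate_password(length)
    return new_vault
```

Running `rotate_reused(SAMPLE_VAULT)` leaves `shop.example` untouched and gives the three sites that shared "Summer2012!" three different 16-character passwords.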


James Fallows is a national correspondent for The Atlantic and has written for the magazine since the late 1970s. He has reported extensively from outside the United States and once worked as President Carter's chief speechwriter. His latest book is China Airborne. More
