[Please see important UPDATE in a newer post, and repeated at the bottom of this post.] Most flaps about scary new Internet bugs are just typical scary Internet flaps. This latest one, the Heartbleed bug, I am taking seriously. Potentially it means that username/password combos for the sites everyone considered secure have in fact been hacked and stolen.
Update: Just this second, I see that Bruce Schneier has declared the bug "catastrophic." Consider yourself warned. Schneier adds: "On the scale of 1 to 10, this is an 11." He has no track record as an alarmist.
You can read more about how it happened, and why it matters, at this helpful master site and the dozens of useful tech links it includes. Here is also an overview from TechCrunch. (Update: and here is one of several useful test facilities to let you check the status of sites you're concerned about.)
Simplest way to understand the problem: one of the protocols that many sites use to protect their own security, SSL/TLS (the encryption behind "https"), is most often provided by an open-source implementation known as OpenSSL (Open Secure Sockets Layer). OpenSSL itself has had a previously unknown bug, now tracked as CVE-2014-0160, in place for the past two years, in its handling of the TLS "heartbeat" extension. A heartbeat request says, in effect, "echo these N bytes back to me," and vulnerable versions trusted the N the client claimed without checking that the client had actually sent that many bytes. The server therefore answered with up to 64 KB of whatever happened to sit in its memory next to the request: other users' names and passwords, session cookies, potentially even the server's private key. An attacker can repeat the request as often as they like, against any vulnerable site, without logging in. Because a heartbeat is a normal part of the protocol and the request leaves nothing in ordinary server logs, no one (except a potential attacker) yet knows how many names have been taken, or from where.
A patched OpenSSL version (1.0.1g) exists and is being deployed. Note that a site is not safe merely because a fix exists: it has to have upgraded OpenSSL, and since the private key may have leaked, it should also have replaced its certificate. Until then, what should you do? Here's a five-point checklist, followed by explanations.
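The mechanism described above, as an added example that is not part of the original post and not OpenSSL's own source: a C model of the heartbeat handler from OpenSSL's ssl/t1_lib.c, with the bounds check that 1.0.1g added switchable on and off so the two behaviours can be compared. The 256-byte "process memory", the neighbouring "user=alice&password=hunter2" string and the 4-byte "ping" payload are constructed sample data, chosen so the over-read stays inside one array and the program is well-defined.

```c
/* Model of the Heartbleed bug (CVE-2014-0160). Added example, not OpenSSL code.
 * A TLS heartbeat message (RFC 6520) is laid out as:
 *   [type: 1][payload_length: 2, big-endian][payload][padding: >= 16]
 * The bug: the handler trusted payload_length from the peer and copied that
 * many bytes back, never comparing it with the length actually received. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define MEM_SIZE     256   /* size of the simulated server memory (constructed) */

/* Simulated server memory: the received record sits at offset 0 and data
 * belonging to another connection sits a few bytes past the record's end. */
static unsigned char process_mem[MEM_SIZE];
static unsigned char response_buf[MEM_SIZE + HB_PADDING + 3];
/* Constructed sample of what a neighbouring request might leave in memory. */
static const char *const neighbour_secret = "user=alice&password=hunter2";

/* Write a heartbeat request whose header claims `claimed_len` payload bytes but
 * actually carries `actual_len`, then plant the neighbour's data just beyond
 * the record. Returns the true length of the record as received. */
static size_t build_record(const unsigned char *payload, size_t actual_len,
                           uint16_t claimed_len)
{
    memset(process_mem, 0, sizeof process_mem);
    process_mem[0] = HB_REQUEST;
    process_mem[1] = (unsigned char)(claimed_len >> 8);
    process_mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(process_mem + 3, payload, actual_len);
    size_t rec_len = 3 + actual_len + HB_PADDING;
    memcpy(process_mem + rec_len + 8, neighbour_secret, strlen(neighbour_secret));
    return rec_len;
}

/* Heartbeat handler as in OpenSSL 1.0.1 through 1.0.1f; `fixed` enables the
 * two length checks added in 1.0.1g. Returns bytes written to response_buf,
 * or 0 if the request was discarded. */
static size_t process_heartbeat(const unsigned char *rec, size_t rec_len, int fixed)
{
    const unsigned char *p = rec;

    if (fixed && rec_len < 1 + 2 + HB_PADDING)
        return 0;                               /* 1.0.1g: discard runt records */

    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);  /* n2s(): peer-controlled */
    p += 2;

    if (fixed && (size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return 0;                               /* 1.0.1g: claim exceeds record */

    if (hbtype != HB_REQUEST)
        return 0;

    size_t n = payload;
    /* Clamp only so this simulation never leaves process_mem; the real handler
     * had no such limit and would return up to 65535 bytes per request. */
    if (3 + n > MEM_SIZE)
        n = MEM_SIZE - 3;

    response_buf[0] = HB_RESPONSE;
    response_buf[1] = (unsigned char)(n >> 8);
    response_buf[2] = (unsigned char)(n & 0xff);
    memcpy(response_buf + 3, p, n);             /* the over-read: copies past the record */
    memset(response_buf + 3 + n, 0, HB_PADDING);
    return 3 + n + HB_PADDING;
}

/* Does the response carry the neighbour's data? */
static int contains_secret(const unsigned char *buf, size_t len)
{
    size_t slen = strlen(neighbour_secret);
    for (size_t i = 0; i + slen <= len; i++)
        if (memcmp(buf + i, neighbour_secret, slen) == 0)
            return 1;
    return 0;
}

/* One request claiming `claimed_len` bytes while carrying a 4-byte payload.
 * Returns -1 if discarded, 1 if answered and the neighbour's data leaked,
 * 0 if answered with only the bytes the client sent. */
static int heartbeat_outcome(int fixed, uint16_t claimed_len)
{
    static const unsigned char payload[4] = { 'p', 'i', 'n', 'g' };
    size_t rec_len = build_record(payload, sizeof payload, claimed_len);
    size_t n = process_heartbeat(process_mem, rec_len, fixed);
    if (n == 0)
        return -1;
    return contains_secret(response_buf, n) ? 1 : 0;
}

int main(void)
{
    printf("honest request,    vulnerable server: %d\n", heartbeat_outcome(0, 4));
    printf("honest request,    patched server   : %d\n", heartbeat_outcome(1, 4));
    printf("malicious request, vulnerable server: %d\n", heartbeat_outcome(0, 200));
    printf("malicious request, patched server   : %d\n", heartbeat_outcome(1, 200));
    return 0;
}
```

The whole fix is the two `rec_len` comparisons; everything else in the handler is unchanged. On a live server the over-read came from the heap, so what came back depended on what had recently been allocated and freed nearby: session cookies, passwords from recent form posts, and potentially the private key of the certificate itself, which is why re-keying is part of a proper clean-up.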
- Change the passwords for the handful of sites that really matter to you. I'll explain how you can do this in a total of ten minutes or less. This probably isn't necessary, but just in case...
- Do not ever use the same password at two sites that matter to you. Ever. Heartbleed or not, this lowers the security level of any site with that password to the level of the sleaziest and least-secure site where you've ever used it.
- Use a password manager, which can generate an unlimited set of unique, "difficult" passwords and remember them for you.
- Use "two-step" sign-in processes wherever they're available, starting with Gmail.
- Read what happened in our family three years ago, when one of our Gmail accounts was taken over by someone in Africa, if you would like a real-world demonstration of why you should take these warnings seriously. It's from an article called "Hacked."
That's the action plan. Now the details.
What I am personally doing about Heartbleed, and why.
- I am changing my password for a handful of "important" sites. My finance-related sites: bank accounts, credit cards, mortgage-payment, investment accounts. The email accounts I actually use, three of them in total and all Gmail-based. Plus all social-media accounts. Even though on most of these accounts I am dormant rather than active, I'd rather not have someone take over the account and cause problems in that way. (UPDATE: In response to questions, you would need to do this again once the OpenSSL patch has been distributed or the sites have in other ways confirmed their safety. Nonetheless it seems worth doing even now, even given the possibility that a site is still vulnerable and could have new info intercepted as you're changing it, because otherwise you're exposed to any info collected over the past two years.)
- I am abiding by the watchword of never using the same password on two accounts that matter. Whoever is in charge of security at, say, HottestCheerleadersPlusCheapMedicineFromThailand.com (not an actual site I have visited) might not know how to protect against hacks, or might even dishonestly sell its user info to hackers. They could then blindly try the combos elsewhere.
- I am making all this easy on myself by using a password manager. The one I have used and liked for several years is LastPass, which was also the top choice in this recent PC Mag review. You can read reviews of a wide range of alternatives here and here. The idea behind all of them is that they store a vast range of passwords you could not possibly remember yourself; they automatically fill them in for your sites; and they have a range of very tough security measures to protect this precious central vault. In well under 1 minute per site, I can have LastPass generate a new, "difficult," never-before-used password for important sites -- let's say u!YKhtAs7xQA, though that's not a real one -- and set my systems up to use that automatically.