Friday, 11 April 2014

Changing Passwords

You should have heard of Heartbleed by now, but in case you haven't: it's the recently discovered vulnerability in the way much of the Internet has been encrypted. It also happens to be the third ultra serious vulnerability to be found recently, following Apple's and Linux's.
Clearly, this succession of vulnerabilities serves to indicate we cannot fully trust the Internet with our stuff. A lot of what we put in there, no matter how secure it seems, should be considered to be in the public domain. Think about it the next time you are asked to place your biometric identification information on some online repository: you can change a password, but you can never change your fingerprints.
For now, the question is: what do we need to do in order to prevent this Heartbleed vulnerability from exposing our information? In this particular case, the main item at risk is our password: the password we used to, say, access our bank's website may now be in the hands of some criminals. And if not now, it may be in their hands later if the bank won't sort itself out. [Note I am ignoring the risk coming from governments putting their hands on our passwords; by now I take that for granted.]
It seems like there are three rules to be followed when it comes to acting upon Heartbleed:

  1. Some websites have already announced that they were unaffected by the vulnerability, or at least that the extent to which they were affected does not require end users like us to do anything. These include Google, Evernote and Dropbox, to name a few.
  2. Other websites have announced that they have patched themselves and now recommend that their users change their passwords. These include the likes of Facebook, Amazon and Yahoo. By all means, go forth and change your passwords for these websites. You don't want those credit card details of yours, held by Amazon, to do the rounds.
  3. The catch is with the rest of the websites, some of which will be left vulnerable for years to come. With those the suggested policy is to avoid accessing them altogether until they are patched.
    Often you will not know whether they have been affected in the first place, but you can definitely check whether they are currently vulnerable or not. This tool, to name but one example, lets you check on websites' current Heartbleed status. [If you want to go further than Heartbleed, use this tool instead; be careful, though, as it might scare the hell out of you to realise how insecure some of the websites we deem secure are.]
    Once you know the website is fine, go and change your password. Do not do so before they have been fixed, as you will only expose yourself further.

With these rules in mind, I have been basically running over my passwords and checking their respective companies to see whether they have made official announcements regarding their Heartbleed status (check here for some major Aussie updates). If I find such advice, I act according to rules 1 & 2; if I don't, I assume the worst and act as per rule 3.
Obviously, the result is a time-consuming headache. I will add, however, that using a password manager tool makes life much easier in this regard. I use 1Password, and although I cannot say I am 100% content with it not being open source, it is probably safe to say that by using the tool I am overall more secure than before through being able to easily manage the wealth of online passwords I maintain.

Image by Flippo, Creative Commons license
