Heartbleed was all over the news yesterday, as it was exposed to be one of the biggest security flaws affecting servers we’ve ever seen. What does that really mean for the average computer user? The Heartbleed bug (a flaw in the OpenSSL library, not a virus) won’t directly affect your personal computer, but it does affect the servers that run many of the websites you visit and log in to every day. In a nutshell, sites that run a vulnerable version of OpenSSL (many sites with https:// logins) have the potential to leak your login information, exposing it to attackers, and since many of us re-use our usernames and passwords on multiple sites, it’s a big deal. Use the following steps to take action and protect yourself against this bug:
1. Check which sites are impacted. Cnet has a listing of popular sites that have already been patched (http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/). Obviously, since that was published, many more sites could have already fixed the flaw, so you can check individual sites by typing them in here: http://filippo.io/Heartbleed/.
2. Change your password. For any website you have a login at, once their site has been fixed, you should change your password. If you change it before they patch the bug on their site, your new password will still be vulnerable until the website’s server is fixed. So for the best protection, you should change your password right now, and then change it again once the website is fixed; but for most of us, simply changing it once the site is fixed is good enough.
UPDATE: (Please see our newest blog post on how to set up two-factor security!)
How do you know which sites you have logins at? The big sites might be obvious, but don’t forget the little ones too. You can review your stored passwords by looking at the logins you have saved in your browser (Internet Explorer, Google Chrome, Mozilla Firefox).
As always, it’s good to pick a strong password, one that’s easy to remember but not easy for someone else to guess. You can google search for good random word generators to get you started (I like this one), but don’t use the result verbatim; change it up a bit. I’ve always been a fan of recommending addresses as passwords: they have numbers and memorable words, which are easy for you to remember but harder for a computer to hack. Nothing is unhackable: “123password” is memorable and “%$~ajsfsl198y78o” is not, but neither one is completely safe.
Lastly, it’s a good time to consider using a password storage program. Many people have found that, with the increase in passwords you need for work and home, password managers (specifically ones that sync with your smartphone) are helpful. Using a program like 1Password or Datavault is probably safe enough for personal use, provided you properly safeguard your smartphone in the event it is stolen.
Please pass this email on to friends and family!!