Protect against the Heartbleed bug: Brian Sierakowski of TeamPassword - Baltimore


Apr. 17, 2014 12:15 pm


Roughly two-thirds of the Web is encrypted by OpenSSL, a technology that the world learned this month suffers from one major security gap: the Heartbleed bug, which is capable of stealing passwords and personal data.
This is a guest post from Brian Sierakowski, a cofounder of password-management tool TeamPassword, which allows users to securely store long, complex passwords.
Full disclosure: Baltimore staff are TeamPassword users.

Roughly two-thirds of the Web is encrypted by OpenSSL, a technology that the world learned this month suffers from a major flaw nicknamed the Heartbleed bug.

When exploited, the Heartbleed bug enables a hacker to see sensitive data, like passwords and personal information, held in the memory of the affected server. While many previously vulnerable websites such as Gmail, Dropbox and Facebook have since updated their services to protect against the Heartbleed bug, there is still a need for Internet users to protect themselves.


Whenever a major security news story breaks it’s important, of course, to separate the hype from the threat. At this point it’s near impossible for the Heartbleed bug to live up to the level of hype, but that doesn’t diminish the threat.

Now that system administrators have patched their servers, there are a few ways you can improve your security.

Resetting Passwords

I’m sure you’ve received dozens of emails saying it’s a good idea to change your password, and it’s hard to say if changing all your passwords is overkill. With that said, no security professional would recommend against updating your passwords.


  • Immediately change the password on any site that sends you an e-mail. Then as you log into other services, make a habit of changing your passwords there too.
  • If you reuse the same password on many sites, stop. On every site where you used that password, replace it with a new, different password.
  • It helps a lot to have a password manager to keep track of your passwords in this process. If you’re managing your personal passwords, I’d recommend using the excellent 1Password. If you’re updating shared or business passwords, I’d recommend TeamPassword, a startup I cofounded.

Both solutions have random password generators. There’s no reason not to use a unique, complex password when you let your computer remember it for you.

Time-Based / Multi-Factor Authentication

Where possible, opt in to using two-factor authentication.

The Heartbleed bug made it possible to see a user’s username and password. Two-factor authentication (TFA) requires the attacker to also have access to your phone to log into your account.

  • TFA is a great idea on any service that has your payment information. If you remember the story of how Twitter handle @mat got hacked, or how Twitter handle @n was stolen, both could have been prevented with TFA enabled on seemingly harmless websites.
  • The same applies here. TFA throws in an extra piece of information. Even if a server leaks your six-digit code, it expires in 60 seconds and is then useless.
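As an added illustration of the time-based codes described above (this is not code from the post or from TeamPassword), here is an RFC 6238 TOTP implementation with a server-side check, showing that a code captured from a server at one moment stops verifying within the step-plus-tolerance window. The 30-second step, the one-step clock-drift tolerance and the use of the RFC 6238 test key as the secret are assumptions.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code: HMAC-SHA1 over the time-step counter, then RFC 4226 truncation."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side for clock drift."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, now + drift * step, step), code):
            return True
    return False


def leaked_code_lifetime(secret: bytes, issued_at: int, step: int = 30, window: int = 1) -> int:
    """Seconds after issue at which a code captured at `issued_at` is first rejected."""
    code = totp(secret, issued_at, step)
    elapsed = 0
    while verify(secret, code, issued_at + elapsed, step, window):
        elapsed += 1
    return elapsed


if __name__ == "__main__":
    # Constructed secret: the ASCII test key from RFC 6238 Appendix B, not a real credential.
    secret = b"12345678901234567890"
    for issued in (60, 89):
        print(f"code issued at t={issued}s stops verifying after {leaked_code_lifetime(secret, issued)}s")
```

A code captured at the start of a step survives the full 60 seconds (its own step plus one step of tolerance); one captured late in a step is rejected sooner.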

Data Compromised?

In the follow-up e-mails you’ve seen since Heartbleed, it’s likely that they’ve said there is no sign that data has been grabbed by hackers. While that may well be accurate, this bug can be exploited to collect people’s personal information without leaving a trace, so a lack of evidence is not proof that nothing was taken. As such, it’s difficult for researchers to quantify how big of a problem Heartbleed has been.

  • On one hand, the attackers need a bit of luck — they’re taking a random segment of data out of the memory of an affected server. If that happened to contain your username and password, you were very unlucky.
  • The problem is that this bug has existed for several years, so a hacker who knew how to exploit Heartbleed to steal information could have done so many times. Each fishing trip they’ve taken into server memory increases the odds that they get something useful.
  • The best course moving forward is constant vigilance. I would not recommend taking any service at their word that they were not compromised. I also wouldn’t jump to changing your bank account. This is where having a good understanding of what type of data you’re sending over Secure Sockets Layer (SSL) matters.

It can be hard to say what the best course of action is for you, so I’d like to offer to help. If you have any concerns or fears related to this security issue or others, please send me an e-mail and I’ll do everything I can to help get you back on track.
