When exploited, the Heartbleed bug enables a hacker to see sensitive data, like passwords and personal information, on the affected server. While many previously vulnerable websites such as Gmail, Dropbox and Facebook have since updated their services to protect from the Heartbleed bug, there is still a need for Internet users to protect themselves.
Whenever a major security news story breaks it’s important, of course, to separate the hype from the threat. At this point it’s near impossible for the Heartbleed bug to live up to the level of hype, but that doesn’t diminish the threat.
Now that system administrators have patched their servers, there are a few ways you can improve your security.
I’m sure you’ve received dozens of emails saying it’s a good idea to change your password, and it’s hard to say if changing all your passwords is overkill. With that said, no security professional would recommend against updating your passwords.
- Immediately change the password on any site that sends you an e-mail. Then as you log into other services, make a habit of changing your passwords there too.
- If you reuse the same password on many sites, stop. Update your password on every site you use that password on with a new, different password.
- It helps a lot to have a password manager to keep track of your passwords in this process. If you’re managing your personal passwords, I’d recommend using the excellent 1Password. If you’re updating shared or business passwords, I’d recommend TeamPassword, a startup I cofounded.
Both solutions have random password generators. There’s no reason not to use a unique, complex password when you let your computer remember it for you.
Time-Based / Multi-Factor Authentication
Where possible, opt in to using two-factor authentication.
The Heartbleed bug made it possible to see a user’s username and password. Two-factor authentication (TFA) requires the attacker to also have access to your phone to log into your account.
- TFA is a great idea on any service that has your payment information. If you remember the story of how Twitter handle @mat got hacked, or how Twitter handle @n was stolen, both could of been prevented with TFA enabled on seemingly harmless websites.
- The same applies here. TFA throws in an extra piece of information. Even if a server leaks your six-digit code, it expires in 60 seconds and is useless.
In the follow-up e-mails you’ve seen since Heartbleed, it’s likely that they’ve said that there is no sign data has been grabbed by hackers. While this is true, it’s possible to exploit this bug to collect people’s personal information without leaving a trace. As such, it’s difficult for researchers to quantify how big of a problem Heartbleed has been.
- On one hand, the attackers need a bit of luck — they’re taking a random segment of data out of the memory of an affected server. If that happened to contain your username and password, you were very unlucky.
- The problem is that this bug has existed for several years, so a hacker who knew how to exploit Heartbleed to steal information could have done so many times. Each phishing trip they’ve taken into server data increases the odds that they get something useful.
- The best course moving forward is constant vigilance. I would not recommend taking any service at their word that they were not compromised. I also wouldn’t jump to changing your bank account. This is where having a good understanding of what type of data you’re sending over Secure Sockets Layer (SSL) matters.
It can be hard to say what the best course of action is for you, so I’d like to offer to help. If you have any concerns or fears related to this security issue or others, please send me an e-mail and I’ll do everything I can to help get you back on track.