4/15/2014

It's time you start using a password manager

The Heartbleed internet vulnerability has left two-thirds of the internet vulnerable. The bug allows attackers to steal user names and passwords. Even popular sites like Google and Yahoo! were affected, though they've since patched the vulnerability.

While you can't stop hackers from attacking websites, you can take steps to protect your information. The first line of defense is to create secure and unique passwords for every site and service you use. The problem is, how are you supposed to remember all of these passwords? The answer is with password managers.

What's a password manager?

[Image: 1Password for Mac]
Password managers are programs that generate, store, and encrypt all your passwords. You'll just need to remember one, strong master password to get into your password database.
By creating unique, randomized passwords made up of letters, numbers, and symbols, you keep a single stolen password from compromising all of your accounts. Otherwise, if your Facebook account gets hacked, the hacker can easily get into every other account that uses the same password.
[Image: LastPass secure password example]
Weak passwords with just letters and numbers are vulnerable to brute-force attacks. Short passwords make these types of attacks even easier.
Apps like 1Password and LastPass are great options and act as much more than just password managers. They can store sensitive documents, credit card information, and even your software licenses.

But what if someone steals my master password?

This is highly unlikely and password managers make it difficult for attackers to crack your master password. We spoke with Jeffrey Goldberg, Defender Against the Dark Arts (that's really his title) at 1Password about how the app protects master passwords. "Your 1Password data is encrypted with keys derived from your Master Password. Nobody has any access to those keys or your Master Password. If someone captures your 1Password data, they cannot decrypt it without your Master Password."
[Image: LastPass for Chrome]
This is the same case with LastPass. Although LastPass syncs your password database with its servers, it doesn't send or store any encryption keys. All encryption keys are derived from your master password and stored locally on your computer or device.
"We use SSL only as a second level of protection. Our core protection is from storing keys locally," says LastPass CEO Joe Siegrist.

Do I really need to change all my passwords?

First check which sites you use that were affected by Heartbleed and make sure they've been patched. Mashable has a great list of popular sites and their reactions to Heartbleed. Make sure a site has fixed the Heartbleed bug before you change your password, otherwise you risk having your new password exposed as well. Although there have been reports that Heartbleed may be exaggerated, there's no harm in being just a bit paranoid.
Cloudflare, a content delivery network, proposed a challenge for people to steal private keys using a site with the Heartbleed bug. Within hours, several people were successful in exploiting the bug to steal private encryption keys, meaning the threat is very real.
"[Heartbleed] is not an exaggeration," says Siegrist. "Cloudflare has proven that it is exploitable. It's quite possible that usernames and passwords were taken."
[Image: LastPass Heartbleed checker]
Changing passwords with a password manager is easy; the apps will remember the new passwords and store them for you. LastPass makes it even easier by alerting users which sites and accounts were vulnerable to the Heartbleed bug. They have a public website where you can type in URLs to check if they were affected. Mashable has compiled a great list of company responses to Heartbleed.
While there are no tools yet that change your passwords for you automatically, both 1Password and LastPass are working on this feature.
"You still have to find the password change form yourself and then let 1Password assist you with creating and saving a new strong login. Improving this process is something that we are always doing," says Goldberg.
Still, a little bit of work now can prevent a big headache in the future.

What else can I do to protect myself?

Password managers are the first step you should take to protect your accounts. Be vigilant about security news and pay attention to the websites you visit.
Phishing attacks, sites made to trick users into thinking they're another site, are a popular way to steal user data. Never click on suspicious links sent to you via email or over chat.
Password managers can help in this regard as well by taking users directly to the correct site. Sometimes the smallest typo in a web address can take you to a phishing site and you may not notice.
[Image: Chrome browser lock]
"People should try to take SSL/TLS warnings in their browsers more seriously," says Goldberg. The lock in the URL bar of a modern browser shows that the connection is encrypted and that the site's certificate checks out for the address you are visiting. Most browsers will warn you if you're visiting a dangerous site, but awareness never hurts.
You should also enable two-factor authentication on sites and services that support it. Two-factor authentication requires two forms of identification: a password and a one-time code. Once you enter your password, you'll be required to provide that code, which can be sent to you via SMS or generated by an authenticator app like Google Authenticator. Each code only works for a small window of time before it expires.
[Image: Dropbox two-factor authentication]
Facebook, Google, Twitter, Evernote, and many other companies provide this extra layer of security. It may be a bit more work to get into your account but it's worth it to keep your accounts secure.
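To show what the "random code" from an authenticator app actually is and why it expires after a short window, here is an added example (not code from the article or from any of the apps it mentions) implementing the time-based one-time password scheme those apps use (RFC 6238 TOTP on top of RFC 4226 HOTP) with only the Python standard library. The shared secret is the RFC's own published test key, a constructed value and nobody's real credential.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # the "small window" after which a code expires
DIGITS = 6         # Google Authenticator shows 6 digits


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of elapsed time steps.
    Phone and server derive the same counter from their clocks, so no code is
    ever transmitted in advance and each one is only good for one step."""
    return hotp(secret, int(at_time // step))


def verify_totp(secret: bytes, code: str, at_time: float, drift_steps: int = 1) -> bool:
    """Server-side check: accept the current step plus/minus `drift_steps` to
    absorb clock skew. A code from any older step has expired and is rejected."""
    current = int(at_time // STEP_SECONDS)
    for counter in range(current - drift_steps, current + drift_steps + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            return True
    return False


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps are provisioned with a Base32 string (usually via QR code)."""
    return base64.b32decode(text.upper().replace(" ", ""))


if __name__ == "__main__":
    # Constructed demo secret: the RFC 4226/6238 test-vector key, not a real account key.
    secret = b"12345678901234567890"
    now = time.time()
    code = totp(secret, now)
    print("code now:          ", code)
    print("valid now:         ", verify_totp(secret, code, now))
    print("valid 2 min later: ", verify_totp(secret, code, now + 120))  # expired
```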
Finally, make sure to keep all your computers, phones, and tablets updated. Security flaws are often patched in system and software updates.
Apps like Avast! alert users about outdated software. Softonic for Windows also helps users keep their apps up to date.
For more information about Heartbleed and how you can protect yourself, check out our coverage below.