The Heartbleed internet vulnerability has left two-thirds of the internet vulnerable. The bug allows attackers to steal user names and passwords. Even popular sites like Google and Yahoo! were affected, though they've since patched the vulnerability.
While you can't stop hackers from attacking websites, you can take steps to protect your information. The first line of defense is to create secure and unique passwords for every site and service you use. The problem is, how are you supposed to remember all of these passwords? The answer is with password managers.
What's a password manager?
Password managers are programs that generate, store, and encrypt all your passwords. You'll just need to remember one, strong
master password to get into your password database.
By creating unique and randomized passwords with letters, numbers,
and symbols, you'll prevent compromising all of your accounts if your
password is stolen. If your Facebook account gets hacked, the hacker can
easily access your other accounts that use the same password.
Weak passwords with just letters and numbers are vulnerable to
brute-force attacks. Short passwords make these types of attacks even
easier.
Apps like 1Password and LastPass
are great options and act as much more than just password managers.
They can store sensitive documents, credit card information, and even
your software licenses.
But what if someone steals my master password?
This is highly unlikely and password managers make it difficult for
attackers to crack your master password. We spoke with Jeffrey Goldberg,
Defender Against the Dark Arts (that's really his title) at 1Password
about how the app protects master passwords. "Your 1Password data is
encrypted with keys derived from your Master Password. Nobody has any
access to those keys or your Master Password. If someone captures your
1Password data, they cannot decrypt it without your Master Password."
This is the same case with LastPass. Although LastPass syncs your
password database with its servers, it doesn't send or store any
encryption keys. All encryption keys are derived from your master
password and stored locally on your computer or device.
"We use SSL only as a second level of protection. Our core protection
is from storing keys locally," says LastPass CEO Joe Siegrist.
Do I really need to change all my passwords?
First check which sites you use that were affected by Heartbleed and make sure they've been patched. Mashable has a great list of popular sites and their reactions to Heartbleed. Make sure a site has
fixed the Heartbleed bug
before you change your password, otherwise you risk having your new
password exposed as well. Although there have been reports that
Heartbleed may be exaggerated, there's no harm in being just a bit
paranoid.
Cloudflare, a content delivery network, proposed a challenge
for people to steal private keys using a site with the Heartbleed bug.
Within hours, several people were successful in exploiting the bug to
steal private encryption keys, meaning the threat is very real.
"[Heartbleed] is not an exaggeration," says Siegrist. "Cloudflare has
proven that it is exploitable. "It's quite possible that usernames and
passwords were taken."
Changing passwords with a password manager is easy; the apps will
remember the new passwords and store them for you. LastPass makes it
even easier by alerting users which sites and accounts were vulnerable to the Heartbleed bug. They have a public website
where you can type in URLs to check if they were affected. Mashable has
compiled a great list of company responses to Heartbleed.
While there are no automation tools, both 1Password and Lastpass are working on this feature.
"You still have to find the password change form yourself and then
let 1Password assist you with creating and saving a new strong login.
Improving this process is something that were are always doing," says
Goldberg.
Still, a little bit of work now can prevent a big headache in the future.
What else can I do to protect myself?
Password managers are the first step you should take to protect your accounts. Be vigilant about security news and
pay attention to the websites you visit.
Phishing attacks, sites made to trick users into thinking they're
another site, are a popular way to steal user data. Never click on
suspicious links sent to you via email or over chat.
Password managers can help is this regard as well by taking users
directly to the correct site. Sometimes the smallest typo in a web
address can take you to a phishing site and you may not notice.
"People should try to take SSL/TLS warnings in their browsers more
seriously," says Goldberg. The lock in the URL bar in modern browsers
will show which sites are legitimate and are using encryption. Most
browsers will warn you if you're visiting a dangerous site but awareness
never hurts.
You should also enable two-factor authentication
on sites and services that support it. Two-factor authentication
basically requires two forms of identification: a password and a
randomly generated code.
Once you enter your password, you'll be required to provide a random
code, which can be sent to you via SMS or via an authenticator app like Google Authenticator. The codes will only work for a small window of time before they expire.
Facebook, Google, Twitter, Evernote, and many other companies provide
this extra layer of security. It may be a bit more work to get into
your account but it's worth it to keep your accounts secure.
Finally, make sure to keep all your computers, phones, and tablets updated.
Security flaws are often patched in system and software updates.
Apps like Avast! alert users about outdated software. Softonic for Windows also helps users keep their apps up to date.
For more information about Heartbleed and how you can protect yourself, check out our coverage below.
