Ask Deemable Tech: Heartbleed, Passwords And You

Apr 17, 2014

You may have heard in the news recently about a dangerous internet bug known as "Heartbleed" which could be putting your personal information at risk. Don't worry, Deemable Tech has everything you need to know to protect yourself.

What is Heartbleed?

Heartbleed is a “vulnerability," or a hole in the elaborate security systems in place around the web. Imagine if there was one company that made over half the locks on doors in the world. Now imagine that someone discovered that all those locks could be picked easily and without anyone noticing. That frightening situation is basically what has happened on the internet.

To put it simply, Heartbleed is a programming error that makes many secure websites less secure. When you visit a page that asks for private information, such as a password or a credit card number, that page almost always has a lock icon beside its web address. This means that the page uses SSL (the newer versions are called TLS), the technology that encrypts the connection between your browser and the website. OpenSSL is not a version of SSL but a piece of software that implements it, and it is built into the web servers behind a majority of all websites (estimates at the time put the figure near 60 percent). OpenSSL is where this bug was found.

On some versions of this software (OpenSSL 1.0.1 through 1.0.1f) a small but critical error in the "heartbeat" feature, a keep-alive message that asks the server to echo back a short piece of data, let an attacker lie about how long that piece of data is. The server trusted the claimed length and replied with up to 64 kilobytes of whatever happened to be in its memory next to the message: other users' passwords and session cookies, and even the server's private key, all unencrypted. The request leaves no trace in normal server logs, so the snooping cannot be detected after the fact. The bug, tracked as CVE-2014-0160, shipped in March 2012 and was fixed in OpenSSL 1.0.1g on April 7, 2014, so it had existed for about two years.
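The heartbeat mistake described above, as an added illustration in Python (this is not OpenSSL's own code, which is C). The server's memory is modelled as one byte buffer: the received heartbeat record sits at the start and a constructed session cookie and fake private-key fragment follow it, standing in for whatever a real server held next to the record. The two-line length check is the one added in OpenSSL 1.0.1g.

```python
"""Simulation of the Heartbleed over-read (CVE-2014-0160).

Added illustration, not OpenSSL's own code. The server's memory is modelled
as one byte string: the received TLS heartbeat record sits at the start, and
whatever happened to be next in memory (here a constructed session cookie
and a fake private-key fragment) follows it. Per RFC 6520 a heartbeat
message is: 1 byte type, 2 byte payload_length, the payload, then at least
16 bytes of padding. The vulnerable server copied payload_length bytes
without checking that that many bytes had actually arrived.
"""
import struct

HEARTBEAT_REQUEST = 1
MIN_PADDING = 16

# Constructed stand-in for the data that happened to follow the record
# buffer on a real server; in real leaks this was cookies, passwords and
# key material belonging to other users.
NEIGHBOURING_MEMORY = (
    b"Cookie: session=9f2c7d1e; user=alice\r\n"
    b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n"
)


def build_heartbeat(claimed_length: int, payload: bytes) -> bytes:
    """Encode a heartbeat request.

    An honest client sets claimed_length == len(payload). An attacker sends
    a short payload but claims a large length (up to 65535).
    """
    return (struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length)
            + payload + b"\x00" * MIN_PADDING)


def process_heartbeat(memory: bytes, record_length: int, patched: bool):
    """Model of the heartbeat handler's logic (tls1_process_heartbeat).

    memory:        the server's buffer, record first, other data after it.
    record_length: the true size of the record received (rrec.length).
    Returns the bytes the server would echo back, or None if discarded.
    """
    msg_type, claimed_length = struct.unpack("!BH", memory[:3])
    if msg_type != HEARTBEAT_REQUEST:
        return None
    if patched:
        # The 1.0.1g fix: header + claimed payload + minimum padding must
        # fit inside the record that actually arrived; otherwise discard
        # silently (RFC 6520 section 4). Also reject records too short to
        # be valid at all.
        if 1 + 2 + MIN_PADDING > record_length:
            return None
        if 1 + 2 + claimed_length + MIN_PADDING > record_length:
            return None
    # The bug: memcpy(bp, pl, payload) copied claimed_length bytes starting
    # at the payload, trusting the attacker-supplied length. Here the copy
    # runs past the record into NEIGHBOURING_MEMORY (a real server would
    # hand back up to 64 KB of heap).
    return bytes(memory[3:3 + claimed_length])


def heartbleed_demo(patched: bool) -> dict:
    """Run an honest and a malicious request against the handler."""
    honest = build_heartbeat(5, b"hello")
    evil = build_heartbeat(0xFFFF, b"hello")  # claims 65535 bytes, sends 5
    return {
        "honest": process_heartbeat(honest + NEIGHBOURING_MEMORY, len(honest), patched),
        "evil": process_heartbeat(evil + NEIGHBOURING_MEMORY, len(evil), patched),
    }


if __name__ == "__main__":
    for patched in (False, True):
        result = heartbleed_demo(patched)
        label = "patched" if patched else "vulnerable"
        print(f"[{label}] honest request echoed: {result['honest']!r}")
        print(f"[{label}] malicious request got:  {result['evil']!r}")
```

Run it and the vulnerable handler answers the malicious request with "hello" followed by the cookie and the key fragment; the patched handler answers the honest request normally and drops the malicious one without a reply, which is exactly why the fixed server is indistinguishable from the outside except by sending such a request.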

While some internet security threats are overblown, this one is real. World-renowned internet security expert and author Bruce Schneier recently stated that "on a scale of 1 to 10, this is an 11.”

What Can I Do About It?

The bad news is that there is not a lot that ordinary users can do about this. It is up to the companies that run the vulnerable websites to fix it. Patches are available, and IT administrators world-wide should be scrambling to implement them. Fixing a site means more than installing the patch: because the server's private key may have been read out of memory, the site should also replace its SSL certificate with one based on a new key and log everyone out so that stolen session cookies stop working.
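For an administrator, the first question is which OpenSSL build a server runs. The following added example (not from the article) decides from the output of the `openssl version` command whether an upstream release is in the affected range; the release boundaries are the ones published with the fix, and the caveat about distribution packages is in the docstring.

```python
"""Decide whether an `openssl version` string names a Heartbleed-affected
release. Added example, not part of the original article.

Upstream OpenSSL releases affected by CVE-2014-0160: 1.0.1 through 1.0.1f,
plus 1.0.2-beta1. Fixed in 1.0.1g and 1.0.2-beta2; the 1.0.0 and 0.9.8
branches never had the heartbeat code. Caveat: Linux distributions backport
fixes without changing the version number (a patched Debian build still
reports 1.0.1e), so True here means "confirm with the package changelog or
a live heartbeat test", while False is reliable.
"""
import re
import subprocess

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(text: str):
    """Return (major, minor, fix, letter, beta) from `openssl version` output,
    or None if the text does not look like an OpenSSL version line."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, (int(beta) if beta else None)


def is_heartbleed_affected(text: str) -> bool:
    """True if the version string names a release known to contain the bug."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    major, minor, fix, letter, beta = parsed
    if (major, minor) != (1, 0):
        return False          # 0.9.8 and 1.1+ never shipped the bug
    if fix == 1:
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g fixed it.
        return letter <= "f"
    if fix == 2:
        return beta == 1      # 1.0.2-beta1 affected, beta2 fixed
    return False              # 1.0.0x had no heartbeat support


def check_local_openssl() -> bool:
    """Run the local `openssl version` and classify it (needs openssl on PATH)."""
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=True).stdout
    return is_heartbleed_affected(out)


if __name__ == "__main__":
    print("local OpenSSL affected:", check_local_openssl())
```

The version check is a screening step only; the checker page linked below is the authoritative test because it sends a real malformed heartbeat and sees whether the server answers it.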

For the moment, the best thing you can do is to avoid vulnerable websites that have not yet been fixed. How do you know if a site is still vulnerable? You can check it by entering the address of the site at this page: http://filippo.io/Heartbleed/ (The checker sends the site a malformed heartbeat and reports whether it answers; it cannot tell you whether the site has also replaced its certificate.)

Major websites that are known to be SAFE and were UNAFFECTED include:

  • Twitter
  • Amazon
  • Microsoft (and sub-sites)
  • AOL
  • Paypal
  • Most banking websites

Major websites that are SAFE but had been PREVIOUSLY AFFECTED include:

  • Google
  • Gmail
  • YouTube
  • Facebook
  • Yahoo!
  • Instagram
  • Pinterest
  • OKCupid
  • GoDaddy

Mashable has a long list of sites that were affected with up-to-date information about their security status.

Should I Change My Passwords?

Yes, but only once the website you are changing your password on has been fixed. If you change your password on a site that is still vulnerable, the attacker can simply read your new password out of the server's memory too. At this point, however, it should be safe to change your password virtually everywhere.

Your best bet to protect yourself is to use separate passwords for every website.

We have long preached the virtues of password managers. These are programs that can generate truly random passwords and remember which password goes with which website for you. It used to be just a good idea to use a password manager, but now you need to seriously consider using one.

The password managers we recommend are LastPass, Dashlane and KeePass. LastPass and Dashlane keep an encrypted copy of your password vault on their servers, unlocked only by your master password, so you can access it from all your computers and mobile devices. KeePass stores the encrypted vault as a file on your own hard drive. Use whichever feels more comfortable to you, but please use one!

If you are dead set against password managers, you should still try to use different passwords for different sites. Your Amazon password should be different from your email password, which should be different from your bank password. To help you remember these passwords, consider writing them down and storing them somewhere safe at home - like, maybe in a safe!
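What "truly random" means in practice, as an added example in Python that is not from the article or from any of the password managers named above. A password manager's generator draws from the operating system's cryptographic random source, which is what Python's `secrets` module does; the `random` module, by contrast, is a deterministic generator whose output can be reproduced by anyone who learns its seed. The entropy figure is the standard log2 estimate of how many guesses a brute-force attacker needs.

```python
"""Random versus predictable password generation. Added example, not the
article's own and not the code of any password manager it names."""
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Independent, unpredictable draws from the OS cryptographic RNG."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def predictable_password(seed: int, length: int = 20, alphabet: str = ALPHABET) -> str:
    """The wrong way: a seeded Mersenne Twister gives the same password
    to everyone who uses the same seed, so it is guessable, not random."""
    rng = random.Random(seed)
    return "".join(rng.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of possible passwords, i.e. the guessing work
    an attacker faces when every character is chosen uniformly."""
    return length * math.log2(alphabet_size)


def build_vault(sites, length: int = 20) -> dict:
    """One fresh password per site, so a leak at one site stays there."""
    return {site: generate_password(length) for site in sites}


if __name__ == "__main__":
    print("predictable:", predictable_password(42), predictable_password(42))
    print("random:     ", generate_password(), generate_password())
    print(f"20 chars from {len(ALPHABET)} symbols: {entropy_bits(20, len(ALPHABET)):.1f} bits")
    print(f"8 lowercase letters:        {entropy_bits(8, 26):.1f} bits")
    for site, pw in build_vault(["amazon", "email", "bank"]).items():
        print(f"{site:>8}: {pw}")
```

A 20-character password from 94 symbols has about 131 bits of entropy, against roughly 38 bits for 8 lowercase letters; that gap, not cleverness in choosing the characters, is what makes a manager-generated password hard to guess.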

What Else Can I Do?

Become better educated about internet security! With so much of our lives now stored online, this is a topic that affects virtually everyone. Knowing good password practices, like how to make a hard-to-guess password and that you should have separate passwords for separate websites, is critical.

Check websites that you regularly visit for the Heartbleed vulnerability using the link above. If you find that one still has the problem, you could try emailing its IT administrators to inform them and find out what steps are being taken. In the meantime, stay off that website. Once the hole is plugged, log in and change your password.

Keep an eye on bank statements and credit card information for unusual activity. Heartbleed was discovered by security researchers at Google and Codenomicon, not by catching an attacker in the act. We have no proof that hackers have been using it, and because exploiting it leaves no trace in ordinary server logs there may never be proof either way, but the possibility exists. That means you need to take precautions to protect yourself in the digital world.

For more great tech advice, download the Deemable Tech app (for iPhone and Android), and listen to Deemable Tech's full length podcast at Deemable.com. You can also follow them on Twitter @Deemable.