Heartbleed, the major flaw that left passwords and other user information vulnerable to hackers this week, wasn’t the first security flaw to affect the Internet. And it won’t be the last. Security failures, hacks, leaks, and vulnerability discoveries are inevitable. As is the typical reaction: When news of a hack surfaces, we worry, and then some of us spring to action, generally changing passwords on affected accounts — especially if the affected sites force us to.
But you should change your passwords regularly, even if you aren’t facing down a flaw like Heartbleed. What we need is a National Change Your Passwords Day so you don’t forget. Here’s why.
Known unknowns and unknown unknowns
One thing Heartbleed has shown us is that there are hacks and attacks, which sometimes we hear about and react to, and then there are the more worrisome discoveries of security flaws, which are worse.
Heartbleed was a discovery, not an attack. A team of security engineers discovered a flaw in a version of common software, OpenSSL, that many major sites (and many more minor ones) use to protect and encrypt users’ data. This flaw had existed for over two years; it was only now discovered.
The discovery of this flaw doesn’t necessarily mean that bad guys have been exploiting it, and it doesn’t point to any specific attacks. Rather, it means that if anyone else (like, say, the NSA) also discovered this bug between the time when it was first included in the software and the time the Heartbleed discovery team told the world about it, they could have been using it to access or attack your data.
There is no way to completely protect yourself from threats you don’t know about. But you can and should take precautions. The most obvious precaution: Limiting your exposure to individual hacks by making sure you have a unique and strong password for each different online account. I can’t stress enough how important it is to have different passwords for different accounts. It’s more important than having strong (unguessable) passwords, in fact. The only reasonable way to manage all these different passwords is with a password manager. I wrote a primer on these apps back in February.
Read it now: Fix Your Passwords.
Now, you can’t know when a flaw like Heartbleed exists until someone discovers it, and having a unique and strong password on an account doesn’t mean that another flaw isn’t leaving you exposed anyway, even if you’re doing all the right things. So one more thing you can do is change your passwords regularly.
Since changing a lot of passwords is a colossal pain in the neck (and I mean massively inconvenient), even with a good password manager to help you, perhaps it’d be best if you set aside a big chunk of time to do it. Like, a day. Maybe, in fact, a day off from work. A paid day off from work. Hey, I can dream. And keeping people (more) secure will actually save the country money, at least compared to the potential economic catastrophe of a real, pervasive, and exploited breakdown in Internet security.
Another thing you might want to do is enable two-factor authentication (also called two-step authentication) on sites that support it, like Google and Dropbox. Two-factor authentication makes it much more difficult to sign on to an account unless you have the account owner’s smartphone with you, on which a second, always-changing password (the second factor or step) is displayed. We’ll have more on two-factor authentication in a future article.
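The “always-changing password” on the phone described above is, on most sites, a time-based one-time password (TOTP, RFC 6238) computed from a secret shared at enrolment and the current 30-second time step. This is an added illustration, not code from the article or from any of the sites it names; the secret below is the published RFC test-vector secret, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time

# Base32 form of the RFC 4226/6238 test-vector secret "12345678901234567890".
# A real site generates a random secret per user when 2FA is enabled.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30  # seconds each code stays valid
DIGITS = 6


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation: pick 4 bytes from the HMAC
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = TIME_STEP) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret_b32, unix_time // step)


def verify_second_factor(secret_b32: str, submitted: str, unix_time: int,
                         window: int = 1) -> bool:
    """Server-side check of the second factor.

    Accepts the code for the current step or `window` steps either side
    (phone clock drift). hmac.compare_digest keeps the comparison
    constant-time so a wrong guess reveals nothing about the right code.
    """
    step_now = unix_time // TIME_STEP
    return any(
        hmac.compare_digest(hotp(secret_b32, step_now + d), submitted)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    now = int(time.time())
    print("code for this 30-second window:", totp(RFC_TEST_SECRET_B32, now))
```

A leaked password alone does not pass `verify_second_factor`: the attacker also needs the enrolled secret, and a code captured from the phone stops working once the time step rolls over.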
So when is this new National Change Your Passwords Day? I’d propose we use the transition from Standard to Daylight time as the day for this, since more clocks are setting themselves these days and we have all that extra time to mind our technology. In fact, we should do password resets more than once a year, so let’s make it a twice-yearly holiday and use the transition from Daylight to Standard, too.
So what’s been stolen? Maybe nothing. Maybe a lot
So here’s the bad news: Even regularly changing your passwords won’t completely protect you from unknown theft of your personal data. It protects you a bit more, but not completely. It can take just microseconds for a hacker’s system to exploit a security flaw on a service you use. But the more often you change your locks, the less likely a stolen key will work in them.
If you’ve been hacked, and then you change your password, you’re protecting yourself against future intrusion into your account. That’s very good and necessary. But the digital goods you want to protect may already have been stolen. In particular, your credit card numbers are vulnerable, if you save those numbers in online accounts.
You think it’s inconvenient to change passwords? Try changing credit card numbers. You can’t just call your issuers and ask for new cards just to be safe. You can report your card stolen, in which case they’ll immediately deactivate your existing card and send you a new one. That might take a few days, and of course any automatic payments set up on that card will fail the next time they come due.
And let’s not talk about trying to change other financially-relevant data, like a social security number. (Although if an online or commerce site other than a financial institution asks for a social security number, you would be wise to wonder why.)
The good news when it comes to Heartbleed (yes, there is some) is that, as far as we know, no actual banks or brokerages used the version of the OpenSSL software affected by Heartbleed.
A bit more on password managers
Once more, with feeling: A password manager can improve your online security while also removing a lot of the hassle of keeping different passwords. However, password managers themselves are protected by passwords, which means they could potentially become vulnerable to a Heartbleed-like vulnerability.
The good news (again!) is that of the three password managers I recommend — Lastpass, 1Password, and Dashlane — none are directly vulnerable to the Heartbleed flaw.
I say “directly” because Lastpass and 1Password both have some small exposure. Lastpass uses OpenSSL to transmit data, but it encrypts the data before the OpenSSL software sees it, so Lastpass claims they’re not vulnerable to Heartbleed attacks.
1Password has a slight possibility of a flaw if you use its synchronizing service, 1PasswordAnywhere, with Dropbox to keep your passwords in sync across devices. If you’re in that camp, there’s a small chance that a possible Heartbleed vulnerability on Dropbox could allow an attacker to replace your 1Password sync file with a malicious version of your file, causing havoc across your 1Password account (while not actually stealing your passwords).
So if you are using one of these password managers, you might want to read their blog posts about Heartbleed. Here they are: Lastpass | 1Password | Dashlane.
The main takeaway: As part of the Heartbleed password panic, it’s a good idea to change your most important passwords now, starting with your password manager, if you have one. And then change it again, perhaps the next time National Change Your Passwords Day rolls around and you’re changing all your other critical passwords.
And if you don’t have a password manager, get one now.
The Passwords You Need to Change Now
Weekend Project: Fix Your Passwords
The Heartbleed site (the source of the discovery)