It was about time anyway. I’ve been using the same two or three passwords, and variations thereof, on all the sites that I use for years. I’ve never had any of my accounts hacked… yet. But Heartbleed served as a wake-up call.
I recall the Adobe data breach from last year, which had ~150 million accounts compromised. I checked, and my email was on the list. I don’t remember the exact password that I used for that account (like many accounts, I probably had to sign up due to the vendor compelling me and never used it thereafter), but I’d bet that it was my “usual”, which I’ve used on dozens of other sites. But like most users, I said “meh”, and forgot about it. I’ll probably be fine, right?
Then came all the NSA revelations, with talk of how much of the encryption on the internet has been subverted by them, among many other things. Scary, right? But most people would shrug it off, thinking that they’re safe because they’re not a terrorist. One’s attitude changes, however, when the vulnerability is staring them in the face. First there was the, in my opinion, deliberate iOS bug, which I’ve written about previously. Now, there’s the (probably accidental) Heartbleed bug. The NSA says it didn’t know about it and hasn’t been exploiting it… I call BS on that! Based on how it works, I’d say that it is exactly what the NSA was referring to when it was discovered they subverted much internet encryption!
Initial estimates were that up to 66% of all web servers were affected, while more recent estimates have the number down to 17%, if I read the article correctly. And the percentage of internet users affected, as opposed to the percentage of servers? I’d say that number is much higher. Let’s take a look at just a few of the sites that were affected…
- Yahoo and associated services
- Google and associated services
How many of you use one or more of those sites? All of you? Congratulations, you’re hosed! And that’s not counting the countless other services out there. The good news is that most major financial sites appear to have been spared, but if you share passwords between sites, those are as good as compromised too. One could argue that the bug has never actually been exploited, but can you really be sure of that? Evidence has been found that suggests the bug may have been in use up to 5-6 months before its public disclosure. Additionally, apart from a few trace signatures in some logs (if they are enabled and retained), exploitation is effectively undetectable: a malicious heartbeat request is answered inside the TLS layer and never reaches the web server’s application logs, so a site can’t tell after the fact whether its memory was read or not.
A few years ago, before all of the NSA revelations, I may have once again shrugged my shoulders at this. After all, my password was great and super strong and super awesome (not really), and there’s no way that my password would ever be stored in plaintext or in an unsalted hash by a service (yeah right), and the hackers would give up trying to crack my password and go after all of the grandmas with Password123. It’s easy to delude yourself. Now, I’m righteously paranoid. This is the shit that the NSA’s been up to, and I’m not comfortable with the chance of having all of my login credentials in their hands. It’s time to take action!
Here are some basic guidelines on proper password management:
- Passwords of 8 characters or fewer are worthless. Once a site’s password database leaks, the attacker is guessing offline at GPU speed, and if the site stored a fast, unsalted hash (see above), an 8-character password falls in hours to days no matter how many symbols you stuffed into it
- Try using the “correcthorsebatterystaple” method to create long, yet memorable passwords. All else being equal, longer passwords are better. No need to go crazy with special characters. The one rule that makes this work is that the words must be picked at random (dice, or a password generator), not chosen from your head, because words you’d naturally pick are exactly the ones a cracker’s wordlist tries first
- Start by auditing which services that you use are affected. Here is a starter list for Heartbleed, which includes the major sites that I mentioned earlier. Consider any other site with the same password as those also compromised. You don’t need to be exhaustive at first, but make sure you include important sites such as your email, bank logins, cloud services, and even services such as LogMeIn
- Use a different password for each important site, such as your bank account, primary email, or cloud storage (that’s 3 different passwords, if you’ve been counting. Don’t reuse the same one!)
- For sites of moderate or low importance, it is arguably acceptable to use the same password. Be realistic. You are not a computer and you cannot remember dozens of different passwords
- Use a password manager to keep track of all your new passwords. I’ve been using KeePass for about a week, and I like it so far. It has an iOS app too, which can also pull your password database from Dropbox if you wish to sync it amongst your devices (which means the whole database is only as safe as its master password, so make that one a long passphrase). It can also generate random gibberish passwords (I prefer the CHBS method as I want to be able to memorize my passwords), as well as auto-fill your credentials on websites
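To put some numbers behind the “longer beats fancier” advice and the “rotate everything that shares a password” step, here is an added example (my own, not the author’s, and not taken from KeePass or any other tool). It computes the entropy of a few password styles, estimates offline cracking time at an assumed 10 billion guesses per second, generates a CHBS-style passphrase with a CSPRNG, and, given a constructed site-to-password audit list, works out which accounts must be rotated when one of them is on the Heartbleed list. The 32-word list is a constructed stand-in; a real Diceware list has 7776 words, and the entropy figures use that size.

```python
import math
import secrets
from collections import defaultdict

# Constructed stand-in wordlist (32 words = 5 bits per word). A real
# Diceware list has 7776 words, which is what DICEWARE_SIZE assumes.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "anchor", "beacon", "cobalt",
    "dragon", "ember", "falcon", "garnet", "harbor", "island", "jungle",
    "kettle", "lantern", "meadow", "nickel", "orbit", "pepper", "quartz",
    "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "copper", "maple",
]
DICEWARE_SIZE = 7776   # 6^5 words, five dice rolls per word
PRINTABLE_ASCII = 95   # every printable character from space to '~'
LOWERCASE = 26

# Assumed attacker speed for a fast, unsalted hash on a GPU rig.
GUESSES_PER_SECOND = 1e10


def entropy_bits(alphabet_size, length):
    """Entropy of a string of `length` symbols drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def seconds_to_crack(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Expected brute-force time: on average the attacker finds the
    password halfway through the search space."""
    return (2 ** bits / 2) / guesses_per_second


def passphrase(wordlist, n_words, sep=" "):
    """CHBS-style passphrase: words chosen uniformly with a CSPRNG.
    secrets.choice, never random.choice, for anything that is a secret."""
    if n_words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def reused_password_groups(site_passwords):
    """Sites that share an identical password, grouped. This is a local
    audit over your own list; the dict never leaves your machine."""
    groups = defaultdict(list)
    for site, pw in site_passwords.items():
        groups[pw].append(site)
    return sorted(sorted(s) for s in groups.values() if len(s) > 1)


def sites_to_rotate(site_passwords, compromised_sites):
    """Every compromised site plus every site sharing its password,
    i.e. the 'consider those compromised too' rule made explicit."""
    by_password = defaultdict(set)
    for site, pw in site_passwords.items():
        by_password[pw].add(site)
    to_rotate = set()
    for site in compromised_sites:
        to_rotate.add(site)
        if site in site_passwords:
            to_rotate |= by_password[site_passwords[site]]
    return sorted(to_rotate)


# Constructed audit list: site -> password currently in use there.
AUDIT = {
    "mail.example": "Tr0ub4dor&3",
    "bank.example": "Tr0ub4dor&3",
    "forum.example": "hunter2",
    "shop.example": "hunter2",
    "cloud.example": "correct horse battery staple",
}


if __name__ == "__main__":
    styles = [
        ("8 lowercase letters", entropy_bits(LOWERCASE, 8)),
        ("8 printable ASCII chars", entropy_bits(PRINTABLE_ASCII, 8)),
        ("4 Diceware words", entropy_bits(DICEWARE_SIZE, 4)),
        ("6 Diceware words", entropy_bits(DICEWARE_SIZE, 6)),
    ]
    for label, bits in styles:
        years = seconds_to_crack(bits) / (365.25 * 24 * 3600)
        print(f"{label:26s} {bits:6.1f} bits  ~{years:.2e} years offline")
    print("sample passphrase:", passphrase(SAMPLE_WORDS, 5))
    print("reused:", reused_password_groups(AUDIT))
    print("rotate after forum.example breach:",
          sites_to_rotate(AUDIT, ["forum.example"]))
```

Two things worth noticing in the output: an 8-character password drawn from all 95 printable characters (about 52.6 bits) is essentially tied with four random Diceware words (about 51.7 bits), and adding two more words, which costs nothing in memorability, pushes it past 77 bits. The cracking-time column is only meaningful for the fast-hash case the text worries about; a service using bcrypt or scrypt slows the attacker by orders of magnitude, but you don’t get to choose how the other side stores your password.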