As far as passwords go, the internet can be a painful environment for a consumer. The new Heartbleed bug is something of a disaster. There’s an expectation that your information is safe, especially with big companies like Adobe, PlayStation, LinkedIn and Steam, all of whom have been breached in some way in recent times. Heartbleed is different because it exposes potentially millions of sites secured with OpenSSL. It’s possibly the worst security issue in the Internet’s history and, to make matters worse, it has been around for two years. Now that it’s out in the open, it’s a race for everyone to fix the issue. This morning I received my first email (shown below) from a site taking action and warning its users, IFTTT.com. Well done to them for acting fast. At this point I’m hoping for and expecting a lot of similar emails from other services.

[24 hour update] Surprisingly few companies have emailed their customers. Mashable has published a good list of affected sites here: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/. It’s currently unclear whether Facebook has been compromised, but it is advised that passwords be changed. This could have severe ramifications for agencies managing client accounts, so it should be addressed urgently.
So what should you do? One caveat that applies to all of the advice below: changing a password on a site that has not yet patched its OpenSSL gains nothing, because the new password can be harvested the same way the old one could; change it once the site confirms it has deployed the fix. With that in mind, here’s some good advice from The Atlantic, quoted below:
Simplest way to understand the problem: one of the protocols that many sites use to protect their own security, known as OpenSSL (for Secure Socket Layers), itself has a previously unknown bug. That bug, in place for the past two years, could in theory allow an attacker to harvest large numbers of name/password info from sites believed to be perfectly safe. Because exploitation of the bug would have left no trace, no one (except a potential hacker) yet knows how many names have been taken, or from where.
A patched OpenSSL version exists and is being deployed. Until then, what should you do? Here’s a five-point checklist, followed by explanations.
Change the passwords for the handful of sites that really matter to you. I’ll explain how you can do this in a total of ten minutes or less. This probably isn’t necessary, but just in case…
Do not ever use the same password at two sites that matter to you. Ever. Heartbleed or not, this lowers the security level of any site with that password to the level of the sleaziest and least-secure site where you’ve ever used it.
Use a password manager, which can generate an unlimited set of unique, “difficult” passwords and remember them for you.
Use “two-step” sign-in processes wherever they’re available, starting with Gmail.
Read what happened in our family three years ago, when one of our Gmail accounts was taken over by someone in Africa, if you would like a real-world demonstration of why you should take these warnings seriously. It’s from an article called “Hacked.”
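The checklist above says a patched OpenSSL version exists. For anyone who runs a server rather than only logging into one, the first question is which OpenSSL the box reports. The script below is an added example written for this post, not code from the original page, from The Atlantic or from the OpenSSL project. The version ranges it encodes (1.0.1 through 1.0.1f and 1.0.2-beta1 vulnerable; 1.0.1g, the 1.0.0 branch and the 0.9.8 branch not) come from the OpenSSL security advisory of 7 April 2014, not from this page. One caveat it cannot resolve on its own: some distributions backport the fix without changing the reported upstream version string, so a "1.0.1e" that this script flags may already be patched; confirm via the package changelog or a direct test of the service before concluding either way.

```python
import re

# Affected range per the OpenSSL security advisory (7 April 2014), not from the
# blog post itself: 1.0.1 .. 1.0.1f and 1.0.2-beta1 are vulnerable; 1.0.1g, the
# 1.0.0 branch and the 0.9.8 branch are not.
_VERSION_RE = re.compile(
    r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?",
    re.IGNORECASE,
)


def parse_openssl_version(text):
    """Parse `openssl version` output or a bare version string.

    Returns (major, minor, fix, patch_letter, beta_tag); patch_letter and
    beta_tag are "" when absent. Raises ValueError on unrecognised input.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter.lower(), (beta or "").lower()


def heartbleed_affected(text):
    """True if the reported upstream version is inside the vulnerable range.

    Caveat: a distribution that backported the fix keeps the old version
    string, so True means "check further", not "confirmed vulnerable".
    """
    major, minor, fix, letter, beta = parse_openssl_version(text)
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are vulnerable; 1.0.1g and later fixed.
        return letter < "g"
    if (major, minor, fix) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped the bug; beta2 and later are fixed.
        return beta == "beta1"
    return False


if __name__ == "__main__":
    import subprocess

    try:
        out = subprocess.run(
            ["openssl", "version"], capture_output=True, text=True, check=True
        ).stdout
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        raise SystemExit(f"could not run `openssl version`: {exc}")
    verdict = (
        "in the affected range (unless the fix was backported)"
        if heartbleed_affected(out)
        else "not in the affected range"
    )
    print(out.strip(), "->", verdict)
```

Run it on each host that terminates TLS; for a flagged version, look at the package changelog before deciding, since the string alone cannot tell a backported fix from an unpatched build.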
Personally, in terms of password management I’ve been using LastPass.com for a few years. It’s a service I recommend highly, and it has useful tools for making sure that you are as safe and secure as possible. As you can see from the screenshot I took below from my account today, they not only store passwords but give very useful advice in matters like these, showing you exactly what you need to do to resolve issues. (Thanks LastPass!)
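What the password-manager advice in this post amounts to is an audit over the vault: which passwords are reused across sites, which were in use on an affected site before that site deployed the fix, and a fresh random password for each one that needs replacing. The script below is an added example written for this post; it is not LastPass’s code and not part of the original page. The vault entries, hostnames and patch dates are constructed sample data, and the rule it applies (a password in use on an affected site before that site patched needs changing; one on a site that has not yet patched should wait, since a replacement set now could leak the same way; a password shared with an exposed site is exposed everywhere it is used) is the caveat added here, not something the post states.

```python
import math
import secrets
import string
from datetime import date

# Constructed sample vault: hostnames, passwords and dates are made up for this example.
VAULT = [
    {"site": "mail.example.com", "password": "Summer2013!", "changed": date(2013, 5, 1)},
    {"site": "shop.example.net", "password": "Summer2013!", "changed": date(2013, 5, 1)},
    {"site": "bank.example.org", "password": "k7#Qw9!zLm2pXr4v", "changed": date(2014, 4, 10)},
    {"site": "forum.example.com", "password": "hunter2", "changed": date(2012, 1, 15)},
]

# Constructed: sites that ran a vulnerable OpenSSL, mapped to the day each one
# deployed the fix. None means the site has not patched yet. Sites absent from
# this map were never affected.
PATCHED = {
    "mail.example.com": date(2014, 4, 9),
    "bank.example.org": date(2014, 4, 8),
    "forum.example.com": None,
}

NOT_AFFECTED = "not affected"
CHANGE_NOW = "change now"
WAIT_FOR_PATCH = "wait: site still vulnerable, a new password could leak too"
ALREADY_ROTATED = "already changed after the fix"

# Printable, shell- and form-safe alphabet for generated passwords.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def generate_password(length=20, alphabet=ALPHABET):
    """A fresh password drawn from the OS CSPRNG, as a password manager does per site."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length=20, alphabet=ALPHABET):
    """Guessing work for a uniformly random password of this shape, in bits."""
    return length * math.log2(len(alphabet))


def reused_password_groups(vault):
    """Groups of sites sharing one password; each group is as weak as its weakest site."""
    by_password = {}
    for entry in vault:
        by_password.setdefault(entry["password"], []).append(entry["site"])
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


def rotation_advice(vault, patched):
    """Per-site action, given when (if at all) each affected site deployed the fix."""
    advice = {}
    for entry in vault:
        site = entry["site"]
        if site not in patched:
            advice[site] = NOT_AFFECTED
        elif patched[site] is None:
            advice[site] = WAIT_FOR_PATCH
        elif entry["changed"] <= patched[site]:
            # In use while the site was exposed; a change on patch day still counts as exposed.
            advice[site] = CHANGE_NOW
        else:
            advice[site] = ALREADY_ROTATED
    # A password shared with an exposed site is exposed everywhere it is used.
    for group in reused_password_groups(vault):
        if any(advice[s] in (CHANGE_NOW, WAIT_FOR_PATCH) for s in group):
            for s in group:
                if advice[s] != WAIT_FOR_PATCH:
                    advice[s] = CHANGE_NOW
    return advice


if __name__ == "__main__":
    for site, action in rotation_advice(VAULT, PATCHED).items():
        print(f"{site:20} {action}")
    for group in reused_password_groups(VAULT):
        print("same password at:", ", ".join(group))
    print("replacement (%.0f bits):" % entropy_bits(), generate_password())
```

In the sample data, mail.example.com needs a new password because the old one was live before the site patched; shop.example.net was never affected but shares that password, so it gets a new one too; bank.example.org was rotated after its fix and is fine; forum.example.com has not patched, so its password waits until it does and is then changed.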