Post-Heartbleed: What should you be doing about passwords?

In the aftermath of HeartBleed, what should you really do?

Author: F-Secure Business Security Insider
Date: 07.05.2015
Read Time: 5 Minutes

The Heartbleed bug in OpenSSL hit hard this month, exposing millions of users, businesses and even some of the world’s most famous websites, to the potential for data loss and painful privacy leaks.

Camillo Särs has already written about how processes can help businesses respond when a critical software vulnerability strikes, and Jarno Niemelä has called for sysadmins to review their config standards at the same time as updating OpenSSL, but what I want to tackle today is passwords post-Heartbleed.

In the aftermath of the Heartbleed bug being made public there was some pretty bad advice offered about passwords.

One day, major news outlets told their readers that they should be changing all of their internet passwords…

The next? people were being told don’t change your passwords – at least not until vulnerable websites had confirmed that they had patched their systems and revoked their old SSL certificates.

It’s not surprising that an awful lot of people probably felt befuddled by the conflicting advice and weren’t sure where they stood.

Every day that passes, more websites and online services are fixing the Heartbleed bug on their systems – but there are likely to be some sites (particularly those run by smaller businesses) which remain vulnerable for some time to come.

If you want to easily determine which sites may be at risk, it may be worth installing a plugin like Chromebleed Checker for Google Chrome (for the Chrome browser) or Heartbleed Checker for Firefox (for Firefox) to your browser which attempts to determine if they are suffering from the Heartbleed bug.

If a website still appears to be vulnerable to the Heartbleed bug, it’s probably not a great idea to change your password for that site just yet. After all, there are plenty of people right now who are exploiting the Heartbleed flaw to scoop up sensitive information – it would be ironic if your password was harvested as you were trying to change it for a new one!

Instead, contact the apparently vulnerable website and ask them when they plan to resolve the issue.

For other sites though, changing passwords is a good option – as you don’t know whether your password might have been exposed since the Heartbleed vulnerability was accidentally introduced into OpenSSL back in late December 2012.

And here’s where there is an opportunity to improve things.

In the past, surveys have shown that something like 30% of all people use the same password for *every* website they access. That’s not just dangerous online behaviour – it’s risky for your business too.

Because if a password gets hacked in one place – whether it be via the Heartbleed flaw, or a phishing attack, keylogging malware, or database theft – then it could not only unlock all manner of different sites and accounts you own across the internet, but also might be the key for opening the door to your corporate network.

In short, you may not care very much about the security of an online forum you use to talk about your favourite soccer team, but you *will* care if a hack there results in your webmail, your corporate email, or PayPal account being compromised.

So, the first thing you should be doing with passwords post-Heartbleed, is making sure that they are all unique.

Furthermore, ensure that passwords are not just unique for each site you access – but also that they are hard to guess, and difficult to crack.

That means no more dictionary words, no more pets’ names, no more “987654321”.

At this point of the password security sermon, someone normally laughs at me and says “That’s a great idea. But how are we supposed to remember so many different, complex, gobbledygook passwords?”

And my simple answer is this: You can’t.

You have no chance of remembering lots of genuinely hard-to-crack, unique passwords for every website you access. And I don’t either.

I don’t know my email password, or my Twitter password, or my PayPal password, or password for any other of the 800+ different websites that I have created accounts for.

Instead, I use password management software – which not only remembers all my passwords for me (all I have to remember is one master password), but also generates secure, hard-to-crack passwords for any other account that I try to create online. It can even fill in the passwords as you access online services, which is a good thing as they often contain such wacky characters.

Good password management software like F-Secure KEY, 1Password and LastPass are simple to use, and can run on both your desktops and mobile devices, ensuring that you have all of your passwords at your fingertips whenever you need them.

If you and your users adopted password management software, the online world would be a safer place.

But you can go further than that.

How about, where available, enabling two factor authentication? 2FA isn’t just for banks anymore, it’s also available for many popular online services like Google, Facebook, Dropbox, and Twitter – meaning that a simple phished username/password isn’t going to be enough to help a malicious hacker gain access to your online accounts.

And how about protecting your company’s assets by enforcing stronger password policies across your organisation? Maybe, post-Heartbleed, it’s a good opportunity to tighten password protection across your company – ensuring that users are choosing stronger, harder to crack passwords for their accounts and not being the weak link in the chain which could lead to your network being compromised.

Security analyst,

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon’s. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. In 2011 he was inducted into the InfoSecurity Europe Hall of Fame. Follow him on Twitter at @gcluley.

Post Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s