You will notice, if you have done any research at all about this HeartBleed issue, that from an end user’s point of view, “almost” everyone recommends changing your passwords. I say “almost” because there are a few articles out there recommending that you don’t change your passwords, at least not immediately. There is a good reason for them to recommend that you delay the password change: the site for which you change your password may not yet have been patched. If that is the case, changing the password before the patch is applied means you will need to go back and change it again later, because the new password can be exposed just like the old one while the server is still vulnerable.

So, what should you do? Change it, or don’t change it? Below are my recommendations for dealing with this HeartBleed/password dilemma in as logical a way as I can dream up. I hope it helps. I also recommend that you read my other post regarding password management.
My suggested approach for changing passwords in the wake of the HeartBleed bug:

1) I changed my personal email password FIRST, because many password reset methods for various websites send a reset link to it when you “forget” your password for their website. Hackers know this, and so if they can get your email password, they can proceed to change passwords at your financial sites if they wish. This is why I always recommend you choose a unique, strong password for your email that you DO NOT use anywhere else.

a. First, I tested the URL associated with my personal email account (I happen to use Gmail) for the HeartBleed vulnerability. I went to the HeartBleed test site http://filippo.io/Heartbleed/ and entered the Gmail URL (mail.google.com) and was informed that the site is not affected by the vulnerability. Good. That means it is now safe to log in and change my password. So that’s exactly what I did. I opened my password manager (KeePass) and edited my email account entry. I had the KeePass password management application auto-generate a new strong password for me and saved the entry. I accessed my Gmail account profile and updated it with this new password.

b. If, like me, your smartphone uses this primary email account (I use Android, which uses Gmail for MANY things), you need to shut down the email application on the phone, restart it, and enter the new password. This can be done through the application manager settings, or more simply by rebooting your phone. I don’t have an iPhone, but I imagine the process is similar.

2) I organize my passwords into groups/categories within KeePass such as “Credit Card Accounts”, “Billing Accounts” (like phone company, electric company, water company, etc.), “Social Media Accounts”, etc. I tend to have a different password for every site. As a result, if any single one is compromised, only that site is affected (unless my email password gets hacked).

a. For each of these, perform the same test for the HeartBleed vulnerability at http://filippo.io/Heartbleed/ BEFORE logging into any of the sites, since logging in to a still-vulnerable site may expose the password you type.

b. If the test indicates they are OK, then I go in and change my password. If not, then I can either

i. Change the password now to something I won’t use anywhere else, and change it again later when the test comes back OK, or

ii. Avoid using the site until the test comes back OK and I can safely change the password.
Dealing with this bug is going to take companies a long time in some cases, because they have so many servers to fix. The key is to remain calm and patient, and to stay aware of what’s happening with your financial accounts.

One last comment: PLEASE do not ever use the same password(s) you use at work for any of your personal accounts.