The Heartbleed Bug: What you need to know

In the past week, the media has been reporting on a serious vulnerability called the Heartbleed Bug, which affects millions of websites. It is a programming mistake in OpenSSL that has now been publicly disclosed. It does not affect every website, but chances are you use some popular websites that were vulnerable, so you should change certain passwords.

What’s to worry about?

Your login credentials (username & password) may have been compromised when logging into supposedly secure websites that use SSL/TLS encryption.

According to the official Heartbleed website:

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

The easy way to recognize whether a website encrypts your login is to check if the URL begins with https:// or if your web browser displays some sort of lock or shield icon by the URL field. Major websites (e.g., banks/financial institutions, email, social media, etc.) typically have that. Your standard small business website probably does not.


What’s being done about it?

Businesses and web hosting companies have been busy patching affected servers.

Do I need to change my password(s)?

Yes and no. That’s the problem with this bug/exploit. You can change all your passwords now to make yourself feel comfortable, but a new password entered on a site that is still vulnerable can be exposed just like the old one, so you’ll likely need to change them again in a few weeks once more websites have been patched.

Personally I’d err on the side of caution and change all major admin accounts, email, financial, etc. It’s good to revise them periodically as a precaution.

Definitely change your…

  • Email accounts — Gmail, Yahoo Mail
  • Social Media accounts — Facebook, Pinterest, Instagram
  • File sharing accounts — Dropbox, Box
  • Domain registrar and web hosting — GoDaddy, Register.com
  • Misc. — Amazon Web Services, Wunderlist, Wikipedia, Netflix

Check your inbox. You’ll likely start receiving emails from various services explaining what they’ve done. Or go check their blogs.

You should also check this list of affected websites.

[Source Mashable]

This is a hassle. How can I make it easier?

Security is a necessity in our digital age. Password management software or “lockers” (e.g., LastPass, 1Password) can help you securely store your login info and generate random passwords. You can then sync the data between your desktop/laptop, tablet and smartphone.

What’s a strong password?

  • At least 10 characters.
  • A mix of upper-case letters, lower-case letters and numbers. Include symbols (special characters) if the website allows them.
  • Don’t use a single word or a common phrase.

Most importantly, use a different password on every website. That way if one gets hacked, all your others won’t easily be compromised.
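As an added example (not part of the original post), here is a small Python script that checks a password against the three rules above and generates one the way a password manager does, using the cryptographically secure secrets module rather than random. The short common-phrase list is a constructed placeholder; a real manager checks against a far larger list.

```python
import secrets
import string

# Constructed, tiny stand-in for a real common-password/phrase list.
COMMON_PHRASES = {"password", "letmein", "iloveyou", "qwerty", "heartbleed"}


def check_strength(pw: str) -> list[str]:
    """Return the rules from the post that `pw` fails (empty list means it passes)."""
    problems = []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both upper- and lower-case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs at least one digit")
    # All letters and no spaces means a single word; also reject known phrases.
    if pw.isalpha() or pw.lower().replace(" ", "") in COMMON_PHRASES:
        problems.append("is a single word or a common phrase")
    return problems


def generate_password(length: int = 16, symbols: bool = True) -> str:
    """Generate a random password that satisfies check_strength()."""
    if length < 10:
        raise ValueError("the post recommends at least 10 characters")
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if symbols:
        classes.append("!@#$%^&*()-_=+[]{}")
    alphabet = "".join(classes)
    while True:
        # One guaranteed character from each class, the rest from the whole
        # alphabet, then shuffle so the class order is not predictable.
        chars = [secrets.choice(c) for c in classes]
        chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
        secrets.SystemRandom().shuffle(chars)
        pw = "".join(chars)
        if not check_strength(pw):  # loop again in the unlikely event a rule fails
            return pw


if __name__ == "__main__":
    print(generate_password(16))
    print(check_strength("heartbleed"))
```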

Learn more

Heartbleed official website
Easy to understand illustration
NYTimes Blog and this article.

I hope you find this helpful.
-Roland