Heartbleed - What Can You Do About It?
In the week since researchers disclosed the Heartbleed vulnerability in OpenSSL, there has been a lot of discussion about what kind of information attackers can actually obtain by exploiting the bug. Turns out quite a lot.
There's nothing you, personally, can do to fix the problem. The owners of servers running the vulnerable software need to take action. Specifically, they have to update to the latest, non-vulnerable version, revoke all the site's security keys, and then re-issue keys. However, you can do something about your exposed passwords: change them all!
It's true that not all of your secure sites are vulnerable, though experts estimate that as many as two-thirds of all servers may have the bug. You can check any particular domain using this test. The test offered by LastPass gives even more information. For example, a site that uses OpenSSL and regenerated its security certificates in the last two days may well have been vulnerable before.
You'll want to go through and test all of the secure websites you use. Make a note of any that are currently vulnerable; you'll have to revisit those. Actually, think carefully about the vulnerable ones. Do you truly need and use them? If not, consider erasing your profile and all other information and closing the account.
Change Them All!
It doesn't matter whether your current password is "password" or "ijfnu90485*((*jnid@##." No matter how strong it is, the bad guys can pull it out of the buggy server's memory. Whatever the password, they've got it, along with your username and any secure data you transmitted. In addition, any other sites where you used the same password are also exposed.
Your secure sites fall into three categories: those that are still vulnerable, those that were vulnerable in the past, and those that were never vulnerable. It's absolutely essential to change your password on those that were vulnerable in the past. It couldn't hurt to change those that seem like they were never vulnerable, especially because you can't be sure. As for those that remain vulnerable, you're going to have to change those again, but by making a clean sweep now and ensuring you have no duplicate passwords, you'll make that second round of password updates easier.
How to Do It
Going online without a password manager is risky business. If you don't already use one, now's the time to start.
LastPass offers a password analysis report that identifies weak and duplicated passwords. From the report, you can click a link to visit a site and change the password; the password manager will pick up the change. Don't bother thinking up a password. Let the password manager generate something nobody could ever guess.
It's Not Over
Changing the password on sites that are still vulnerable to the Heartbleed bug at least ensures that you're not exposing other sites that use the same password. However, the brand-new password is totally at risk. If possible, stay away from these sites until they get fixed. And when they do, change the password once again. At least you'll have the help of your trusty password manager to do the job.
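The triage described above (three site categories, plus the point that a reused password is exposed everywhere it is used) can be worked through mechanically. The following is an added example, not part of the original post: the account list, the status labels `vulnerable` / `patched` / `never` and the action names are all constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample inventory (not real accounts). "status" is the outcome of
# testing each site: "vulnerable" (still unpatched), "patched" (was vulnerable
# in the past) or "never" (no sign it ever ran the buggy OpenSSL).
ACCOUNTS = [
    {"site": "mail.example", "status": "patched", "password": "blue-kettle-42"},
    {"site": "shop.example", "status": "vulnerable", "password": "Tr0ub4dor&3"},
    {"site": "bank.example", "status": "never", "password": "Tr0ub4dor&3"},
    {"site": "forum.example", "status": "never", "password": "x9$Lq!unique"},
]

def fingerprint(password):
    # Compare passwords by digest so the grouping never carries the plaintext.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def rotation_plan(accounts):
    """Return {site: (action, reason)} following the article's three categories."""
    by_password = defaultdict(list)
    for acct in accounts:
        by_password[fingerprint(acct["password"])].append(acct)

    plan = {}
    for group in by_password.values():
        # A password is exposed if any site using it is or was vulnerable.
        leaky = sorted(a["site"] for a in group if a["status"] != "never")
        for acct in group:
            site, status = acct["site"], acct["status"]
            if status == "vulnerable":
                plan[site] = ("change-now-and-again-after-fix",
                              "server still leaks memory; stay away until fixed")
            elif status == "patched":
                plan[site] = ("change-now", "password may have leaked before the fix")
            elif leaky:
                plan[site] = ("change-now", "password reused on " + ", ".join(leaky))
            else:
                plan[site] = ("optional", "no known exposure; change to be safe")
    return plan

if __name__ == "__main__":
    for site, (action, reason) in sorted(rotation_plan(ACCOUNTS).items()):
        print(f"{site:15} {action:32} {reason}")
```

Note that `bank.example` lands in the must-change group even though it was never vulnerable, because it shares a password with a site that is.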