Friday, April 18, 2014

Yes, Virginia, You Need to Change Your Password(s)

Dear Madame L,

All these people are saying stuff about something called Heartbleed and how I need to change all my passwords. Really? Why?



Dear Virginia,

Yes, really. You need to change your password on every single Web site, service, app, and device you use which may have been affected by the Heartbleed "bug" (it is a bug, a mistake in a program, not a "virus"; Madame L can tell you more about the difference, if you're interested; just ask through a Comment). If you want to know which sites have been affected, you can find out here.

If you don't want to check but still want to be sure, just go to every Web site where you have logged in over the past two years (the bug was in OpenSSL releases from early 2012 onward) and change your password.

Why? Because the bug is in the OpenSSL cryptographic software library, which most "secure" (https) Web sites use to protect your connection. A deliberately malformed "heartbeat" message makes a vulnerable server hand back a chunk of whatever happens to be in its memory, and that memory can hold other users' passwords and login cookies, whatever personal data the site was handling at that moment (addresses and other contact information, credit card numbers, Social Security numbers), and even the server's own secret key.
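What that "malformed heartbeat" actually does, as an added illustration that is not part of the original column and not OpenSSL's own code: the C below models the heartbeat message as OpenSSL parsed it (a type byte, a two-byte length, the payload, and padding), with the vulnerable handler beside the one carrying the bounds check that the fix introduced. The heap contents, the cookie string and the helper names are all constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HDR_LEN   3    /* type (1 byte) + payload length (2 bytes) */
#define HB_PADDING   16   /* minimum padding RFC 6520 requires        */

/* Constructed stand-in for a slice of the server's heap. It starts with a
 * heartbeat request whose length field claims a 56-byte payload although only
 * "hi" (2 bytes) plus 16 bytes of padding actually arrived, and it continues
 * with data that merely happened to be adjacent in memory. */
static const unsigned char HEAP[] =
    "\x01"                                /* type: heartbeat request         */
    "\x00\x38"                            /* claimed payload length: 56      */
    "hi"                                  /* the payload that really arrived */
    "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"    /* 16 bytes of padding             */
    "Cookie: session=9f3a; password=hunter2"; /* somebody else's secret      */

/* Bytes that actually arrived in the TLS record: header + "hi" + padding. */
static const size_t RECORD_LEN = HB_HDR_LEN + 2 + HB_PADDING;   /* 21 */

/* A well-formed request for comparison: the length field matches the payload. */
static const unsigned char GOOD_REQ[] =
    "\x01" "\x00\x02" "hi" "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
static const size_t GOOD_REQ_LEN = HB_HDR_LEN + 2 + HB_PADDING;

static uint16_t read_u16(const unsigned char *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Echo `payload` bytes starting at rec+3 back as a heartbeat response and
 * return the response length. Both handlers below call this; the only
 * difference between them is whether `payload` was sanity-checked first. */
static int build_response(const unsigned char *rec, uint16_t payload,
                          unsigned char *out, size_t out_cap) {
    size_t n = (size_t)HB_HDR_LEN + payload + HB_PADDING;
    if (n > out_cap) return -1;        /* demo safety only; OpenSSL malloc'd n */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, payload);  /* the over-read */
    memset(out + HB_HDR_LEN + payload, 0, HB_PADDING);
    return (int)n;
}

/* OpenSSL 1.0.1 through 1.0.1f: the sender's length field is simply trusted. */
int heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                         unsigned char *out, size_t out_cap) {
    (void)record_len;                  /* the bug: never compared against payload */
    if (rec[0] != HB_REQUEST) return -1;
    return build_response(rec, read_u16(rec + 1), out, out_cap);
}

/* OpenSSL 1.0.1g: drop the message unless header + payload + padding fit
 * inside the bytes that actually arrived. */
int heartbeat_fixed(const unsigned char *rec, size_t record_len,
                    unsigned char *out, size_t out_cap) {
    if (record_len < (size_t)HB_HDR_LEN + HB_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = read_u16(rec + 1);
    if ((size_t)HB_HDR_LEN + payload + HB_PADDING > record_len) return -1;
    return build_response(rec, payload, out, out_cap);
}

/* Does the response carry a byte string the client never sent? */
int contains(const unsigned char *buf, int n, const char *needle) {
    size_t m = strlen(needle);
    if (n < 0) return 0;
    for (size_t i = 0; i + m <= (size_t)n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char out[128];
    int n = heartbeat_vulnerable(HEAP, RECORD_LEN, out, sizeof out);
    printf("vulnerable: %d-byte response, leaks password: %s\n",
           n, contains(out, n, "password=hunter2") ? "yes" : "no");
    n = heartbeat_fixed(HEAP, RECORD_LEN, out, sizeof out);
    printf("fixed: %s\n", n < 0 ? "malformed request dropped" : "answered");
    n = heartbeat_fixed(GOOD_REQ, GOOD_REQ_LEN, out, sizeof out);
    printf("fixed, honest request: %d-byte response\n", n);
    return 0;
}
```

The vulnerable handler answers a 21-byte request with a 75-byte response, and the extra bytes are whatever followed the request in memory; the fixed handler drops the same request and still answers an honest one. In the real attack the claimed length could be up to 65535, so each heartbeat returned up to 64 KB of server memory, and nothing about the exchange looked unusual to the server.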

According to the Washington Post, "Estimates of the severity of the bug’s damage have mounted almost daily since researchers announced the discovery of Heartbleed last week. What initially seemed like an inconvenient matter of changing passwords for protection now appears much more serious. New revelations suggest that skilled hackers can use the bug to create fake Web sites that mimic legitimate ones to trick consumers into handing over valuable personal information."

Because it's such a huge problem and fixes have been slow in coming, timing matters. Changing a password before a site has patched its copy of OpenSSL and replaced its secret key does not help, because an attacker can read the new password out of the server's memory just as easily as the old one. So if you changed a password in the first few days, change it again once the site has announced that it is fixed. After that, it is good practice to keep changing your passwords periodically; federal employees and many in the private sector are required to change their work-computer access passwords every two months.

For more information on Heartbleed and how you can respond to its threat, Norton has provided lots of details in a very readable and understandable format. Here are some of them:
Due to the complex nature of this vulnerability, changing your passwords before sites update their version of OpenSSL won't fully protect you. Here are some simple steps you can take as a precaution:

Change your passwords on any website that contains sensitive information about you. You should first confirm that the site does not contain the Heartbleed vulnerability by using this tool.

If you’ve reused passwords on multiple sites, it’s especially important to change them. To change your Norton Account password, visit and click Account Information.

Beware of phishing emails and type website addresses directly in your browser instead of clicking on a link through an email.

Monitor your bank and credit card accounts for unusual activity.

It may take an extended period of time for all the sites affected by Heartbleed to fix this vulnerability. To determine if a website is vulnerable to Heartbleed, use this tool. We recommend you only exchange personal or sensitive information such as your credit card number if the site is not affected by Heartbleed.

Madame L

1 comment:

AskTheGeologist said...

Best explanation I've seen in the shortest possible space. Thanx.