Like many of you, I have been following the news reports on the Heartbleed bug to understand what it is and how it affects me as well as my clients. So, here is a quick synopsis of the situation and what you need to do today. Seriously, set some time aside in your schedule and take care of this.
- Basically, any website using https:// could have been affected. Think of the websites and services you log in to: most of them run OpenSSL, the library that implements the TLS encryption behind that https:// URL, and the vulnerable versions (1.0.1 through 1.0.1f) had been in use since early 2012. The bug lets anyone on the internet read chunks of the server's memory, which can include usernames, passwords, session cookies and even the site's private key. That's how big this is.
- To see whether an https:// website you have used over the last 2 years could have been running a vulnerable OpenSSL, plug it into this tool: https://lastpass.com/heartbleed/. It will tell you whether your username and password for that account could have been exposed.
- Good news: the fix shipped in OpenSSL 1.0.1g on 4/7/2014. If you run servers, note that many Linux distributions patched their existing 1.0.1 packages rather than moving to 1.0.1g, so check your package manager's security updates rather than relying on the version number alone.
- Now, BEFORE you log in to one of your possibly affected accounts, test whether the site has applied the patch, or you could be handing your login information over again. To do this, go to http://filippo.io/Heartbleed/ and test the URL. Keep in mind that patching is only part of the fix: a site whose private key may have leaked also needs to reissue its certificate and revoke the old one, so treat sites that have not said they did this with caution.
- So, if a site was possibly affected (step #2) and is now patched (step #4), CHANGE YOUR PASSWORD for that site. Here is a list of sites and services with recommendations on whether you should change your password today (4/9/2014): The Heartbleed Hit List: The Passwords You Need to Change Right Now.
- Still unsure whether you should update that password now? Contact the service directly (without logging in), or do an internet search and trust only reliable sources (major publications, etc.) on the status.
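Added example, not part of the original post: if you administer servers, the counterpart of step #4 on your own side is checking which OpenSSL your machines actually run. The script below reads the first line of `openssl version` output and classifies the upstream release against the affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1; fixed in 1.0.1g and 1.0.2-beta2). The sample output lines are constructed, and the verdict is a hint only: Debian, Ubuntu, Red Hat and others backported the fix without changing the version number, so a '1.0.1e' on an updated box may already be safe.

```python
import re

# Upstream OpenSSL releases affected by Heartbleed (CVE-2014-0160):
# 1.0.1 through 1.0.1f, and 1.0.2-beta1. Fixed in 1.0.1g (7 April 2014)
# and 1.0.2-beta2. The 0.9.8 and 1.0.0 branches never had the heartbeat code.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?(?:-fips)?$")


def parse_version(version):
    """Split an upstream OpenSSL version such as '1.0.1f' or '1.0.2-beta1'
    into (major, minor, fix, letter, beta)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    major, minor, fix, letter, beta = m.groups()
    return (int(major), int(minor), int(fix), letter, int(beta) if beta else None)


def is_heartbleed_vulnerable(version):
    """True if this *upstream* release contains the Heartbleed bug."""
    major, minor, fix, letter, beta = parse_version(version)
    if (major, minor) != (1, 0):
        return False            # 0.9.8 branch; no 1.1.x existed in 2014
    if fix == 1:
        return letter < "g"     # 1.0.1 .. 1.0.1f vulnerable, 1.0.1g+ fixed
    if fix == 2:
        return beta == 1        # 1.0.2-beta1 vulnerable, beta2+ fixed
    return False                # 1.0.0 branch has no heartbeat support


def assess_version_output(output):
    """Interpret the first line of `openssl version` output.

    Returns (version, verdict) with verdict in 'vulnerable', 'not-vulnerable'
    or 'unknown'. 'vulnerable' from the version string alone is only a strong
    hint: distributions backported the fix without bumping the version, so
    confirm with the package changelog or a live test of the server.
    """
    m = re.match(r"OpenSSL\s+(\S+)", output.strip())
    if not m:
        return (None, "unknown")
    version = m.group(1)
    try:
        vulnerable = is_heartbleed_vulnerable(version)
    except ValueError:
        return (version, "unknown")
    return (version, "vulnerable" if vulnerable else "not-vulnerable")


if __name__ == "__main__":
    # Constructed sample lines, as `openssl version` would print them.
    for line in ["OpenSSL 1.0.1e 11 Feb 2013",
                 "OpenSSL 1.0.1g 7 Apr 2014",
                 "OpenSSL 1.0.1e-fips 11 Feb 2013",
                 "OpenSSL 1.0.2-beta1 24 Feb 2014",
                 "LibreSSL 2.0.0"]:
        print("%-36s -> %s" % (line, assess_version_output(line)[1]))
```

On a real host, run `openssl version` and feed its output to `assess_version_output`; a 'not-vulnerable' verdict is reliable, a 'vulnerable' one needs the package-level check described above.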
When changing your passwords, seriously consider using a password manager such as KeePass, or refer to PC Magazine's recent The Best Password Managers review for a solid list of tools. Don't put them in a Google doc or a text file on your desktop. Really, don't. These tools encrypt the stored passwords, generate strong random passwords for you, auto-fill them (which also keeps you from typing a password into a look-alike phishing site or exposing it to a keylogger), and some sync across multiple devices.
If you are not comfortable trusting your passwords to an encrypted password manager, here is a video on devising a system to create passwords that are both strong and that you can always remember: How To Create Passwords You Can Remember.
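Added example, not the post's own code nor from any tool it links: the two approaches above side by side, a random password of the kind a manager generates and a memorable passphrase, with the entropy of each worked out so you can see how long they need to be. The word list is a constructed 16-word stand-in; a real passphrase generator uses a published list of thousands of words, which is why `words_needed` takes the list size as a parameter.

```python
import math
import secrets
import string

# Constructed, deliberately tiny word list for the example. A real generator
# loads a list of several thousand words so each word adds ~12-13 bits.
SAMPLE_WORDS = ["anchor", "basil", "canyon", "delta", "ember", "falcon",
                "glacier", "harbor", "island", "jasper", "kestrel", "lantern",
                "meadow", "nectar", "orbit", "pepper"]

# 52 letters + 10 digits + 32 punctuation characters = 94 symbols.
CHARSET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size, length):
    """Entropy of `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def random_password(length=20, alphabet=CHARSET):
    """Uniformly random password from the OS CSPRNG via `secrets`.
    Never use random.random() for this; it is predictable."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(words=6, wordlist=SAMPLE_WORDS, separator="-"):
    """Memorable passphrase: words chosen uniformly, with replacement."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def words_needed(wordlist_size, target_bits):
    """Smallest word count whose passphrase reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    pw = random_password(20)
    print("random password :", pw, "(%.1f bits)" % entropy_bits(len(CHARSET), 20))
    pp = passphrase(6)
    print("passphrase      :", pp, "(%.1f bits with a 16-word list)"
          % entropy_bits(len(SAMPLE_WORDS), 6))
    print("words for 80 bits from a 7776-word list:", words_needed(7776, 80))
    print("words for 80 bits from this 16-word list:", words_needed(16, 80))
```

The point the numbers make: with a 7776-word list (the classic diceware size) seven words pass 80 bits, whereas the toy 16-word list would need twenty, so the strength of a memorable passphrase comes from the size of the list and the count of words, not from clever substitutions.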