Open as in OpenSSL?

Posted on Thu, 10 Apr 2014 in Security

Heartbleed

As the dust settles around the Internet[1], and all the sysadmins around the world are finishing the huge amount of work involved in cleaning up after the Heartbleed bug, we as users of the Internet now have an equally large workload[2] ahead of us.

I'm not going to explain the nature of the bug, as that has already been covered in great detail on numerous other sites[3]. What I am going to talk about is what "normal" people need to do after the techies have cleaned up.

Everything you have sent across the Internet for the past two years is potentially compromised. This includes ALL your usernames and passwords - yes, it is that bad - and if all your passwords are compromised, then you are compromised and are an easy target for any number of exploits and digital takeovers: remember how Mat Honan got hacked.

"Catastrophic" is the right word.
On the scale of 1 to 10, this is an 11.

As you might have guessed, the task at hand is changing ALL your passwords[8] before someone else does, but only after your service provider has fixed their systems[9]. Every site you use should have a unique password[4], so if one password is compromised only one account is exposed. No one can remember all those passwords and nobody should try. Luckily for us there are plenty of password managers to help us with this.

The two most prominent password managers are LastPass and 1Password with 1Password being my absolute favorite.

1Password is available for iPhone, iPad, Mac and even Windows and Android, so take your pick and start changing your passwords now![5]

In 1Password on the desktop you can create a smart folder with all the passwords you haven't changed[6] since you started your cleanup. Furthermore, you can sort this folder by frequency[7], allowing you to change your most important accounts first. But please remember to change your email[10] account first, as this account can often be used to reset[11] the password for your other logins.

How to create a Heartbleed Smart Folder

Another cool feature in 1Password is the "Security Audit" section, which is a group of predefined smart folders that help you identify passwords that need to be changed[12].

Remember to verify the SSL certificates before updating your passwords.
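The check the post recommends (footnote 5: look at the date on the site's SSL certificate before you change a password there) can be done from the command line. The script below is an added example, not code from the original post or from AgileBits: it reads the notBefore field of a certificate in the dictionary shape that Python's `ssl` module returns from `getpeercert()` and reports whether the certificate was issued after the public Heartbleed disclosure on 7 April 2014. The two sample certificates at the bottom are constructed for illustration; `fetch_peer_cert` needs network access and is only used when you pass hostnames on the command line.

```python
import ssl
import socket
import sys
from datetime import datetime, timezone

# Public disclosure date of Heartbleed (CVE-2014-0160): 7 April 2014.
# A certificate issued before this date may have been created for a key that
# leaked while the server was vulnerable, so it tells you nothing about a fix.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_not_before(cert):
    """Return the notBefore field of a getpeercert()-style dict as an aware UTC datetime.

    getpeercert() gives dates as strings such as 'Apr  9 12:00:00 2014 GMT';
    ssl.cert_time_to_seconds() parses exactly that format.
    """
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def reissued_after_heartbleed(cert):
    """True if the certificate's validity period starts on or after the disclosure date."""
    return cert_not_before(cert) >= HEARTBLEED_DISCLOSURE


def describe(hostname, cert):
    """One-line verdict for a certificate, suitable for a checklist."""
    issued = cert_not_before(cert).date().isoformat()
    verdict = "issued after disclosure" if reissued_after_heartbleed(cert) else "PRE-disclosure certificate"
    return f"{hostname}: notBefore={issued} -> {verdict}"


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Connect with full certificate verification and return the peer certificate dict.

    Requires network access; the default context verifies the chain and hostname,
    so an invalid certificate raises instead of being silently inspected.
    """
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificates (hypothetical hostnames, not real sites' data)
# in the same dict shape that getpeercert() returns.
SAMPLE_OLD = {
    "subject": ((("commonName", "old.example"),),),
    "notBefore": "Mar  1 00:00:00 2014 GMT",
    "notAfter": "Mar  1 00:00:00 2015 GMT",
}
SAMPLE_NEW = {
    "subject": ((("commonName", "new.example"),),),
    "notBefore": "Apr  9 12:00:00 2014 GMT",
    "notAfter": "Apr  9 12:00:00 2015 GMT",
}

if __name__ == "__main__":
    hosts = sys.argv[1:]
    if not hosts:
        # No hostnames given: demonstrate on the constructed samples.
        print(describe("old.example", SAMPLE_OLD))
        print(describe("new.example", SAMPLE_NEW))
    for host in hosts:
        try:
            print(describe(host, fetch_peer_cert(host)))
        except (ssl.SSLError, OSError) as exc:
            print(f"{host}: could not verify certificate ({exc})")
```

Run it as `python heartbleed_cert_date.py example.com` (the filename is assumed). Treat the result as a hint rather than proof: a certificate issued after the disclosure date shows the site did something, but the administrator could have reissued the certificate with the same, possibly leaked, private key, and an old date only means you should wait and check again later before changing that password.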

If you want to know more about Heartbleed you can find additional information on these sites:

And for the geeks, here is a Perl script you can use to test for the bug:

Watchtower

Update: In 1Password version 4.4 Agilebits added a new feature called Watchtower that automates all this for you.

Happy updating!


  1. …there is still a lot of dust in the air and it'll probably continue to be there for a while. 

  2. albeit a lot less technical. 

  3. This is one of the better ;-) 

  4. And have two factor authentication enabled if possible. I recommend using Authy on the iPhone for collecting all your TOTP tokens. 

  5. But please wait until you are sure the service in question has been fixed; a good indicator for this is the date on the SSL certificate.

  6. I have a little over 600 passwords that need to be changed.

  7. Please note that sites like Facebook won't show up here as you typically don't log in and out very often. 

  8. …or at least the most important ones first… 

  9. Everyone should have fixed their systems by now; if not, you might consider changing provider.

  10. Yes, it is not just websites that are affected, all kinds of services use OpenSSL. 

  11. Just ask Mat… 

  12. Although the date-based folders make less sense when using 50-character passwords with a good mix of letters, numbers and symbols.