It’s a dangerous world out there, now made a little scarier thanks to Heartbleed.
A small coding error in OpenSSL, a massively adopted open-source protocol, the Heartbleed flaw managed to go undetected for two years as it tore security holes across huge swathes of the Internet.
That’s enough to strike fear into the heart of any modern Web-using person—which is practically everyone in the developed world. And yet, most people I’ve spoken to still haven’t changed their passwords or taken other steps to make hackers’ jobs more difficult.
If you’ve also been putting this off, or simply don’t know where to start, dedicate a little time this weekend to this checklist of tasks that can help protect you against Heartbleed.
Stopping The Bleed
Anxiety has been running high ever since the security flaw was made public on April 7. In less than two weeks since then, legions of Website administrators, app developers, security pros and others have been scrambling to address this mess. Although some companies say they’ve now patched it, plenty still haven’t. It will likely take years before the Heartbleed threat can be considered largely neutralized.
Until then, users find themselves in a weird place. Since the onus is on tech purveyors to lock things down, there’s not much individuals can do—except make it harder for hackers to target them and actually use that data. That’s why experts urge people not to frequent Heartbleed-vulnerable sites, and change their passwords across their various accounts.
This suggestion sounds reasonable; unfortunately, trying to remember every site, service and app you use and manually checking them, one by one, before changing logins is a tedious process. And, in itself, it’s prone to human error. After all, there’s bound to be some site or service you forget about.
Sure, you can go to extremes by locking everything down—you can even take yourself totally offline—but realistically, that’s not going to work for most of us. So let’s focus on the simpler things you can do with the biggest security payoff.
Step 1: Make A List Of Important Sites And Accounts
Start by corralling your top-priority accounts—anything that touches your financial or medical data, email and messaging accounts, online identities (including social media), or anything else you wouldn’t want strangers to access.
- The sites that come to mind first will likely be your most frequently used applications, which means they’re probably important to you in some way, so jot those down.
- Browse through your desktop and phone applications, and call out any apps or accounts that sync your data to the Internet. (Note: Intranets, VPNs and other proprietary cloud services may also be vulnerable, but you’ll want to follow administrators’ guidelines for that. Don’t include those in this list.)
- If you’re an Apple OS X user, look at the apps and sites listed in Keychain, which holds usernames and passwords. The Keychain is located in the Utilities folder within your Applications folder.
- If you use a password manager, take note of those accounts as well. (If you don’t use one, see below.)
- Parse your browser bookmarks, for Web accounts you access directly.
Basically you want to consider any app, Website or service that requires login credentials and goes to, or through, the Internet. Keep in mind that some store passwords and log you in automatically.
Step 2: Check Which Apps or Sites Are Vulnerable To Heartbleed
See also:7 Heartbleed Myths Debunked
Now that you’ve compiled your list of sites and services, you’ll need to check which accounts are actually vulnerable to this bug. Then you’ll go through and change passwords. It sounds straightforward, but it’s not, partially because there’s disagreement about how to actually do this.
Some experts say you should change all your passwords immediately. Emmanuel Schalit, chief executive of password management service Dashland, urged users to quickly change their passwords for all critical accounts—like banks, PayPal and email—and then change them again once those sites actually plugged the holes.
Others—like Rik Ferguson, vice president of security research at Trend Micro—advise holding off on changing passwords for affected sites until they’ve implemented the fix.
Ferguson tweeted that changing one’s password “while the vuln[erability] is probably under widespread exploitation isn’t a good suggestion,” adding, “Changing now increases your risk of exposure in the short term as the vuln[erability] is now public.”
The latter suggestion appears to be the predominant wisdom, but either way, it’s necessary to check each one of your important sites and note which are vulnerable to this bug. CNET offers an ongoing Heartbleed status list for popular sites, but there are other tools that can help:
- Browser users can install extensions like Chromebleed (Chrome) or Heartbleed-Ext (Firefox) or Netcraft (Chrome, Firefox, Opera), to see if sites they’re visiting are affected and get browser notifications.
- Android users can check on their device’s Heartbleed risk using Lookout’s Heartbleed Detector app, or use Bluebox Heartbleed Scanner to evaluate both the operating system and installed applications. There’s also a Heartbleed app for Windows Phone, though it’s simply a URL checker. Apple says iOS is not vulnerable to Heartbleed.
- Check URLs directly with an online Heartbleed checker, like the ones by Filippo Valsorda or LastPass.
For Android users, we may just be scratching the surface. According to Google, most gadgets that run its mobile operating system are safe from Heartbleed exploitation, except those that run Android 4.1.1. But Lookout claims that a few Android 4.2.2 devices could be affected.
A representative from the company, which compiled data from 100,000 of its app users, told me that 5.4% of users running 4.2.2 had the affected version of OpenSSL with Heartbeat—the specific extension that carries the Heartbleed flaw—enabled. These mobile devices could be running custom versions of the Android software, but for peace of mind, you can use Lookout or Bluebox’s mobile apps to check your handset.
Step 3: Change Your Passwords
The final step is changing your passwords for every site that’s no longer vulnerable to Heartbleed, especially those were initially at risk but have now patched the hole.
There are three common ways to deal with passwords, but the first two of these are incredibly insecure: Many create the same easy-to-memorize login for every site, or set different passwords and store them in a text file for easy access. But we recommend you keep your passwords diverse and store them all in a password manager.
Here’s what you need to bear in mind when changing passwords:
- For optimal security, you want long passwords with random numbers and punctuation.
- Passwords are more secure if there are no actual words in them.
- Vary your passwords for each account. Every single one of them.
- Can’t remember them all? Few could. So rely on password managers instead—that’s what they’re there for. In fact, not only can they store your logins, but they can suggest new ones, too, which would take care of all of the above.
There are plenty of password management apps and services—like LastPass, Dashlane, 1Password, Keeper, Roboform, Lookout and PasswordBox. They’re basically highly encrypted password vaults that work across different devices—whether iOS or Android, Windows or Mac. And most of these services feature password generators that can toss out different, hard-to-guess logins for every account. LastPass even has a Heartbleed checker built-in.
Note: If you’re a small business owner or running a team, you may need a more robust, collaborative password manager with administrative functions instead. In that case, something like Meldium or OneLogin may be up your alley.
You can change all of your passwords now, or only some, subtracting those services that are still vulnerable. Either way, you’ll still need to stay on top of the Heartbleed status for affected sites, so keep one or more of the tools listed above on hand. You’ll also want to keep your desktop and mobile apps updated so you always have the latest security updates.
Finally, if you haven’t done so before, activate multi-factor authentication wherever you can. It’s a secondary security protocol that usually involves sending a code or password to another device, like your smartphone, before allowing account access. On sites that offer it—including many online banking services, and email and social networks like Gmail, Twitter and Facebook—you can typically enable the feature from the settings page after you log in.
Unfortunately, even this extra layer of security isn’t foolproof. Nothing really is, though, short of shutting down our accounts and going totally offline. But even then, our information is often saved online in some way.
Although end users can’t fix this hole—it’s up to the Web’s architects to shore up the leaks in the Internet’s foundation—we can do more than just sit idly by. We can and should create more obstacles for the intruders who would exploit it.