What to do about Heartbleed
I could write an extremely long post about the OpenSSL security flaw known as Heartbleed, but I won't. Instead I am going to make it very simple for people who really don't care about the details but want to know what they need to do about it. Here are a few easy steps for you to follow:
- Identify all of the websites or online accounts (even the ones you only access from an app on your phone or tablet) that contain information you want to protect...I know, that's like ALL of them. These are all accounts that you will eventually need to change your passwords on.
- Start going down that list (starting with your most critical account 1st like your bank accounts) and test each site to see if it is still vulnerable. You can cut and past the secure URL from the site into a tool like this one and it will tell you whether the site is vulnerable. Keep in mind, this tool doesn't tell you if the site ever had the security flaw or not. You won't know that unless the company or organization behind the site tells you so. Don't rely on them to do this. Assume all of the sites you have accounts on were vulnerable at one time and use this tool to check if it is safe to access the site now.
- This is the most important step!!! Do some digging on the website in question. Look to see if they have a blog or a news or announcements page. Check their Support or FAQ pages. You are looking to see if they have posted something about whether they had to patch their site or not. Why is this important? Because sometimes even though they have patched the site and the tool in step 2 says the site is secure it still may not be safe to reset your password. For example, one of my banks has patched their site but they are still in the process of updating their mobile apps. Until they complete the patches with the mobile apps they can't completely fix all of the vulnerabilities to their system. So if you were to change your password before everything is patched you are potentially giving the bad guys another opportunity to steal your data. Many websites/companies are not going to tell you if they were or were or were not vulnerable, but for those that do... pay attention to what they are saying. Wait until they are completely done patching their system before changing your password.
- If step 2 above shows the site is secure and you don't find any information in step 3 that says they are still patching the website then go ahead and change your password on that site.
- Repeat for all of the websites or online accounts you identified in step 1.
I use a software package called 1Password to store all of my passwords. What I have done is I have gone through every single password I have in that tool and identified all of the accounts that I am concerned about someone getting a hold of information from. I created a folder within 1Password called "Critical Unpatched". These are all of the passwords that I know I eventually need to change. I will now start going through that list within the next several days (starting with my bank accounts and credit cards accounts 1st) and following steps 1-5 above. Each time I am able to change a password to one of the sites I put in this folder I then remove it from the folder so I know I no longer need to change the password to that account. You can do something similar with just about any kind of password system you may have (even if you write your passwords on a sticky note...please tell me you don't store your passwords on a sticky note!).
I hope that helped. There is a lot of buzz about this security flaw out there. This one appears to be pretty serious so you really should follow the steps I outlined above and protect yourself.