What is heartbleed?
It has been a couple of weeks since the Heartbleed bug was announced and so far the world hasn’t ended. This post has been a long time coming. I have intended to write it since the vulnerability was announced, but unfortunately life got in the way and it has taken me this long to sit down and get it written. I wanted to write something that I could send to my friends that broke down what the issue was and how it affected them.
The Heartbleed bug opened a hole in the handshake that happens between two computers when they try to make a secure connection. That hole allowed the requesting computer to pull data out of the memory of the target server. That data could be anything: a web page the server had recently sent back, user names and passwords of users who had recently logged in, or, in a scarier case, credit card or banking details from someone who had just made a purchase. The worst part is that there is no way for the administrator of the target server to determine whether a hacker has exploited the Heartbleed bug. The other scary part is that it was around for roughly two years before it was discovered, and it was deployed on roughly 66% of the servers on the internet.
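As an added illustration (not code from this post, and a simplified model rather than OpenSSL’s actual source), here is the shape of the mistake in C: a heartbeat record carries a length field, the vulnerable handler copied that many bytes back without checking it against how many bytes had actually arrived, and the fixed handler drops any record whose claimed length does not fit. The record layout, the simulate helper and the “neighbouring” memory contents are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

/* Simplified heartbeat record (assumption, not OpenSSL's structures):
   type(1) | payload_length(2, big-endian) | payload | padding(16). */
#define HB_PADDING   16
#define REAL_PAYLOAD 4            /* the sender really supplied "ping" */
#define RECORD_LEN   (1 + 2 + REAL_PAYLOAD + HB_PADDING)
#define MEM_SIZE     64

static uint8_t g_out[MEM_SIZE];   /* what the handler would send back */

/* Lay out a constructed "process memory": the record, then unrelated
   data that a careless handler would echo back. Returns bytes written. */
static size_t build_memory(uint8_t *mem, uint16_t claimed_len) {
    static const char neighbour[] = "session=abc123; user=alice"; /* constructed */
    size_t n = 0;
    mem[n++] = 0x01;                       /* heartbeat request */
    mem[n++] = (uint8_t)(claimed_len >> 8);
    mem[n++] = (uint8_t)(claimed_len & 0xff);
    memcpy(mem + n, "ping", REAL_PAYLOAD); n += REAL_PAYLOAD;
    memset(mem + n, 0, HB_PADDING);        n += HB_PADDING;
    memcpy(mem + n, neighbour, sizeof neighbour - 1); n += sizeof neighbour - 1;
    return n;
}

/* Vulnerable shape: trusts the length field, so it copies whatever lies
   after the real payload. Clamped to MEM_SIZE only to keep the demo in bounds. */
static size_t heartbeat_vulnerable(const uint8_t *mem, size_t record_len, uint8_t *out) {
    size_t claimed = ((size_t)mem[1] << 8) | mem[2];
    (void)record_len;                      /* never consulted: that is the bug */
    if (claimed > MEM_SIZE - 3) claimed = MEM_SIZE - 3;
    memcpy(out, mem + 3, claimed);
    return claimed;
}

/* Hardened shape: the claimed length must fit inside the bytes actually
   received, otherwise the record is silently dropped (the logic of the fix). */
static size_t heartbeat_fixed(const uint8_t *mem, size_t record_len, uint8_t *out) {
    if (record_len < 1 + 2 + HB_PADDING) return 0;
    size_t claimed = ((size_t)mem[1] << 8) | mem[2];
    if (1 + 2 + claimed + HB_PADDING > record_len) return 0;
    memcpy(out, mem + 3, claimed);
    return claimed;
}

/* Run one handler against a record whose length field claims claimed_len;
   returns how many bytes it would send back (inspect them via simulated_output). */
size_t simulate(uint16_t claimed_len, int use_fix) {
    uint8_t mem[MEM_SIZE] = {0};
    build_memory(mem, claimed_len);
    memset(g_out, 0, sizeof g_out);
    return use_fix ? heartbeat_fixed(mem, RECORD_LEN, g_out)
                   : heartbeat_vulnerable(mem, RECORD_LEN, g_out);
}

const uint8_t *simulated_output(void) { return g_out; }
```

With an honest length of 4 both handlers return "ping"; with a claimed length of 40 the vulnerable handler also returns the padding and the neighbouring session data, while the fixed one returns nothing.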
So what should you do?
First, don’t panic. Even though the Heartbleed bug has been around for roughly two years, there does not seem to have been widespread exploitation of the vulnerability.
Second, don’t change your passwords just yet. You need to make sure the servers hosting your accounts have either been patched or were never vulnerable in the first place. These two sites have a pretty comprehensive list of sites and their status: CNET & Mashable. If the site you want to look up is not in that list, the popular password tool LastPass has published a website checker that lets you enter the domain name of the site in question and tells you whether it has been patched.
Third, once you have checked your sites and verified that they have either been patched or were never vulnerable, you can change your password. Here’s where it gets tricky…you really shouldn’t be using the same password on all your accounts…now is the perfect time to make them all different…seriously, stop laughing…I’m not joking. You really do need a different password for each of your accounts.
OK, so how do I have different passwords for each account?
First, go download Google Chrome and set it as your default browser.
Second, download this Google Chrome extension. The beauty of this extension is two-fold: it generates a password for you on the fly from the URL you enter and a master password (which can be the same for all accounts), and because the result is always the same for the same inputs, you can look the password up again each time you need it. There is a setting that lets you choose not to store your master password, which I would recommend. By not storing the master password you ensure that it can’t be stolen. Everything is done in the browser, so your password is not sent over the internet for someone to sniff either.