By James Fallows
[Please see important UPDATE in a newer post, and repeated at the bottom of this post.] Most flaps about scary new Internet bugs are just typical scary Internet flaps. This latest one, the Heartbleed bug, I am taking seriously. Potentially it means that username/ password combos for the sites everyone considered secure have in fact been hacked and stolen.
[Update: Just this second, I see that Bruce Schneier has declared the bug “catastrophic.” Consider yourself warned. Schneier adds:”On the scale of 1 to 10, this is an 11.” He has no track record as an alarmist.]
Simplest way to understand the problem: one of the protocols that many sites use to protect their own security, known as OpenSSL (for Secure Socket Layers), itself has a previously unknown bug. That bug, in place for the past two years, could in theory allow an attacker to harvest large numbers of name/password info from sites believed to be perfectly safe. Because exploitation of the bug would have left no trace, no one (except a potential hacker) yet knows how many names have been taken, or from where.
A patched OpenSSL version exists and is being deployed. Until then, what should you do? Here’s a five-point checklist, followed by explanations.
- Change the passwords for the handful of sites that really matter to you. I’ll explain how you can do this in a total of ten minutes or less. This probably isn’t necessary, but just in case…
- Do not ever use the same password at two sites that matter to you. Ever. Heartbleed or not, this lowers the security level of any site with that password to the level of the sleaziest and least-secure site where you’ve ever used it.
- Use a password manager, which can generate an unlimited set of unique, “difficult” passwords and remember them for you.
- Use “two-step” sign-in processes wherever they’re available, starting with Gmail.
- Read what happened in our family three years ago, when one of our Gmail accounts was taken over by someone in Africa, if you would like a real-world demonstration of why you should take these warnings seriously. It’s from an article called “Hacked.”
That’s the action plan. Now the details.
What I am personally doing about Heartbleed, and why.
– I am changing my password for a handful of “important” sites. My finance-related sites: bank accounts, credit cards, mortgage-payment, investment accounts. The email accounts I actually use, three of them in total and all Gmail-based. Plus all social-media accounts. Even though on most of these accounts I am dormant rather than active, I’d rather not have someone take over the account and cause problems in that way. (UPDATE: In response to questions, you would need to do this again once the OpenSSL patch has been distributed. Nonetheless it seems worth doing even now, even given the possibility that a site is still vulnerable and could have the changed info intercepted, because otherwise you’re exposed to any info collected over the past two years.)
– I am abiding by the watchword of never using the same password on two accounts that matter. Whoever is in charge of security at, say, HottestCheerleadersPlusCheapMedicineFromThailand.com (not an actual site I have visited) might not know how to protect against hacks, or might even dishonestly sell its user info to hackers. They could then blindly try the combos elsewhere.
– I am making all this easy on myself by using a password manager. The one I have used and liked for several years is LastPass, which was also the top choice in this recent PC Mag review. You can read reviews of a wide range of alternatives here and here. The idea behind all of them is that they store a vast range of passwords you could not possibly remember yourself; they automatically fill them in for your sites; and they have a range of very tough security measures to protect this precious central vault. In well under 1 minute per site, I can have Last Pass generate a new, “difficult,” never-before-used password for important sites — let’s say u!YKhtAs7xQA , though that’s not a real one — and set my systems up to use that automatically.
For now I’m not getting into the conceptual question of whether one centralized site is theoretically more vulnerable than the “distributed” approach of trying to manage this all on your own. In reality, I’m convinced that it’s better, and safer than the alternative of trying to manage a who list of passwords on your own. (For instance, you can read Last Pass’s explanation of how it does encryption right on each user’s computer, not at the central site, so that even someone who got the main controls wouldn’t know your passwords.) The only password I keep in my mind is the very long password for Last Pass itself. It’s so long that it could never be cracked by brute force, much as no one will win Warren Buffett’s billion-dollar bet on the NCAA tournament. But it’s very easy for me to remember, because it’s a long passage I can reel off by heart.
— I am using two-step sign-in processes for every system that allows them, and you should too. Gmail does this, and in fact pioneered this as a free feature for mass, non-commercial users. Last Pass itself does too. How this works: In certain circumstances, logging in requires not simply your password but an extra, real-time code that is sent to or generated by your mobile phone or other device. What it means: For all practical purposes, someone cannot take over your account from afar. Since so many destructive scams and hacks are carried out remotely — from Russia, China, West Africa, Israel, the Stans, you name it — this is the easiest possible protection you can take against a very broad category of attack.
Two-step systems can be mildly inconvenient, but a lot of that has been buffed away. For instance, you can set Gmail so that it doesn’t need the second password as long as you are using your own computer or cell-phone. For more details, see this and this.
More as the story develops. The point for now: none of us can do anything about larger architectural questions of security, surveillance, vulnerability, and so on for the Internet. But along the spectrum of what that architecture makes possible, we can make ourselves less rather than more vulnerable. These steps will help.
Update: Via Bruce Schneier, it is very much worth checking out this test site, to see whether a site you deal with frequently has been repaired to avoid the SSL bug. For instance, here — fortunately — is what you would see for the Atlantic’s site:
In theory, changing a password on a not-yet-fixed site could create new vulnerability, if a hacker has just decided to start watching it today. In practice, most of the people I have checked with say it’s worth doing, because otherwise you’re exposed to anything captured within the past two years. Then, when a site becomes safe — as shown above — it certainly makes sense to change the password. For further explanation, see this follow-on post.