The Heartbleed security bug has left up to two-thirds of the internet vulnerable. The bug allows attackers to steal user names and passwords. Even popular sites like Google and Yahoo! were affected, though they’ve since patched the vulnerability.
While you can’t stop hackers from attacking websites, you can take steps to protect your information. The first line of defense is to create secure and unique passwords for every site and service you use. The problem is, how are you supposed to remember all of these passwords? The answer is with password managers.
What’s a password manager?
Password managers are programs that generate, store, and encrypt all your passwords. You’ll just need to remember one, strong master password to get into your password database.
By creating a unique, randomized password of letters, numbers, and symbols for each account, you limit the damage if any one password is stolen. If you reuse passwords and your Facebook account gets hacked, the hacker can easily access your other accounts that use the same password.
Weak passwords with just letters and numbers are vulnerable to brute-force attacks. Short passwords make these types of attacks even easier.
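As an added illustration (not code from the article or from either password manager), here is how a manager generates a password from the operating system's cryptographic random source and how the length and alphabet translate into brute-force cost; the character classes and the 20-character default are assumptions for the example:

```python
import math
import secrets
import string

# Character classes a manager can draw from (illustrative set, assumed here).
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"


def generate_password(length=20, symbols=True):
    """Generate a random password with the OS CSPRNG (secrets), never random.random().

    Resamples until at least one character from every enabled class is present,
    which keeps the output uniform over the accepted set.
    """
    classes = [LOWER, UPPER, DIGITS] + ([SYMBOLS] if symbols else [])
    if length < len(classes):
        raise ValueError("length too short for the requested character classes")
    alphabet = "".join(classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw


def entropy_bits(length, alphabet_size):
    """Bits of entropy of a uniformly random password: length * log2(alphabet size).

    Each extra bit doubles the number of guesses an attacker must try on average.
    """
    return length * math.log2(alphabet_size)


def guesses_to_exhaust(length, alphabet_size):
    """Size of the search space a brute-force attack has to cover in the worst case."""
    return alphabet_size ** length


if __name__ == "__main__":
    full = len(LOWER + UPPER + DIGITS + SYMBOLS)  # 87 characters
    print("8 chars, letters+digits  :", round(entropy_bits(8, 36), 1), "bits")
    print("12 chars, letters+digits :", round(entropy_bits(12, 36), 1), "bits")
    print("20 chars, full alphabet  :", round(entropy_bits(20, full), 1), "bits")
    print("example:", generate_password())
```

The entropy figures are what make the article's point concrete: an 8-character password from a 36-character alphabet has about 41 bits, while a 20-character one with symbols has about 129 bits, roughly 2^88 times as many possibilities.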
But what if someone steals my master password?
This is highly unlikely, and password managers make it difficult for attackers to crack your master password. We spoke with Jeffrey Goldberg, Defender Against the Dark Arts (that’s really his title) at 1Password, about how the app protects master passwords. “Your 1Password data is encrypted with keys derived from your Master Password. Nobody has any access to those keys or your Master Password. If someone captures your 1Password data, they cannot decrypt it without your Master Password.”
This is the same case with LastPass. Although LastPass syncs your password database with its servers, it doesn’t send or store any encryption keys. All encryption keys are derived from your master password and stored locally on your computer or device.
“We use SSL only as a second level of protection. Our core protection is from storing keys locally,” says LastPass CEO Joe Siegrist.
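To make the quoted design concrete, here is an added example (my own code, not 1Password's or LastPass's) of the pattern both vendors describe: the encryption key is derived from the master password on the device, and the record that gets stored or synced holds only a salt, an iteration count, and a verifier tag from which the key cannot be recovered. The iteration count and the constant used for the verifier are assumptions; a real manager would use the derived key with an authenticated cipher such as AES-GCM to encrypt the vault contents, which is left out because Python's standard library has no AES.

```python
import hashlib
import hmac
import os

# Illustrative parameters, not either vendor's real settings.
ITERATIONS = 200_000
KEY_LEN = 32
CHECK_MSG = b"vault-key-check"  # fixed message used only to produce a key verifier


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into an encryption key with PBKDF2-HMAC-SHA256.

    The salt makes precomputed tables useless; the iteration count makes every
    guess at the master password expensive for an attacker who has the record.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, KEY_LEN
    )


def key_verifier(key: bytes) -> bytes:
    """HMAC over a fixed message: lets the client confirm it derived the right key
    without storing the key itself. The key cannot be recovered from this tag."""
    return hmac.new(key, CHECK_MSG, "sha256").digest()


def create_vault(master_password: str) -> dict:
    """Build the record that is safe to keep on disk or sync to a server.

    Note what is absent: neither the master password nor the derived key is in it.
    """
    salt = os.urandom(16)
    key = derive_key(master_password, salt)
    return {"salt": salt, "iterations": ITERATIONS, "verifier": key_verifier(key)}


def unlock_vault(record: dict, master_password: str):
    """Re-derive the key from the entered password; return it only if the verifier matches.

    Uses a constant-time comparison so timing does not leak how close a guess was.
    """
    key = derive_key(master_password, record["salt"], record["iterations"])
    if hmac.compare_digest(key_verifier(key), record["verifier"]):
        return key
    return None


if __name__ == "__main__":
    record = create_vault("correct horse battery staple")  # sample password, constructed
    print("synced record keys:", sorted(record))            # salt, iterations, verifier
    print("right password unlocks:", unlock_vault(record, "correct horse battery staple") is not None)
    print("wrong password unlocks:", unlock_vault(record, "wrong") is not None)
```

Someone who captures the record gets exactly what Goldberg and Siegrist describe: data that is useless without the master password, where each guess costs a full PBKDF2 run.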
Do I really need to change all my passwords?
First, check which sites you use that were affected by Heartbleed, and make sure they’ve been patched. Mashable has a great list of popular sites and their reactions to Heartbleed. Make sure a site has fixed the Heartbleed bug before you change your password, otherwise you risk having your new password exposed as well. Although there have been reports that Heartbleed may be exaggerated, there’s no harm in being just a bit paranoid.
Cloudflare, a content delivery network, proposed a challenge for people to steal private keys using a site with the Heartbleed bug. Within hours, several people were successful in exploiting the bug to steal private encryption keys, meaning the threat is very real.
“[Heartbleed] is not an exaggeration,” says Siegrist. “Cloudflare has proven that it is exploitable. It’s quite possible that usernames and passwords were taken.”
Changing passwords with a password manager is easy; the apps will remember the new passwords and store them for you. LastPass makes it even easier by alerting users which sites and accounts were vulnerable to the Heartbleed bug. They have a public website where you can type in URLs to check if they were affected. Mashable has compiled a great list of company responses to Heartbleed.
While there are no tools yet to automate changing passwords, both 1Password and LastPass are working on this feature.
“You still have to find the password change form yourself and then let 1Password assist you with creating and saving a new strong login. Improving this process is something that we’re always doing,” says Goldberg.
Still, a little bit of work now can prevent a big headache in the future.
What else can I do to protect myself?
Password managers are the first step you should take to protect your accounts. Be vigilant about security news and pay attention to the websites you visit.
Phishing attacks, which use websites built to trick users into thinking they are on a different, legitimate site, are a popular way to steal user data. Never click on suspicious links sent to you via email or over chat.
Password managers can help in this regard as well by taking users directly to the correct site. Sometimes, the smallest typo in a web address can take you to a phishing site, and you may not notice.
“People should try to take SSL/TLS warnings in their browsers more seriously,” says Goldberg. The lock in the URL bar of modern browsers shows that the connection to the site is encrypted and that its certificate checks out. Most browsers will warn you if you’re visiting a dangerous site, but awareness never hurts.
You should also enable two-factor authentication on sites and services that support it. Two-factor authentication requires two forms of identification: your password and a one-time code. Once you enter your password, you’ll be asked for the code, which can be sent to you via SMS or generated by an authenticator app like Google Authenticator. Each code only works for a small window of time before it expires.
Facebook, Google, Twitter, Evernote, and many other companies provide this extra layer of security. It may be a bit more work to get into your account, but it’s worth it to keep your accounts secure.
Finally, make sure to keep all of your computers, phones, and tablets updated. Security flaws are often patched in system and software updates.
For more information about Heartbleed and how you can protect yourself, check out our coverage below.