Imagine leaving your safe deposit box---filled with private documents, important papers and financial information---unlocked. Sounds like a nightmare, doesn't it? This is exactly what's happened to countless Internet users because of a security hole called Heartbleed. We want to give you a little bit of background on Heartbleed as well as provide you with tools you can use to evaluate the login credentials you use and to create stronger personal and business passwords.
What is Heartbleed?
Mashable sums it up this way:
“Heartbleed is a bug in the code running on the servers of millions of websites. It leaves open a hole that allows hackers to get in and around the encryption between you and the site. This means that the information stored on the servers, and passed between you, could be stolen.”
It's important to note that the bug was discovered by Google's security team and a firm called Codenomicon, and it's believed that attackers did not know about the bug before it was disclosed. Think about it this way: in the safe deposit box analogy above, the box (your personal information) was left exposed, but it's not believed that any of the information was actually taken. Nonetheless, you still need to change your passwords.
What websites were affected?
OpenSSL, the software library in which the Heartbleed bug exists, is used on an estimated 66 percent of the web, so there's a good chance that at least a few of the websites you visit were affected, including Google/Gmail, Yahoo, Instagram, and Pinterest. According to the Heartbleed website, “Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL.” Here is a good website that lists many of the affected websites along with some popular websites that weren't hit. The web browser Chrome also has an extension called Chromebleed that tells you whether the website you're visiting is on the “Heartbleed hit list.”
So, how secure is your password?
Chances are, it’s not secure at all. Wordpress says it like this:
“The most common advice you’ll hear about creating a strong password today is very outdated and impractical. A password created with that advice, like jal43#Koo%a, is very easy for a computer to break and very difficult for a human to remember and type. The latest and most effective types of password attacks can attempt up to 350 billion guesses per second, and that number will no doubt increase significantly over the next few years. Creating a strong password today requires modern techniques.”
This comic makes the same point: passwords that are hard for a human to remember but easy for a computer to guess just don't work. So, what does work?
What does a secure password look like?
Let’s get this out of the way: there’s no failsafe password. There’s an inherent risk in using the internet, but, thankfully, there are methods you can use to protect your sensitive information that are proven to work really well. Here are two secure password “modern methods” mentioned in the Wordpress article quoted above: using a password manager and using a passphrase instead of a password.
Using a password manager:
A password manager stores your credentials for all the websites you use and helps you automatically log in to them. Password managers encrypt your password database with a master password---that master password is the only one you have to remember. The software will automatically create unique, complex passwords (like this: N8!BmW!A8$6a23jk%sdf2354#*x4]sa+f423@) and use them to log you in, but you won't have to remember them.
Password management software is available at all price points and with basic and advanced features. Here’s a list of password management software available---you can also Google “password management software” and find other options. (If you do this, just be sure you do your research and find a reputable company.)
Follow the instructions that come with your software to ensure you’re using it properly and keeping your sensitive information as secure as possible.
Using a passphrase:
Next to password managers, passphrases are the best way to create secure passwords. If you can’t use a password manager, you definitely need to use passphrases. A passphrase uses four unrelated words with additional characters and spaces to create a more complex, harder-to-guess password. This Wordpress article does a great job of explaining what a passphrase is and teaching you how to create one.
Just keep these three things in mind:
Mix it up. Don’t use a predictable pattern (like a sentence) for your phrase.
Don’t use your personal information, like names, addresses, phone numbers or things that could be researched online. And never use your social security number.
Don’t use published phrases. Book titles, song lyrics, funny quotes, etc. are all bad and easily guessable.
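As an added example (not from this article or the Wordpress post it quotes), the script below builds a passphrase from unrelated words using Python's CSPRNG and scores it against the 350-billion-guesses-per-second rate quoted above, so you can see how strength grows with each extra word and how a manager-generated string compares. The wordlist is a constructed toy; the 7776 figure assumes a Diceware-sized list, and 94 assumes the printable ASCII alphabet.

```python
import math
import secrets

# Attack rate quoted in the article above: 350 billion guesses per second.
GUESSES_PER_SECOND = 350e9

# Constructed toy wordlist for the demo; in practice use a real list such as
# a Diceware list (7776 words). Strength depends only on the list size.
TOY_WORDLIST = ["correct", "horse", "battery", "staple", "glacier", "pancake",
                "violin", "comet", "lantern", "marble", "orchard", "saddle"]

def make_passphrase(wordlist, n_words=4, separator=" "):
    """Draw n words independently with the CSPRNG so they are truly unrelated."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))

def passphrase_bits(wordlist_size, n_words):
    """Entropy of n uniformly chosen words: each word adds log2(list size) bits."""
    return n_words * math.log2(wordlist_size)

def random_string_bits(length, alphabet_size=94):
    """Entropy of a manager-generated string over the printable ASCII set."""
    return length * math.log2(alphabet_size)

def expected_crack_seconds(bits, rate=GUESSES_PER_SECOND):
    """On average an attacker searches half the keyspace before hitting it."""
    return 2 ** bits / 2 / rate

def human_duration(seconds):
    """Render a time in the largest sensible unit for a quick comparison."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

def strength_report(bits):
    """Bits of entropy plus expected crack time at the article's guess rate."""
    return {"bits": round(bits, 1),
            "crack_time": human_duration(expected_crack_seconds(bits))}

if __name__ == "__main__":
    print("sample passphrase:", make_passphrase(TOY_WORDLIST))
    for n in (4, 5, 6):  # words drawn from a 7776-word list
        print(f"{n} words:", strength_report(passphrase_bits(7776, n)))
    # The 37-character manager-generated password shown in the article
    print("37 random chars:", strength_report(random_string_bits(37)))
```

Each added word multiplies the expected crack time by the size of the wordlist, which is why adding a fifth or sixth word, or the extra characters the article recommends, matters far more than swapping letters for symbols.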
Whether you use a password manager or passphrases, follow these guidelines:
Never use a password twice.
Don’t email, text, or otherwise share your passwords.
Don’t let internet browsers “remember” your password, whether you’re on a public computer or even on your personal laptop.
Don’t write down your passwords. If you must, store them in a safe, secure place, like a safe or bank deposit box.
We know you do everything you can to help your business succeed. By taking a few extra steps to secure your password, you’ll have the peace of mind of knowing your business and personal accounts are in good hands---yours!