Heartbleed Bug

There has been much publicity in the last few days about the Heartbleed Bug.

What is it?

It’s not a virus or malware that can infect your computer. Rather, it is a vulnerability in the software used by many websites that are meant to be secure because they encrypt the data passing in and out (the address of a supposedly secure web page begins with https rather than plain http, and depending on your browser you will probably also see a padlock somewhere indicating that you are accessing a secure page).

The Result

The result of this vulnerability is that hackers can learn the usernames and passwords of people logging into the site as well as the content of the data passing between that user and the compromised website.

The Implications

The biggest implication that seems (rightly) to be getting most coverage is not the fact that you should change your password on sites that are known to have been hacked (such as Mumsnet), but that you should also change the password on any other logins that you have that use the same combination of username and password.

Think about it

If someone has just learned that you use a particular combination of username (that is probably also your email address) and password on one website, then they might try the same combination on other sites that you might use. They might try your bank, but I don’t think that your username and password will be enough credentials to do your online banking any harm. They could try your username and password on Amazon or they could see if you use those combinations for webmail (Gmail or Hotmail, for instance). If they can get into your email then they can try the old trick of sending emails to all your contacts, saying you’re in Spain and have been mugged and please send some money. If they’ve got into your email then that could give them access to goodness knows how much other information about you. They can then change the password on your account, locking you out.

So, it’s not just a case of changing your password on one website when that website has been compromised by Heartbleed. To protect yourself as much as you can, you need to change that password on every account that uses it with that username. This is one very good reason why you shouldn’t use the same password on different websites. Some websites and blogs are advising that you change ALL of your online passwords, irrespective of whether you have been advised that the site may have been hacked and irrespective of whether you use the same password on many sites. Personally, I think it unrealistic to think that anyone’s going to follow that advice, but I would definitely advise my computer support clients to change all instances of any password that has been used on a site known to have been compromised by Heartbleed.
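To make the rule above concrete, here is a small added audit script (my own illustration, not from the original post) that, given a list of saved logins and the sites known to be compromised, reports every username and password pair that is reused and every account whose password must therefore change. The account list is constructed sample data, not real credentials.

```python
"""Audit saved logins for reuse of the same username+password pair and list
the accounts that must change after one site is compromised."""
from collections import defaultdict

# Constructed sample data: (site, username, password). Not real credentials.
SAMPLE_ACCOUNTS = [
    ("mumsnet.example", "jo@example.com", "Summer2014!"),
    ("webmail.example", "jo@example.com", "Summer2014!"),
    ("shop.example", "jo@example.com", "Summer2014!"),
    ("bank.example", "jo.smith", "a-different-one"),
    ("forum.example", "jo@example.com", "unique-for-forum"),
]


def group_by_credentials(accounts):
    """Map each (username, password) pair to the list of sites using it."""
    groups = defaultdict(list)
    for site, username, password in accounts:
        groups[(username, password)].append(site)
    return groups


def reused_credentials(accounts):
    """Return only the pairs used on more than one site: these are the
    combinations an attacker who learns one login could try elsewhere."""
    return {pair: sites for pair, sites in group_by_credentials(accounts).items()
            if len(sites) > 1}


def accounts_to_change(accounts, compromised_sites):
    """Sites whose password must change: the compromised site itself plus
    every other site sharing the same username+password pair with it."""
    to_change = set()
    for sites in group_by_credentials(accounts).values():
        if any(site in compromised_sites for site in sites):
            to_change.update(sites)
    return sorted(to_change)


if __name__ == "__main__":
    for (user, _), sites in reused_credentials(SAMPLE_ACCOUNTS).items():
        print(f"{user}: same password reused on {', '.join(sites)}")
    print("Change now:", accounts_to_change(SAMPLE_ACCOUNTS, {"mumsnet.example"}))
```

Note that the bank and forum logins are left alone because their passwords are not shared with the compromised site, which is exactly the benefit of not reusing passwords.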

Since this bug was discovered, vulnerable sites have, of course, been applying the necessary patches to close the vulnerability, so by the time you read this it’s not likely that very many major websites will still be vulnerable. That does not mean we are all safe and can forget about it! How many sites have been attacked but the owners haven’t advised their members? How many sites have been attacked but the owners haven’t yet realised? How long before the bad guys find another, similar, vulnerability?

Like anyone else who writes – or talks – about the subject of passwords, I have always warned people not to use the same password wherever they go. I’m not going to repeat what I’ve said in previous blogs on the subject, but here are the links:

Personally, I manage passwords with a program called eWallet Go. It is available for Android, iOS, Windows, and Mac. This solution won’t suit everyone, as not everyone is prepared to use the cloud to store a data file of passwords (encrypted, of course).

Another program that’s been around for a long time is LastPass. This is so called because the publishers say that your password for accessing your password data will be the “last password” that you’ll ever need. This program does other things as well, including generating strong, safe passwords for you.

If you really don’t want to commit your password information to a digital file (whether held in the cloud or not), then I do urge you to write down your passwords manually – all in the same place and where you can find them. Apart from anything else, that will make it easier to go through your passwords systematically, changing any repetitions so as to minimise the vulnerability to the Heartbleed bug and anything similar that might crop up in the future.

Here is everything you need to know about Heartbleed from the BBC and from Codenomicon (who discovered the bug).