Heartbleed: still not sure what it is or what you need to do?

By now I’m sure you’ve heard about the Heartbleed security flaw that has taken over every tech blog and news source. Is it a big deal? Sort of. I mean, nothing has happened yet that we’re aware of. We’re not sure if anything will happen, apart from forcing every website to do a security audit and users learning a lot more about security best practices. In other words, so far we only have a silver lining. We may find out more later, but right now there is no evidence that any information was compromised. Most major websites were extremely prompt in updating their software; many even updated before this bug became public knowledge.

An analogy, if you don’t understand what is happening: Someone left a door unlocked. Someone else discovered that the door was unlocked and immediately notified the appropriate people. The door was then locked, and even though there is no evidence that anyone used the door while it was unlocked, an announcement has been made to check your belongings just in case. Now we are reminded that we can’t always trust doors to be locked when they should be, and that we should have been more careful all along.

Here is what I’m recommending to my clients:

  1. Don’t panic. This isn’t the apocalypse. It’s just a wakeup call.
  2. It’s probably a good idea to change your passwords for anything you use frequently or for anything extra sensitive, such as financial services. For websites that weren’t affected by the Heartbleed bug, you should still change your password if you use that same password elsewhere. For example, Apple was not affected, but if you use your Apple ID password on another site that was, there is a possibility that attackers have your password and could try it on other services. Mashable has a great guide on which services were affected.
  3. Enable 2-factor authentication where possible. This adds an extra step when you’re logging in, but it’s extremely secure. Many services offer this option, which requires more than a password to log in. Lifehacker has a great rundown on what 2-factor authentication is and which popular sites support it. Twofactorauth.org has a more complete list.
  4. Start managing your passwords. You can do this many ways: pen and paper, iCloud Keychain, LastPass, or my favorite (which happens to be running a half-price Heartbleed sale right now): 1Password (Mac, iOS). Which one you choose will depend on your needs, your security requirements, and your budget. But considering how costly and painful it is to have your identity stolen, any solution is a bargain.
  5. Use a different password for every website. A software password manager will make this much easier.
  6. Keep an eye on your credit cards and bank accounts. You do this already, right? Some bank apps have an option to send you a push notification every time your card is used. If you use American Express, visit this link from your iPhone to have an AmEx Passbook card added to your iPhone, which shows you your current balance and will notify you of each transaction.
  7. Read this nerdy comic for a great password idea.
  8. Read this nerdy comic if you want to understand what Heartbleed is.