True or False: The Heartbleed Bug is a Real Threat

April 11, 2014

By Gayle Carney, Principal and Owner, CCTS

It's true, Heartbleed is real. And the likelihood that you frequent a site that has been compromised is high. So what is the Heartbleed bug? What it's not is something you get, like a virus infection on your computer. Instead, it is a security vulnerability, or bug, on many websites we often visit—like Facebook, Google, and Dropbox. The bug can "leak data" such as usernames and passwords, credit card information, and even email messages to hackers as it is being transferred between you and web servers. Here is a list of affected sites maintained by Mashable. Although this bug has been around for the last two years, it has only come to light in the last two weeks or so.

Will the Heartbleed(ing) stop? The number of sites that still have this vulnerability is decreasing dramatically every day. Network engineers are working overtime to plug the holes in their systems. Talk to your organization’s IT support vendor about potential vulnerabilities in your systems. But once website owners fix their issues there is something each of us must do.

Change your passwords. UGH! While we can't go back in time and recapture all the sensitive data we spewed out over the internet in the last two years, we can at least change our passwords for sites that have made the fix. I've noticed that the passwords many people create fall into three danger zones: ridiculously simple, of the "abc123" or "birth date" variety; strong and complex, but impossible to recall under threat of physical harm; and one strong and memorable password, used repeatedly. Let's use this threat as an opportunity to put a good password system in place overall.

Making good passwords and remembering them

As internet hackers get more sophisticated, it's important to find an approach for creating and managing strong passwords that works for you, and to make time to implement it.

· Use different passwords on different sites to reduce your "hackability" factor. If one password is compromised, you'll limit the number of sites that could be affected.

· Longer = stronger. Security experts say long passwords are better than complex ones.

· Put a note on your calendar to change your passwords every few months. Require users in your organization to change passwords on a regular basis.

· Remember to change passwords when staff exit your organization.
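To show why "longer = stronger" holds, here is a small added example (not part of the original post) that compares the search space an attacker would have to cover for a short password drawn from many symbols against a longer one drawn from lowercase letters only. The alphabet sizes, lengths and guess rate are assumed for illustration.

```python
import math

# Assumed alphabet sizes for the comparison (not from the post).
PRINTABLE_ASCII = 95   # letters, digits and punctuation
LOWERCASE_ONLY = 26


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a password of `length` symbols chosen uniformly
    from `alphabet_size` symbols; an attacker must search about 2**bits guesses."""
    return length * math.log2(alphabet_size)


def years_to_search(bits: float, guesses_per_second: float) -> float:
    """Average time to find the password by brute force (half the keyspace)
    at the given offline guessing rate, expressed in years."""
    expected_guesses = (2 ** bits) / 2
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


def compare(short_len: int = 8, long_len: int = 16,
            guesses_per_second: float = 1e10) -> dict:
    """Compare an 8-character 'complex' password with a 16-character
    lowercase-only one; the guess rate is a constructed assumption."""
    short_bits = entropy_bits(PRINTABLE_ASCII, short_len)   # ~52.6 bits
    long_bits = entropy_bits(LOWERCASE_ONLY, long_len)      # ~75.2 bits
    return {
        "short_complex_bits": short_bits,
        "long_simple_bits": long_bits,
        "short_complex_years": years_to_search(short_bits, guesses_per_second),
        "long_simple_years": years_to_search(long_bits, guesses_per_second),
        "longer_is_stronger": long_bits > short_bits,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Each extra lowercase character adds about 4.7 bits, so length outpaces symbol variety quickly; the estimate assumes random choice, not a dictionary word with a digit appended.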

There are tons of suggestions for creating and managing strong passwords on the web. Here are just a few resources:

· How to make the best password ever

· Create a Password You Can Remember

· What not to do: The ten dumbest passwords ever

My next step is to begin using one of the recognized password manager systems that are available. It will keep all my passwords in one secure place, allow me to access them across devices, generate new passwords, and simplify my life. What will you do differently?

Gayle Carney, a resident of Baltimore City, is the Principal and Owner of CCTS. She and her team are committed to helping nonprofits implement technology tools and strategies in support of their missions.