What to do about Heartbleed

[Screenshot: what Google Authenticator looks like on Android]

It has recently come to light that there is a critical flaw in OpenSSL, the library that secures a large share of the internet, known as the "Heartbleed Bug" (CVE-2014-0160). A bug in OpenSSL's handling of the TLS heartbeat extension lets an attacker read chunks of a vulnerable server's memory, which can include users' passwords, session cookies and even the server's private key. Most people will want to take steps to protect their various online accounts from this flaw, and that generally means giving yourself a password and security audit. One caveat before you start: changing your password on a site that has not yet patched OpenSSL and replaced its certificate does no good, because the new password can be stolen the same way the old one was. Check whether the site has announced that it is fixed first, then work through the steps below.

First steps

Change the passwords on your important accounts

These include your bank(s), social media accounts, and most importantly your personal email account. Use a unique password for each: attackers know most people reuse one or two passwords, and once a password leaks from one site they try it on every other site you might use (so-called credential stuffing). Currently it's best to use a long phrase of semi-random words for your password, like "MonsterBatteriesJumpShip". They're fun to make, easy to remember, and hard to guess, as long as the words really are picked at random rather than being a familiar quotation or song lyric. Tip: use this site to see just how secure your password is, but test a password of the same shape rather than the one you actually use; never type a real password into a third-party site.
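A passphrase generator of the kind the paragraph above recommends, as an added example (not code from the original post): it picks words with a cryptographic random source and shows how the strength of a word-based password compares with a random 12-character one. The word list is a constructed sample; only its size matters for the arithmetic, and a real generator would use a published list of several thousand words.

```python
import math
import secrets

# Constructed sample word list. Strength depends on the SIZE of the list and the
# number of words drawn, not on how exotic the words are.
WORDS = [
    "monster", "battery", "jump", "ship", "copper", "lantern", "orbit", "velvet",
    "glacier", "pepper", "hammer", "meadow", "rocket", "saddle", "tulip", "walrus",
    "anchor", "basket", "cactus", "dragon", "ember", "falcon", "garnet", "harbor",
    "island", "jigsaw", "kettle", "lemon", "magnet", "needle", "otter", "pixel",
]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a secret of `length` symbols, each drawn uniformly from
    `alphabet_size` possibilities; this is log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def generate_passphrase(words, count: int = 4, sep: str = "") -> str:
    """Draw `count` words with the `secrets` CSPRNG (never the `random` module,
    whose output is predictable). Capitalising each word only helps readability."""
    return sep.join(secrets.choice(words).capitalize() for _ in range(count))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every possibility at a given offline guess rate.
    1e10/s is a plausible figure for a GPU rig against a fast unsalted hash."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Same comparison as a 12-character mixed-case alphanumeric password versus
    # five words from a 42,869-word list.
    chars = entropy_bits(62, 12)
    words = entropy_bits(42869, 5)
    print(f"62^12   -> {chars:5.1f} bits, ~{years_to_exhaust(chars):,.0f} years")
    print(f"42869^5 -> {words:5.1f} bits, ~{years_to_exhaust(words):,.0f} years")
    print("sample from the small demo list:", generate_passphrase(WORDS))
```

Note that four words from the 32-word demo list give only 20 bits; the point of the comparison is that a list of tens of thousands of words, with the words chosen at random, beats a random character password of typical length while staying memorable.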

Monitor your accounts for suspicious activity

Check to make sure there aren't unauthorized transactions on your credit cards, mysterious withdrawals from your bank, spam sent to people in your email contacts, or posts made to Twitter or Facebook that you didn't make. The sooner you catch something, the easier it is to put right when you contact customer support.

The second factor

Many internet sites now offer what is called "two factor authentication" or "two step verification". In a nutshell, if you enable it, you'll need both your password and your mobile phone to sign in, so a password stolen through Heartbleed (or any other leak) is not enough on its own. This is more secure than having just a single password.
We published a guide on enabling two factor authentication in Google. Other services also use two-factor authentication, and many of them support the Google Authenticator app, so you can keep all of your second-factor codes in one place. The app generates its six-digit codes offline from a secret shared with the site when you enrol, using the open TOTP standard, so it works even without a signal.

Two factor authentication is probably the biggest step you can take to protect your data, because if a bad guy gets into your email, they can then use the “forgot my password” feature to reset the passwords on your other accounts and then wreak havoc.
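How the codes in a Google Authenticator-style app are actually derived, as an added example (not code from the original post, and not Google's code): it implements the open HOTP and TOTP standards (RFC 4226 and RFC 6238) that such apps follow, plus the check a site performs on the server side. The function names are the example's own; the only secret used is the RFC test vector, which is public.

```python
import base64
import hashlib
import hmac
import struct
import time


def _decode_secret(secret_b32: str) -> bytes:
    """Authenticator apps display the shared secret as base32, often grouped
    with spaces and without '=' padding; normalise it before decoding."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then modulo 10**digits with leading zeros kept."""
    mac = hmac.new(_decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at=None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238) is HOTP with counter = floor(unix_time / step).
    Both phone and server derive the same code from the same secret and clock."""
    if at is None:
        at = time.time()
    return hotp(secret_b32, int(at) // step, digits)


def verify_totp(secret_b32: str, submitted: str, at=None, step: int = 30, window: int = 1) -> bool:
    """Server-side check. Accept the current step plus/minus `window` steps to
    tolerate clock drift, and compare in constant time so response timing does
    not reveal how many digits matched."""
    if at is None:
        at = time.time()
    counter = int(at) // step
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + delta), submitted)
        for delta in range(-window, window + 1)
    )


# The RFC 4226 / RFC 6238 test secret is the ASCII string "12345678901234567890";
# in base32, as an app would show it, that is GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ.
RFC_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print(totp(RFC_TEST_SECRET, at=59))   # RFC 6238 vector for T=59, 6-digit form
    print(totp(RFC_TEST_SECRET))          # what the phone would show right now
```

A real server must also record which code was last accepted and refuse to accept it again within the same step, otherwise a code observed once (for example by a phishing page) can be replayed until the step expires.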

Comments

  1. Straight_Man

    Thanks, Bandrick! This security review type thing is a good idea to do every so often, routinely, these days.

  2. ardichoke

    Useful password tools:

    KeePass - Easy to use, extensible password database. Just make sure you back your password database up in a secure fashion (I suggest SpiderOak, which has the convenient ability to also sync your database to your other devices)

    LastPass - Like KeePass, but in the cloud. Has added risk because it's cloudified, but does offer 2-factor authentication which is nice.

    1Password - Similar to LastPass, not personally familiar with it, but I know many people swear by it.

    If you don't really really REALLY HAVE to be able to log into an account from memory (and let's be honest, most people don't need to for 99% of the sites they have accounts at), then you should be using one of the above to generate very long, completely random passwords. Just make sure you use a solid, secure password to secure your database. Also, 2-factor.

  3. CB

    Last time I looked into using a password keeper, it didn't look any easier or more intuitive than just keeping a password-protected spreadsheet o' passwords. Have they come along since then?

  4. Straight_Man

    KeePass generates passwords, so if a site lets you, you can copy-paste generated random and long complex passwords into a password changer form on the site.

    McAfee sent me an email about Heartbleed, and they said to change passwords often.

    EDIT: Keepass is pretty intuitive also.

  5. BobbyDigi

    +1 for KeePass. I don't even know the passwords to my accounts. Double-click to copy and then paste the u/p and logged on I go.

    -Digi

  6. primesuspect

    The problem I have with non-memorizable passwords (the kind that Lastpass generates that look like Z3jf0fgk89SDjm3m, etc.) is that I feel like not having ultimate control over important passwords is unsettling... I NEED to be able to memorize my passwords for my own peace of mind. Ultimately, I want the keys to the kingdom to be in my head, not saved in some encrypted database that I may lose access to one day.

  7. Tushon

    You can choose to use the "make pronounceable" option in LastPass (under advanced options when generating a password), but good luck memorizing unique passwords for every site.

  8. Myrmidon

    @Annes the only trouble with that XKCD comic is the use of dictionaries and brute force crackers - if someone manages to steal a hashed password list, they'll use a list of well-known words (and substitutions!) to try and match the hash.

    To stop dictionaries, add a symbol or two. And put it in a weird spot, i.e. Ba*tery is better than B@ttery, because some dictionaries will have additional words in 1337speak... and nobody substitutes a * for a t in 1337speak.

  9. primesuspect

    So far, I've been able to do it all these years.

  10. Annes

    Can't we all just use easy-to-remember passphrases? Is this XKCD wrong? (not sarcasm, legitimate question.)

  11. Tushon

    You can, but there is the issue of the password security policy allowing that (length, spaces, non-numbers, etc) and you still need lots of different combos. I'm bad at remembering them, so I just trust the strong one for LastPass and let it fill in everything else.

  12. ardichoke

    @primesuspect said:
    The problem I have with non-memorizable passwords (the kind that Lastpass generates that look like Z3jf0fgk89SDjm3m, etc.) is that I feel like not having ultimate control over important passwords is unsettling... I NEED to be able to memorize my passwords for my own peace of mind. Ultimately, I want the keys to the kingdom to be in my head, not saved in some encrypted database that I may lose access to one day.

    I struggled with the same feelings... then I realized if I just memorized solid, unique passwords for a couple of key services, I could always just password reset everything else in the event of a complete database loss (also, solid backup practices makes the likelihood of even having that happen almost nil)

  13. Snarkasm

    Benefit to Keepass as well: if something catastrophic like heartbleed occurs, I have a discrete list of all the sites I have passwords on, and it's easy to go down the list and update them all. If I had to do it from memory, I might forget one of my credit card companies, or something along those lines. Yes, you won't forget the highest-volume stuff you use all the time, but those aren't the only ones that lose data, either.

    Overall, I only remember two passwords now: the one to my Dropbox account, and the one to my keepass archive. (The archive is in Dropbox, so I can sync it to all my devices; that's the only reason I have to remember that one, too.) It's a little inconvenient, but at the same time, a lot more convenient and feels safer.

  14. Soda

    I'll throw my hat in with 1Password. It does some REALLY cool stuff, like registering sites or even offline normal applications so that you can just click to automatically fill in user/pass (no copy/paste required!). Additionally, you can keep the whole thing off the cloud if you want, using a flash drive or something to share between computers, or keep it shared through dropbox/google drive.

    @Annes said:
    Can't we all just use easy-to-remember passphrases? Is this XKCD wrong? (not sarcasm, legitimate question.)

    Unfortunately, this idea started to take root a bit (not sure if anyone remembers amazon offering this as a password option), but hackers soon started making dictionary attacks a part of their arsenal, drastically reducing the strength of this idea, which made the extra database space required not really worth it (a 15 character password is roughly the same strength as a 5 word passphrase).

  15. ardichoke

    @Soda said:
    Unfortunately, this idea started to take root a bit (not sure if anyone remembers amazon offering this as a password option), but hackers soon started making dictionary attacks a part of their arsenal, drastically reducing the strength of this idea, which made the extra database space required not really worth it (a 15 character password is roughly the same strength as a 5 word passphrase).

    There really isn't any extra database space required for a longer password, at least if the site is storing their passwords correctly. This is because sites do not store your password in a retrievable format, except in very rare cases where they need to or if they're storing passwords improperly. Most sites out there store passwords in a cryptographically hashed format. The layman's overview of what this means is that the site takes your password, scrambles it all up in a reproducible, but not reversible, way which yields a string of data that is always the same size. They then store this hashed string. When you try and log in, they run the password you type in through the same hash function again and compare the result to the string in their database. If it matches, you input the right password and they let you in. This has the added benefit of making the size of the password field in a database a known quantity, no matter how long the user's password is.

    "But @ardichoke," you may be saying, "doesn't that mean that my super long password is meaningless?" Not really. The likelihood of getting a hash collision (where two different passwords yield the same cryptographic hash) with modern algorithms is extremely low. In most cases, an attacker is more likely to guess your correct password than find another one that yields the same hash. The benefit of storing passwords this way is that should the database be leaked, the passwords are not directly retrievable. The attacker basically has to start computing hashes for random passwords until they find one that matches a hash in the database, at which point they have the password for that particular user. This buys users time to change their passwords after a security breach.

    As for the concerns about a dictionary attack, let's look at some math. The number of possible passwords from a set of data can be easily calculated. In the case of an old style password made of upper and lowercase letters and numbers, you end up with 62 options per character in the password. If you have a 12 character password, this means there are roughly 3.22x10^21 possible passwords you could have. (62^12, as there are 62 options for each of the characters in the password, so the number of permutations is 62x62x62... 12 times.)

    Now then, consider a password based off of random words. The Oxford English Dictionary contains entries for 171,476 words currently in use today. Let's assume that about 3/4 of them are unsuitable for use in a password (too long, words you won't remember, etc.). That leaves us with 42,869 words remaining. Assuming that you chose 5 words from this set for your password, there are roughly 1.44x10^23 combinations (note, this is 100 times more options than the above example). This is assuming that you use the bare words, make no substitutions and don't capitalize anything. Once you start substituting numbers (or symbols) for letters, and capitalizing letters in words, the complexity EVEN IF AN ATTACKER IS WORKING FROM A DICTIONARY increases dramatically. Furthermore, your password is now much easier for you to remember, because you only have to remember 5 words as opposed to 12 random letters and numbers.

    Of course, this is just one example using rough math, but I believe it adequately demonstrates how using random word based passwords makes it much harder for a machine to guess your password while making it easier for a human to remember it. Well, adequately for an Internet forum anyway, obviously it would require more rigor to demonstrate it to a panel of CS professors.
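
The storage mechanics the comment above describes, as an added example that is not part of the original post or of any commenter's code: a correctly built site keeps a per-user salt and a slow, salted hash that is the same size whatever the password length, and verifies by recomputing; the second half shows the attacker's side against a site that stored unsalted MD5, where a "dictionary" of common words plus the usual substitutions recovers a weak password in microseconds but never reaches a random passphrase. The leaked table and word list are constructed samples, and the function names are the example's own.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # PBKDF2 work factor; tune so one verification costs ~0.1 s


def store_password(password: str) -> dict:
    """Proper storage: random per-user salt plus a deliberately slow salted hash.
    The digest is 32 bytes for SHA-256 no matter how long the password is, so a
    five-word passphrase costs the database nothing extra."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


# ---- the attacker's side, against a leak of unsalted, unsalted-and-fast MD5 ----

LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0"})


def variants(word: str):
    """A cracking dictionary is not just words: it is each word plus the
    capitalisations, 1337 substitutions and trailing digits people really use."""
    for base in (word, word.capitalize()):
        yield base
        yield base.translate(LEET)
        yield base + "1"


def crack_unsalted_md5(target_hex: str, wordlist) -> Optional[str]:
    """Without a salt the attacker hashes each guess once and checks it against
    every leaked hash at once; MD5 is fast enough for billions of tries a second."""
    for word in wordlist:
        for cand in variants(word):
            if hashlib.md5(cand.encode()).hexdigest() == target_hex:
                return cand
    return None


# Constructed sample leak: an unsalted MD5 table as a badly built site might keep it.
LEAKED = {
    "alice": hashlib.md5(b"P@ssw0rd").hexdigest(),
    "bob": hashlib.md5(b"MonsterBatteriesJumpShip").hexdigest(),
}
COMMON_WORDS = ["password", "letmein", "monkey", "dragon"]  # constructed sample list

if __name__ == "__main__":
    rec = store_password("MonsterBatteriesJumpShip")
    print("stored record:", rec)
    print("login ok:", verify_password(rec, "MonsterBatteriesJumpShip"))
    for user, h in LEAKED.items():
        print(user, "->", crack_unsalted_md5(h, COMMON_WORDS))
```

The same dictionary run against the PBKDF2 records would still fail on the passphrase, and would be 200,000 times slower per guess even on the weak password, which is the whole purpose of the work factor.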

  16. Thrax

    I typically see people say "BUT DICTIONARY ATTACK" on sentence-based passwords, but even a casual observer can see how absurdly complicated it would be for a computer to try every word in every combination for an unknown length.

  17. Soda

    oh LOL, forgot about hashing somehow, derp, which for any remotely secure hashing size makes the collision chance irrelevantly small. I DID realize that I was thinking about it COMPLETELY wrong though, since I was considering only dictionary words in the phrase, but considering any combination of letters for the single word. While it is definitely easier to remember lots of random character changes when it's just one word as opposed to several, that's not enough to get remotely close to the numbers I came up with, so you're definitely right.

  18. ardichoke

    @Thrax said:
    I typically see people say "BUT DICTIONARY ATTACK" on sentence-based passwords, but even a casual observer can see how absurdly complicated it would be for a computer to try every word in every combination for an unknown length.

    The dictionary attack argument also ignores the fact that there are also dictionaries out there for commonly used traditional passwords (and their various permutations). Dictionary in the password cracking sense doesn't mean what people think it means.

  19. d3k0y

    YeOldeFatWomanHorse

    Gonna make this my new password

  20. ardichoke

    HonorificabilitudinitaAntidisestablishmentarianismFloccinaucinihilipipificationPraetertranssubstantiationalistically

    Most secure password ever (until right now)
