What ‘Heartbleed’ Can Teach Us All About Internet Security

If you’re reading this post, you’re probably a victim of the ‘Heartbleed’ bug. You may not know it yet, and it may never have any negative repercussions for you personally, but that doesn’t mean you escaped the security issue’s reach.

According to a list published by Mashable, Facebook, Instagram, Pinterest, Tumblr, Gmail, Yahoo and many others have all been impacted, or potentially impacted, by the OpenSSL flaw we lovingly refer to as ‘Heartbleed’. If you use any of these services (and you likely do), my best advice is to make sure the site has patched its servers before you change your password; otherwise the new password can leak the same way the old one did and you’ll just have to change it again once they finally do. Note that a complete fix on the site’s side also means reissuing its TLS certificate, because the bug could expose the server’s private key as well as user data.

For as internet savvy as I am (or believe myself to be), I myself am guilty of one of the fundamental no-no’s online: using the same password for multiple logins. While I do have a variety of passwords I use (3, to be exact), instead of just creating more, I basically bucketed sites into groups that share a password, in a list I refer to as “How Much Do I Care If This Is Hacked?”, an order of importance, if you will. For example, obviously I don’t want my banking or Gmail or Twitter accounts hacked, but Tumblr? Not very important.

Clearly, this logic is as flawed as OpenSSL was: a password leaked from the least important site in a bucket unlocks every other site in that bucket, and a bug like Heartbleed doesn’t respect anyone’s ranking. As soon as I realized the implications of this security mishap, I quickly changed my passwords across the board. But is that really enough?

‘Heartbleed’ is a rare occurrence. Individual sites are hacked all the time, but a single flaw that affects this many sites simultaneously isn’t something that happens every day (fortunately). Still, better safe than sorry, and there are some very basic things you can do to limit the damage next time.

  • If a website you use often offers two-step authentication, then by all means use it! It may be slightly inconvenient, but an attacker would need to both clone or steal your phone AND know your password, which is far less likely than either one alone. For people with hosting and domain name accounts, this should be an absolute must.
  • For WordPress owners, two-factor authentication is even more critical: WordPress powers a large portion of the web, which makes it a constant target for automated, large-scale login attacks. Personally, I use a combination of two-step auth with Duo (which uses an iOS app to authorize logins) and BruteProtect to monitor against large-scale attacks.
  • If your favorite site doesn’t offer two-step auth, at the very least use a different password for each site, and, by all means, don’t store them in online files (a plain document in your email or cloud drive, say) that a breach could expose.
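To make the “two-step” tip concrete, here is an added example (written for this post, not code from Duo, BruteProtect or WordPress) of the time-based one-time password scheme most phone apps implement: the server and the phone share a per-account secret, the phone shows a six-digit code derived from that secret and the current 30-second window, and the server only lets a login through when both the password and a current code are right. The key `12345678901234567890` is the published RFC 4226/RFC 6238 reference key, used here only so the output is checkable; the `enroll`, `hash_password` and `login` helper names and the sample salt are assumptions for the illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple

# Constructed example: the RFC 4226 / RFC 6238 reference key, NOT a real secret.
# Real enrollments use a fresh random secret per account (see enroll()).
REFERENCE_SECRET = b"12345678901234567890"


def enroll() -> Tuple[bytes, str]:
    """Generate a fresh per-account secret and the base32 form a phone app scans (hypothetical helper)."""
    secret = secrets.token_bytes(20)
    return secret, base64.b32encode(secret).decode("ascii")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time (this is what the phone displays)."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None,
                step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Server-side check: accept the current step plus/minus `window` steps for clock drift.

    Uses a constant-time comparison so response timing does not reveal which digits matched.
    """
    now = int(time.time()) if at is None else at
    counter = now // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits).encode(), code.encode()):
            return True
    return False


def hash_password(password: str, salt: bytes) -> bytes:
    """Store a salted PBKDF2 hash, never the password itself (hypothetical helper)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def login(stored_hash: bytes, salt: bytes, password: str, secret: bytes,
          code: str, at: Optional[int] = None) -> bool:
    """Two-step login: the password AND a valid code from the enrolled device are both required."""
    password_ok = hmac.compare_digest(hash_password(password, salt), stored_hash)
    return password_ok and verify_totp(secret, code, at=at)


if __name__ == "__main__":
    salt = b"constructed-salt"          # constructed sample value
    stored = hash_password("correct horse", salt)
    phone_code = totp(REFERENCE_SECRET, at=59)   # what the app shows at t=59
    print("code shown on phone:", phone_code)
    # Legitimate user: right password and a current code.
    print("user logs in:", login(stored, salt, "correct horse", REFERENCE_SECRET, phone_code, at=59))
    # Attacker who leaked the password (e.g. via Heartbleed) but has no enrolled device.
    print("password-only attacker:", login(stored, salt, "correct horse", REFERENCE_SECRET, "123456", at=59))
    # Attacker who also captured one code, replaying it 90 seconds later.
    print("replayed code later:", login(stored, salt, "correct horse", REFERENCE_SECRET, phone_code, at=59 + 90))
```

The point the list makes shows up in the last two calls: a stolen password alone is rejected, and even a captured code stops working once its time window (plus the one-step drift allowance) has passed, so the attacker needs the device itself.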

Are there any other tips you have for helping to maintain online security?
