The big post-Heartbleed password change

Screenshot of the Heartbleed web site

Following last week’s revelations about the Heartbleed bug, I spent quite a bit of time over the weekend changing passwords. Not all of them – I’ve been using this list of affected sites from Mashable – but quite a lot.

At the same time I’ve also taken the opportunity to audit other passwords from non-affected sites. I use 1Password as my password manager, on OS X, Windows and iOS, and it has a ‘Password Audit’ feature that shows weak, old and duplicated passwords. Ashamedly, I had quite a few of all three.

As a reminder, the generally accepted guidelines say a strong password should:

  1. Be as long as possible
  2. Use a mixture of lower- and uppercase letters, numbers and special characters
  3. Be unique to that site
  4. Avoid any word that could appear in a dictionary

Using a password manager is therefore a very good idea, as they can usually generate strong passwords that meet those criteria, and offer to remember them for you. I tend to go for 24-character passwords like ‘3&yjGJNrE)Up2no8W:iNduYg’, to give an example of one that 1Password has just given me, and there’s no way that I could memorise that. The only passwords I have committed to memory are my 1Password Master Password, for obvious reasons, and my logins for Google, iTunes and Facebook. Whilst they satisfy the first three criteria above, they do use actual words – albeit with numbers and symbols replacing some of the letters – because these are the ones I use the most frequently. They’re still ‘strong’ according to most password meters.

Having said all of that, your passwords also have to fit within the constraints set by the web sites with which you have accounts. Whilst most of the sites I’ve been using have no problem with 24-character passwords, and are happy to accept symbols, not all are. Quite a few would only take passwords up to 16 characters, others won’t accept special characters, and some impose both limits. Where that happened, I had to make do with weaker passwords, but at least they’ll be unique.

There are, however, two web sites that were significantly worse than others. hmvdigital doesn’t let users change their password unless they contact customer services. The worst offender, however, is the Intercontinental Hotels Group, which owns the Holiday Inn and Crowne Plaza chains. If you’re in their IHG Rewards scheme – I am, and I have gold membership – then your password is a 4-digit numeric PIN. So there are only 10,000 possible password combinations, which could be cracked within minutes by an average home desktop computer. In 2014, this is horrifying, and for this reason, if you use IHG’s hotels, please don’t store your credit card details with them.

On the other hand, it’s been enlightening seeing which sites have removed my accounts for inactivity. For example, dabs.com have deleted my account, presumably because my last purchase from there was circa 2005. And other sites simply don’t exist anymore.

Stem my bleeding heart

Screenshot of the Heartbleed web site

If you read tech news on the internet, then you will have almost certainly come across the Heartbleed bug. As well as being probably the first programming bug to have a logo and brand name, it’s also very serious. It affects, or affected, a significant number of web sites and web services – pretty much anything that used SSL or TLS and the OpenSSL library. This will include many sites using the open source Apache and nginx web servers, which between them account for a majority of web sites.

The Heartbleed bug was in the ‘heartbeat’ component of OpenSSL, and first appeared in a code commit made at around 11pm on New Year’s Eve 2011 – make of that what you will. The first stable release of OpenSSL with the bug came in March 2012, and it was only fixed relatively recently. It’s therefore estimated that 17% of the world’s web sites may be affected.

If you administer a server that uses OpenSSL, then you’ll need to make sure that you update to the latest version which fixes the bug. But you may also need to revoke your SSL certificates and acquire new ones, and, if you suspect any foul play, do a full security audit. You can check your server using this tool – I’ve verified that this site was never affected.
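The tool mentioned above tests a server remotely; as an added example that is not part of the original post or of any tool it links to, here is a local inventory check in Python that classifies an OpenSSL version banner (in the format printed by `openssl version` or reported by Python’s `ssl.OPENSSL_VERSION`) against the releases known to carry the bug: 1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g and 1.0.2-beta2. The banners in the `__main__` block are constructed. One caveat belongs with it: distributions that backport the fix keep the old upstream banner (Debian’s patched 1.0.1e is the usual example), so a match here is a prompt to check the package changelog, not proof of exposure.

```python
import re
import ssl

# Matches "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 ...": major, minor, fix,
# optional patch letter(s), optional beta number.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.IGNORECASE)


def parse_banner(banner):
    """Split a version banner into (major, minor, fix, letters, beta_or_None)."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    major, minor, fix, letters, beta = m.groups()
    return int(major), int(minor), int(fix), letters.lower(), (int(beta) if beta else None)


def is_heartbleed_vulnerable(banner):
    """True if the upstream release named in the banner shipped the vulnerable heartbeat code.

    1.0.1 (no letter) up to and including 1.0.1f are affected; 1.0.1g carries the fix.
    1.0.2-beta1 is affected; 1.0.2-beta2 is fixed. No other branch ever had the bug.
    A distro-backported fix is invisible here, so treat True as "investigate".
    """
    major, minor, fix, letters, beta = parse_banner(banner)
    if (major, minor, fix) == (1, 0, 1):
        return letters < "g"  # "" (plain 1.0.1) through "f" sort before "g"
    if (major, minor, fix) == (1, 0, 2) and beta is not None:
        return beta < 2
    return False


def local_openssl_status():
    """Return (banner, vulnerable) for the OpenSSL library this Python is linked against."""
    banner = ssl.OPENSSL_VERSION
    return banner, is_heartbleed_vulnerable(banner)


if __name__ == "__main__":
    # Constructed banners, in the shape `openssl version` prints.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.2-beta1 24 Feb 2014", "OpenSSL 0.9.8y 5 Feb 2013"):
        print(f"{sample:35} vulnerable={is_heartbleed_vulnerable(sample)}")
    print("this interpreter:", *local_openssl_status())
```

Run it on each host as part of the update sweep; for servers that report a vulnerable upstream version, confirm against the package changelog, then follow the post’s advice on re-keying and revoking certificates, since patching alone does not recover keys that may already have been read.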

If you’re just a regular user of the internet, then you may notice that some web sites will have forcibly logged you out. Some may also require you to change your password, and possibly re-connect any third party apps linked to your account. IFTTT emailed me to suggest changing my password, and Pocket has advised its users to do the same. Ironically, so has the web site Should I Change My Password, which notifies users of data breaches. If you are not already using one, I would suggest a password manager such as 1Password, RoboForm, KeePass or LastPass. LastPass users can also find out if any sites they use have been affected by Heartbleed.

Some security experts have suggested that users change all of their passwords, although only once the web sites have implemented their fixes. This may not be necessary in every case; PayPal, for example, has said they were not affected by Heartbleed. However, if you’re not using strong, unique passwords for every web site then now may be a good time to do so, regardless of whether sites have been affected or not, and the aforementioned password managers will help you in that regard. A lot of sites will now accept passwords that are more than 20 characters long, with special characters, which should be very, very difficult to crack.