17 Apr

Heartbleed – What You Need to Know

Heartbleed, what does it mean to you? By now you have probably heard of it. It is a security flaw in software that handles secure communications for the majority of websites, so it is very likely that you have been affected. It is a very big deal. Although Heartbleed has made the headlines only in the last couple of weeks, it has in fact existed for at least two years. That means that for at least two years your private information may have been fully exposed to hackers.

Even someone like me, who follows all the best practices for keeping strong passwords, has been compromised. Only a few months ago, I discovered fraudulent charges on my credit card. It was very puzzling considering how careful I am. Whether it was due to Heartbleed or some other vulnerability is anyone’s guess. Unless a vendor has told you that its site is not vulnerable, you should assume that the passwords on all of the online portals you use are compromised and take immediate action to change all of them. If you reuse the same password on a number of different websites, the passwords on the sites that were not affected may need to be changed as well. I do realize, having to do so myself, that it is very challenging to keep track of all of your passwords, much less change them.

There are no easy answers right now with regard to password management. New technologies like biometrics may eventually reduce the need for passwords, but they are still evolving and are not yet fully proven in the consumer space. Password manager applications can ease the pain of remembering numerous passwords, but be mindful that they are primarily cloud-based, so your passwords are at risk should the password manager vendor suffer a breach. You will also generally have to create and remember a master password, which must be very strong so that no one can guess it or recover it with password-cracking tools. While the file containing all your passwords may be encrypted, anyone who obtains the master password can fully decrypt and read it. There are ways to mitigate the risk, but it remains a large exposure considering the potential damage from a compromised password file.

Unless your online vendor has explicitly notified you that it had the vulnerability and has since patched its site, be mindful that you may need to change your password for that site again once it has fully patched its systems, since a password changed while the flaw is still present can be exposed just as the old one was. Contact the vendor if you are not sure. As a best practice, change your passwords on a regular schedule. Also be vigilant and check your bank and credit card statements often. The one thing that is certain is that hackers will not rest on their laurels. You can be assured that they will exploit Heartbleed, not to mention look for new and better ways to compromise your important data.