Lessons from Heartbleed – time to change your passwords!

Apr 9, 2014 | Uncategorized

You may have noticed press stories about Heartbleed, a recently discovered security vulnerability that could affect a large share of the Internet’s secure servers. This particular vulnerability only directly affects servers running a vulnerable version of a component called OpenSSL (1.0.1 through 1.0.1f; 1.0.1g is the fixed release). Moraware happens to run on Windows servers, and Windows’ own web and TLS stack doesn’t use OpenSSL, so we are not specifically impacted by this issue (here’s more info on Heartbleed itself). One caveat if you run Windows servers yourself: third-party software installed on a Windows box can ship its own copy of OpenSSL, so the question to ask a vendor is whether any OpenSSL is in use, not just which operating system is underneath.

Whew! Right? Well, this isn’t an opportunity to be cocky about our good technology choices. There are new security vulnerabilities discovered every day, some more serious than others. Like all responsible IT professionals, we’re on guard every day for any new security issues that might arise.

While you might not consider yourself an “IT professional,” you should still be aware of basic steps that people in your organization need to take to protect your business from malicious attacks. As I mentioned in my post imploring you to stop running Windows XP, security is an ongoing contest, and malicious hackers are your adversaries. Securing your network isn’t something you do once and then check off your list – it’s something you address on an ongoing basis as technology evolves and new threats emerge. You’ll never have “perfect” security – but the less you do to protect yourself, the more likely you are to have problems.

So even though Moraware wasn’t directly affected, other sites you use probably were affected by Heartbleed. I don’t want bad things happening to our customers, so here’s the basic step I recommend that you take to address the ongoing risk of this type of vulnerability:

Stop using the same password for more than one website or program.

That sounds so simple, yet it’s so annoying, I know … I can barely remember the names of all my cousins … there’s no way I can remember a different password for each site I visit. Well, I’m going to tell you how to address that in a moment, but first, here’s why it matters.

Let’s say a major retailer gets hacked and thieves get all their user IDs and passwords (stored in the clear, or hashed weakly enough to be cracked) – not even credit card numbers in this hypothetical example, just IDs and passwords. The first thing the retailer would do is invalidate all the passwords and notify their users to log in with a one-time key and change them. Problem solved, right?

Well … what if – like millions of other people – you use the same email address and password at a hundred other sites? If you were the thief, wouldn’t you try logging into other sites – especially ones that store credit cards – and see if your stolen credentials work there, too? Well, that’s exactly what the thieves do. They even write programs to automate the process (the industry calls this “credential stuffing”), going as slowly as necessary to stay under lockouts and rate limits and avoid detection.

Or maybe they’ll just log into your Twitter or Facebook account using that email address/password and spam all your friends – ever wonder how that happened to Joe or Mary or your mom? Now you know one way that social network accounts get compromised.

It’s even worse if you reuse the password FOR YOUR EMAIL account on other sites. If you have ever done that, then please change your email password right now. Email is often used to help you recover your other passwords, so if you lose control of your email account, it can be very messy to clean up. NEVER reuse your email password.

(NOTE: this is not the same as using Google login, Facebook login, LiveID, etc. on another site. Although it’s a tad confusing, those federated-login schemes never hand your Google or Facebook password to the other site; the site receives a limited token instead. Used appropriately, they reduce the number of passwords in circulation and probably help the security of the Internet overall. Just guard that one provider account as carefully as you guard your email.)

So … given that it’s not realistic for most people to remember more than a handful of good passwords, how do you use a different password for every site? The key is to use a password manager. A password manager is an application or a website where you store all your passwords, encrypted under one master password that you do remember. Some popular choices include LastPass, 1Password, and PassPack. The latest Lenovo laptop I purchased came with a password manager built into it, but I use PassPack myself. All of these tools are a bit geekier than they need to be, unfortunately, but try to muscle past that. Just pick one that makes sense to you and start using it.

A consequence of using a password manager is that you essentially have a “master key” – so you want to choose the best password you can remember for the password manager itself. In addition, most of these tools use an additional “encryption key” (I told you they were geeky). An encryption key is usually a passphrase longer than 20 characters with an unexpected character mixed in to make it even less guessable (something like “I told you~they were geeky” would be a good choice). My login/password to PassPack retrieves my data. My encryption key makes it so only I can use that data: it is turned into a key on my own computer rather than handed to PassPack, so what they store on my behalf is ciphertext. If I lose my encryption key, PassPack has no way to recover it for me – which also means thieves can’t do anything with my password data even if they penetrated PassPack (assuming I chose an adequately long key). That property, the service being unable to decrypt your vault, is the one to check for in whichever tool you pick.
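To make the login-versus-encryption-key split concrete, here is a small added example written for this page. It is not PassPack’s code, nor Moraware’s; the names in it (VaultService, seal, open_sealed, client_save, client_open) are invented for illustration, and it uses standard-library stand-ins (PBKDF2 for key derivation, an HMAC-based keystream plus HMAC tag in place of a real AEAD such as AES-GCM) so it runs anywhere Python does. The point it demonstrates is the one in the paragraph above: someone who steals the whole server database, and even knows the login password, still ends up with nothing but ciphertext.

```python
"""Toy vault showing why a separate encryption key protects you even if the
service is breached: the login password is what the server verifies, the
encryption key only ever becomes a key on the client, and the server stores
nothing but ciphertext. Stdlib stand-ins: PBKDF2-HMAC-SHA256 for key
derivation; an HMAC-SHA256 counter-mode keystream plus HMAC tag in place of a
real AEAD such as AES-GCM. Added example, not any real product's code."""
import hashlib
import hmac
import json
import secrets
import struct

PBKDF2_ROUNDS = 100_000  # assumption: plausible work factor; raise it in practice


def derive_key(secret: str, salt: bytes, purpose: bytes) -> bytes:
    """32-byte key bound to a purpose label, so the login verifier and the
    vault key can never coincide even if someone reuses the same phrase."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), purpose + salt, PBKDF2_ROUNDS)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _subkeys(vault_key: bytes):
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())


def seal(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(16)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(vault_key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong encryption key or tampered vault")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


class VaultService:
    """Server side: a login verifier and an opaque blob per user, nothing else."""

    def __init__(self) -> None:
        self.db = {}  # email -> {"salt", "verifier", "blob"}

    def register(self, email: str, login_password: str, blob: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.db[email] = {"salt": salt, "verifier": derive_key(login_password, salt, b"login"), "blob": blob}

    def fetch(self, email: str, login_password: str) -> bytes:
        rec = self.db[email]
        if not hmac.compare_digest(derive_key(login_password, rec["salt"], b"login"), rec["verifier"]):
            raise PermissionError("login rejected")
        return rec["blob"]


def client_save(svc: VaultService, email: str, login_pw: str, enc_key: str, entries: dict) -> None:
    salt = secrets.token_bytes(16)  # public; travels with the ciphertext
    vault_key = derive_key(enc_key, salt, b"vault")
    svc.register(email, login_pw, salt + seal(vault_key, json.dumps(entries).encode()))


def client_open(svc: VaultService, email: str, login_pw: str, enc_key: str) -> dict:
    blob = svc.fetch(email, login_pw)
    return json.loads(open_sealed(derive_key(enc_key, blob[:16], b"vault"), blob[16:]))


def demo() -> dict:
    """Round-trip, then play an attacker who has the service's database AND
    the login password but not the encryption key."""
    svc = VaultService()
    entries = {"internal.moraware.example": "qLzmjZSG6Zlt"}  # constructed sample entry
    email, login_pw, enc_key = "me@example.com", "login-only-secret", "I told you~they were geeky"
    client_save(svc, email, login_pw, enc_key, entries)
    result = {"roundtrip_ok": client_open(svc, email, login_pw, enc_key) == entries}
    result["plaintext_in_db"] = b"qLzmjZSG6Zlt" in svc.db[email]["blob"]
    try:
        client_open(svc, email, login_pw, "guessed wrong")
        result["cracked_with_login_only"] = True
    except ValueError:
        result["cracked_with_login_only"] = False
    return result


if __name__ == "__main__":
    print(demo())
```

The design choice worth noticing is that both secrets go through the same slow derivation but with different purpose labels, so even a user who (against advice) typed the same phrase for login and encryption would not hand the server a value it could reuse as the vault key. A real manager would replace the HMAC keystream with AES-GCM or ChaCha20-Poly1305, but the shape of the guarantee is identical.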

I let PassPack make up a password for every new site that I log into. For example, I just added an imaginary new site and asked PassPack to suggest a password – it returned qLzmjZSG6Zlt. That’s a good, strong password that won’t be easily guessed by “dictionary” attacks (that look for commonly used words in passwords) or most “brute force” attacks (that cycle through combinations of characters).
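The suggested password above is 12 characters drawn from letters and digits. As an added illustration (my own code for this post, not PassPack’s generator), the block below generates passwords the same way with Python’s `secrets` module and puts a number on their strength. The guessing rate in it is an assumed figure for illustration, not a measurement of any attacker, and the word list is a constructed stand-in for a real one.

```python
"""Generate site passwords the way a password manager does, from the OS
CSPRNG via `secrets` rather than `random`, and estimate how strong they are.
Added example; the guess rate and word list are assumptions for illustration."""
import math
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits  # the 62-symbol set the page's sample uses
SYMBOLS = ALPHANUMERIC + "!@#$%^&*()-_=+[]{};:,.?~"

# Constructed tiny word list for the passphrase variant; a real tool would use
# a list of several thousand words (e.g. the 7776-word EFF list).
WORDS = ["told", "geeky", "granite", "laptop", "cousin", "kitchen", "ledger", "orbit"]


def generate_password(length: int = 12, alphabet: str = ALPHANUMERIC) -> str:
    """Uniformly random characters; secrets.choice is unbiased and unpredictable,
    which random.choice (a seeded Mersenne Twister) is not."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(n_words: int = 5, words=WORDS, sep: str = " ") -> str:
    """Long, memorable variant suited to an encryption key; strength comes from
    the size of the word list, not from the words looking strange."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """log2(alphabet^length): bits of entropy when every symbol is drawn uniformly."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to find the password after trying half the keyspace, at an
    ASSUMED offline rate (1e10/s stands in for GPU cracking of a weak hash;
    a properly slow hash cuts the rate by orders of magnitude)."""
    return 2 ** (bits - 1) / guesses_per_second


def report(password: str, alphabet_size: int) -> dict:
    bits = entropy_bits(len(password), alphabet_size)
    return {"bits": round(bits, 1), "years": expected_crack_seconds(bits) / (365 * 86400)}


if __name__ == "__main__":
    sample = "qLzmjZSG6Zlt"  # the page's sample
    print(sample, report(sample, len(ALPHANUMERIC)))
    pw = generate_password(16, SYMBOLS)
    print(pw, report(pw, len(SYMBOLS)))
    print(generate_passphrase(), round(entropy_bits(5, len(WORDS)), 1), "bits with this toy list")
```

For the 12-character sample this works out to a little over 71 bits, which at the assumed rate is thousands of years of guessing; the same arithmetic shows why a five-word phrase from an eight-word list is hopeless (15 bits) while five words from a 7776-word list (about 64 bits) is a sound encryption key.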

That means I don’t even know what my password is for most sites that I use – for example, I have no idea what my password is for our internal Moraware site, because I just copy it from PassPack each day. This adds a tiny amount of overhead to my day, but it means that I use a different, strong password for every site I visit. Once you get used to copy-and-pasting your passwords instead of typing them, it’s easy. I strongly recommend you adopt the habit of using a password manager – and I would encourage your employees to do the same.

Back to Heartbleed … TO MAKE THINGS EVEN MORE CONFUSING, some security experts are recommending that you avoid changing any passwords until you receive notice from a website that they’ve fixed any issues with OpenSSL. The reasoning: a password you set while the server is still vulnerable can be read out of its memory just like the old one. Personally, I think that’s splitting hairs. If you intend to make one new password that you use for every site, then yes, you’d probably be better off waiting. And yes, the “safest” thing you can do is simply avoid using the Internet, but that’s not realistic. I’d rather have you implement a password manager and change all your passwords to unique passwords – and then it’s just no big deal any time you need to change one, because you’ll have a good system in place. If a site tells you it patched after you already changed your password there, change that one again; with a manager it takes a minute.

Again – security is never “done” … it’s something you keep working on and improving. Ideally, you do enough to prevent an incident – because it really stinks to clean this stuff up AFTER your business is compromised.

A quick update on the XP issue (XP officially reached end of life yesterday) – unfortunately, it appears that some equipment manufacturers still support or require Windows XP (or even earlier versions of Windows!) This is not good business. If you have a vendor that requires Windows XP for a version of their product that’s still under warranty, I would ask them how they plan to support a product that Microsoft no longer does. (NOTE that Windows XP Embedded is a separate product that is still supported by Microsoft until January 2016.) We’ll keep you posted on this issue as we learn more.