The Heartbleed bug first made public earlier this summer is pretty nasty news, possibly the biggest security story of the year. People in the tech community seem to be on top of things. Though, when I speak to my less tech-savvy friends and family, I find that they seem fairly unconcerned. Some of them have taken the view that this is simply the “new normal” and the cost/benefit of constant vigilance is simply not worth it. Others seem to adopt the approach that the “odds are it won’t impact them” and until they see evidence to the contrary there’s no need to take action. One friend told me “what’s the worst thing that can happen, they take money out of my account and I just contest the charge, right?”
I get it. Seems every other week we geeks are telling our friends and family about some other dire vulnerability they have to pay attention to. It’s exhausting. So the question is, how can people start making changes in their everyday practices to be more secure without letting security concerns take over their entire life? Here are a couple of steps I’ve taken and encourage my friends and family to take. I’m listing these in order of importance, so if you can only get your friends and family on board with a few, start at the top of the list.
1) Get Your Passwords Under Control.
Seriously, we must stop rotating the same passwords across all our sites. We’ve all been guilty of it at one time: using the same password, or the same few passwords, across all our various sites and services. Most people have a standard password they use for most things, maybe another “more secure password”, then a couple of different variations on the password. My brother and I joked as kids that if not for our parents’ poor password habits we would never have had access to all their accounts. (Of course, we would never do such things now - the statute of limitations on past transgressions has long since run!)
The problem with using the same or similar passwords is that if one site is compromised, then multiple services are ripe to be compromised, as attackers will take your login credentials and start trying them on other services. Using strong, unique passwords for all your accounts is the single best thing you can do to increase security. I’m a big fan of 1Password (full disclosure, they’re a long-time sponsor of Mac Power Users) but there are other options including LastPass. In light of the Heartbleed bug, Don McAllister of ScreenCastsOnline made his 1Password 4 Tutorial free and it will walk you through getting set up and using the program. I’ve bought a family license to 1Password for my family and sent them Don’s tutorial.
If you can convince your loved ones to do nothing else, get them to change the way they think about passwords.
2) Change “Mission Critical” Passwords.
Even if you start using a password manager today, that probably doesn’t make up for your past bad habits. The first thing to do is start going through your most critical passwords and services and changing them now to randomly generated, long, unique passwords. I call these your “mission critical” passwords and they would include financial institutions, email accounts, your AppleID, and file sharing and storage services. Basically, any site that has access to your personal data, financial information, or access to debit your credit card or bank account would fall in this category.
Furthermore, I suggest you get in the habit of regularly changing these passwords regardless of a breach. In 1Password I’ve created a custom tag called “Red Alert” for any site that falls in this category, and I make a note to change these passwords twice a year, or more often in the case of any security breach. (My friend David Sparks suggests you do this when the clocks change.) Regardless of your preference, pick a time, at least once, preferably twice, a year and go through and systematically change them. The process will take less than 30 minutes.
3) Set Up Two-Factor Authentication.
For the services that offer it, set up two-factor authentication. Two-factor authentication means that in order to access your sites, you’ll need to know something (your password) but you’ll also need to have something, typically your mobile phone. The implementation of two-factor authentication varies from service to service, but usually you’re required to enter your authentication code every time you try to log in from a different computer, or every 30 days. This means that if someone compromises your password they’ll also be prompted to enter a unique code, usually generated by or sent to your cell phone, to log into your account.
In a hypothetical scenario, let’s say a bad guy has managed to compromise my password to a particular service. Maybe through a security breach, social engineering or other means. When that person goes to log into an account using my username and password they’ll now be prompted for a security code that is generally sent to my cell phone by text message or accessed by an App on my phone. Now, said villain’s compromised passwords are useless unless he also has my cell phone.
Google has an Authenticator App that works with several services for retrieving authentication codes. Two-factor authentication is available for many services including Google, Dropbox, Evernote, PayPal, and to a limited extent your AppleID. If you want to learn more about how two-factor authentication works, Google has created a video walking through the process. There’s also a ScreenCastsOnline episode SCOM0417 all about two-factor authentication, walking you through setting up many of the popular services.
4) Change Passwords For Any Compromised Sites.
It seems every day we’re hearing of a site that has been exploited. Mashable is keeping a hit-list of notable sites and whether they were impacted by the Heartbleed vulnerability. It should be noted this is by no means a comprehensive list, but it lists the more popular sites. If you use a site that is on this list, was known to be vulnerable, and has patched the vulnerability, it’s time to change your passwords. Note that in the case of Google, if you use two-factor authentication you’ll also need to revoke and re-issue any application-specific passwords. If you use Dropbox or a similar service, you’ll want to unlink your devices and log back in again with your new credentials. In response to vulnerabilities like Heartbleed, 1Password has introduced a new feature called “Watchtower” that is built into the application. Watchtower is a regularly updated database of compromised sites. It compares this list with your passwords and then checks the date your passwords were last changed (whether before or after the vulnerability was patched) to let you know whether your password needs to be updated.
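The date logic behind a Watchtower-style check is worth seeing spelled out, because a password changed before the site was patched is still exposed. This is an added example with a constructed breach list and vault, not 1Password’s own code or data; the `.test` site names are placeholders.

```python
from datetime import date

# Constructed breach database: site -> date the site fixed Heartbleed (None = not yet patched).
BREACHED_SITES = {
    "example-mail.test": date(2014, 4, 8),
    "example-bank.test": date(2014, 4, 9),
    "example-forum.test": None,
}

# Constructed password-manager entries: site and the date the password was last changed.
VAULT = [
    {"site": "example-mail.test", "changed": date(2014, 4, 10)},   # rotated after the patch
    {"site": "example-bank.test", "changed": date(2014, 4, 8)},    # rotated before the patch
    {"site": "example-forum.test", "changed": date(2014, 4, 12)},  # site still unpatched
    {"site": "example-shop.test", "changed": date(2013, 1, 1)},    # not on the breach list
]


def password_status(site: str, changed: date) -> str:
    """Classify one vault entry against the breach list."""
    if site not in BREACHED_SITES:
        return "not affected"
    patched = BREACHED_SITES[site]
    if patched is None:
        # Changing now would just hand the new password to the same leaky server.
        return "wait: site not yet patched"
    if changed <= patched:
        # Same-day changes are treated as before the patch, to be safe.
        return "change now: password predates the patch"
    return "ok: changed after the patch"


def audit(vault) -> dict:
    """Return {site: status} for every entry, so the 'change now' items can be listed."""
    return {entry["site"]: password_status(entry["site"], entry["changed"]) for entry in vault}


if __name__ == "__main__":
    for site, status in audit(VAULT).items():
        print(f"{site:22} {status}")
```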
5) Start Changing The Rest of Your Passwords.
If you’ve been lax in your password policies in the past, the idea of going back and changing all your old passwords to new, randomly generated, secure, unique passwords can seem overwhelming. So, take it one step at a time. I’m fond of the saying “stop digging the hole”. If you find yourself in a mess, sometimes the best thing you can do is just stop digging any deeper and slowly start working your way out. That’s usually the best approach to tackling your passwords; otherwise the task can be overwhelming and you’ll eventually give up.
After you’ve changed all your “mission critical” passwords (see step 2) and the passwords for sites we know were vulnerable to Heartbleed or other security breaches (see step 4) you can take a breather, but keep moving forward working on everything else. I suggest that as you come across a web site or service, take a moment and change your password. I’m not being particularly proactive about this; simply, as I log into a service, I reset my password and update the password in 1Password. Over the course of a day you probably interact with a dozen different sites and services, so in the first week you should hit most sites you regularly interact with. After a month, you’ll probably hit 80 - 90% of all the sites and services you actively use. That’s huge.
This article first appeared in the May Issue of ScreencastsOnline Monthly Magazine. ScreenCastsOnline monthly magazine is packed with hints, tips, articles and links to streamable versions of ScreenCastsOnline tutorials and delivered monthly via Newsstand on the iPad. You can find out more at http://www.screencastsonline.com/magazine/