Computer CPR: How to respond to the Internet’s Heartbleed security hole

April 12, 2014

By Matthew E. Milliken

The other day, I spent about an hour updating several of my Internet passwords. The spur for this, in case you didn’t know — and if you didn’t, you really should — is Heartbleed, the gaping flaw in OpenSSL, the encryption library that a large share of websites use to secure their connections, which may have let snoopers read supposedly protected passwords and other information straight out of web servers’ memory over the last two years.

It’s not yet been determined whether anyone actually exploited the vulnerability in the OpenSSL code, which perhaps half a million websites used. (Another article estimates that this code is used on perhaps two-thirds of Internet servers. SSL, by the way, stands for secure sockets layer; the bug itself is in OpenSSL’s handling of the “heartbeat” extension of TLS, SSL’s successor.) Catalogued as CVE-2014-0160, the flaw lets anyone who can open a connection to a vulnerable server ask it to send back up to 64 kilobytes of whatever happens to be in its memory, repeatedly and without leaving a trace in the server’s logs. OpenSSL versions 1.0.1 through 1.0.1f are affected; the fix shipped in 1.0.1g. Samantha Murphy Kelly reported Wednesday that there’s no indication that hackers were aware of the bug before it was announced at the beginning of the week, and on Friday, the National Security Agency denied that it had either known about or used the flaw.

Still, in the wake of these revelations, Internet users have been advised to change their passwords. There are a couple of wrinkles, however. One is that if a site you use was affected, a password change won’t make a web account more secure until that website has patched the vulnerability; a new password sent to a still-vulnerable server can be scooped out of its memory just like the old one. A site should also have replaced its SSL certificate, since the server’s private key could have been among the leaked memory, and ideally have logged everyone out so that any stolen session cookies stop working.

There are workarounds, of course. On Thursday, Mashable compiled a table listing popular sites and whether or not a password change was advisable. Also, Internet denizens can go here and enter specific web addresses to see if those pages have been affected. (Such checkers work by sending the server a deliberately malformed heartbeat request and seeing whether it answers with more data than it was given.)
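To make concrete what “patched” and “affected” mean above, here is an added example of my own, not the author’s and not OpenSSL’s source: a small C model of the heartbeat handler, with the missing bounds check behind a flag. The server memory layout, the leftover session string sitting just past the incoming record, and all function names are constructed for the demo; the check itself is the one the OpenSSL fix added.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* RFC 6520 minimum padding */

/* Simulated server memory (constructed for the demo): the inbound heartbeat
 * record sits at the start; what an earlier request left behind sits past it. */
struct server_memory {
    unsigned char buf[256];
    size_t record_len;   /* bytes of buf the TLS layer actually received */
};

/* Hypothetical leftover from a previous request, constructed for the demo. */
static const char LEFTOVER[] = "user=alice;session=deadbeefcafe";

/* Heartbeat request: type, 2-byte claimed payload length, payload, padding.
 * The attacker picks claimed_len independently of the real payload size. */
static size_t build_request(unsigned char *out, uint16_t claimed_len,
                            const char *payload)
{
    size_t real_len = strlen(payload);
    out[0] = TLS1_HB_REQUEST;
    out[1] = (unsigned char)(claimed_len >> 8);
    out[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(out + 3, payload, real_len);
    memset(out + 3 + real_len, 0, HB_PADDING);
    return 1 + 2 + real_len + HB_PADDING;
}

/* Handler modelled on OpenSSL's tls1_process_heartbeat. patched == 0 trusts
 * the claimed length (the bug); patched == 1 adds the 1.0.1g check against
 * the record length. Returns payload bytes echoed, or -1 if dropped. */
static int process_heartbeat(const struct server_memory *mem, int patched,
                             unsigned char *resp, size_t resp_cap)
{
    const unsigned char *p = mem->buf;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);   /* attacker-controlled */
    const unsigned char *pl = p + 2;

    if (patched) {
        /* The fix: drop any heartbeat whose claimed payload cannot fit
         * inside the record that actually arrived. */
        if (1 + 2 + HB_PADDING > mem->record_len) return -1;
        if (1 + 2 + (size_t)payload + HB_PADDING > mem->record_len) return -1;
    }
    if (hbtype != TLS1_HB_REQUEST) return -1;
    if (1 + 2 + (size_t)payload + HB_PADDING > resp_cap) return -1;

    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    /* Unpatched: copies `payload` bytes from the real payload onward, so a
     * lie about the length keeps the copy going into neighbouring memory. */
    memcpy(resp + 3, pl, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return payload;
}

/* Memory as the server sees it after one request has been received. */
static void load_memory(struct server_memory *mem, uint16_t claimed_len,
                        const char *payload)
{
    memset(mem->buf, 0x41, sizeof mem->buf);           /* unrelated bytes */
    mem->record_len = build_request(mem->buf, claimed_len, payload);
    memcpy(mem->buf + 48, LEFTOVER, sizeof LEFTOVER);  /* just past the record */
}

static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* A 4-byte "ping" that claims to be 200 bytes (kept under sizeof buf so the
 * simulation stays in bounds). Returns 1 if the response carries the
 * leftover secret, 0 if not, -1 if the server dropped the request. */
int heartbleed_attack(int patched)
{
    struct server_memory mem;
    unsigned char resp[512];
    load_memory(&mem, 200, "ping");
    int n = process_heartbeat(&mem, patched, resp, sizeof resp);
    if (n < 0) return -1;
    return contains(resp + 3, (size_t)n, LEFTOVER);
}

/* A truthful request: both servers echo its 4 bytes. */
int honest_heartbeat(int patched)
{
    struct server_memory mem;
    unsigned char resp[512];
    load_memory(&mem, 4, "ping");
    return process_heartbeat(&mem, patched, resp, sizeof resp);
}

int main(void)
{
    printf("unpatched server leaks secret: %d\n", heartbleed_attack(0));   /* 1 */
    printf("patched server result:         %d\n", heartbleed_attack(1));   /* -1 */
    printf("honest ping echoed bytes:      %d / %d\n",
           honest_heartbeat(0), honest_heartbeat(1));                     /* 4 / 4 */
    return 0;
}
```

The fix is a one-line comparison of the claimed length against the length the TLS layer actually delivered; the unpatched copy is bounded only by the 16-bit length field, which is where the 64-kilobyte-per-request figure comes from. The same shape (a length read from the wire and trusted without checking it against the buffer that holds it) is worth grepping for in any parser you maintain.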

The other complication with changing all one’s passwords — beyond the sheer time involved for any person with more than a handful of Internet accounts, of course — is the difficulty most anyone has in keeping track of all the different passwords. (You are using different passwords for your various accounts, right? Good.)

After some years of holding out, I gave up on relying solely on my brain to retain all my different security phrases. Instead, I turned to LastPass, which offers extensions for most popular browsers.

Logging in to LastPass gives a user access to all the passwords he or she has stored with the service. When it’s active on a given computer, LastPass can even fill in the user’s name and password automatically to speed the login process. The program can detect when a user is setting a new password, and it can generate long, random passwords that are far harder to guess than anything a person would make up. (Note that it’s important to keep LastPass updated whenever the user opens a new account or changes a password; otherwise, of course, the program becomes much less useful.)

I use LastPass’s free level of service, meaning that my database of encrypted passwords is only available when I’m using my laptop. The premium level enables users to access their passwords through LastPass smartphone and tablet apps, among other benefits. (The additional features are available for what I’d call a modest annual charge of $12.)

There are some alternative programs on the market, which you can find described here; notable among them are 1Password, KeePass, Dashlane and oneSafe. (Some of these services require payment; others don’t.) On Friday, Slate tech blogger Lily Hay Newman described her experiences as a satisfied 1Password user in this post, which gives a good overview of the password manager software “genre.” Last fall, Katherine Stevenson compared LastPass and KeePass and ended up affirming her opinion that the latter service is superior.

I should note that, rather ironically, LastPass, a company that is focused on security, has had at least two unfortunate episodes regarding the safety of its data. It turns out that the outfit ran the vulnerable version of OpenSSL. However, LastPass claims — and no one to my knowledge has disputed — that users’ stored passwords could not have been exposed, because the software encrypts the password vault on the user’s own machine with a key derived from the master password, and that key is never sent to the company’s servers; anything the bug could have pulled from server memory was already ciphertext. (What the bug exposes on any affected server is whatever that server holds unencrypted, such as its SSL private key, which is why a server’s certificate needs replacing as well as its software.)

About three years ago, the company came to believe that its servers might have been hacked. A Whitson Gordon post published on Lifehacker the week before Heartbleed came to light praises LastPass for its reaction to the possible breach.

Look: There’s no such thing as perfect security. I feel pretty good about the password manager I use. If you’re keeping your software up to date, using a unique, hard-to-crack password for every account, changing your potentially compromised passwords once the affected sites have patched, and otherwise behaving in security-conscious ways, you’re probably about as safe as an Internet user can be.

Try to stay current, and remember the immortal words of Sgt. Phil Esterhaus: “Hey, let’s be careful out there.”


Author’s note: As stated above, I use LastPass’s free service; I have received no compensation from the company either for using its service or for writing this blog post, and the company hasn’t communicated with me in any way to encourage me to write this post. To read my standing disclaimers about this blog, please see this post.
