This is a recap of the Heartbleed bug issue. I have reviewed this issue over the past several weeks since it was disclosed, and I would like to take this opportunity to refine my message to clients, friends and followers on social media.
Initially, the risk associated with the “Heartbleed” vulnerability was widely overestimated in the media, but it is real, and the threat became more acute when the information about it went public while so many sites had the vulnerability.
As I understand it, the remediation process is mostly complete, but some of the more extensive sites (meaning complex sites with many users, products, processes and connections) still have not patched the vulnerability.
Here is what I can say:
We will call the sites that you use most regularly, and for your most important stuff, i.e. banking, credit and investment, your “Class A” sites. You should look for statements about the Heartbleed vulnerability on your Class A websites, and follow their recommendation exactly and right away.
We will call the sites that you shop at most regularly your “Class B” sites. These might be Amazon.com, Walmart.com, Sears.com, etc. If you use any of them for significant purchases, or if you keep current credit card information on file at any of them, you should do the same for them as you do for Class A sites. You might want to check receipts for things that you have purchased in the last six months to help identify these sites.
If you use an online email service, such as Gmail, Yahoo mail, Hotmail, Microsoft Outlook.com, or anything like that, and you use that email account as the “password recovery” email address for a Class A or Class B site, then you should check your email service provider’s statement about Heartbleed, and follow their recommendations exactly. Do this even if you use a desktop software program like Microsoft Outlook or Windows Mail to manage your email. If the email service has a web portal, you must pay attention to Heartbleed.
In addition to these sites, if you have a smartphone, and the smartphone comes with an associated account such as Apple iCloud, Google Plus for Android, or Microsoft Outlook.com or Office 365, include those account credentials in the webmail category (the email services described above) and treat them the same way.
Finally, you should be absolutely sure that none of the passwords that you use for these sites, Class A, Class B and Webmail, are the same. Make sure that they are all strong and different.
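The two checks this paragraph asks for, "none of them are the same" and "all of them are strong", are easy to get wrong by eye once a list grows past a dozen entries. The script below is an added example, not part of the original post, that audits a small constructed list of site-to-password entries for reuse and for weak entries using a character-class entropy estimate; the site names and passwords are made up for the example, and the 60-bit threshold is an assumption, not a figure from the post. It reports findings by site name only, so the passwords themselves are never printed.

```python
import math
from collections import defaultdict

# Constructed sample vault for the example: none of these are real credentials.
# Maps site name -> password, the shape a manual list or export would have.
SAMPLE_VAULT = {
    "bank.example": "correct horse battery staple 42",
    "broker.example": "Tr0ub4dor&3",
    "shop.example": "Tr0ub4dor&3",          # deliberately reused from broker.example
    "mail.example": "password1",            # deliberately weak
    "phone-cloud.example": "xK9#mP2$vL7@qR4!",
}

# Assumed threshold (not from the post): below this estimate we flag the entry.
MIN_BITS = 60


def estimate_entropy_bits(password):
    """Rough strength estimate: length * log2(alphabet size).

    The alphabet size is inferred from which character classes appear.
    This is a heuristic only; it cannot see dictionary words or common
    substitution patterns, so it overrates passwords built from them.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation and space
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def find_reused(vault):
    """Return groups of site names that share one password, sorted.

    Grouping by the password value and returning only the site names keeps
    the secret out of the report.
    """
    sites_by_password = defaultdict(list)
    for site, password in vault.items():
        sites_by_password[password].append(site)
    groups = [sorted(sites) for sites in sites_by_password.values() if len(sites) > 1]
    return sorted(groups)


def find_weak(vault, min_bits=MIN_BITS):
    """Return {site: estimated_bits} for every entry below the threshold."""
    weak = {}
    for site, password in vault.items():
        bits = estimate_entropy_bits(password)
        if bits < min_bits:
            weak[site] = round(bits, 1)
    return weak


def audit(vault, min_bits=MIN_BITS):
    """Combine both checks into one report dict."""
    return {
        "reused": find_reused(vault),
        "weak": find_weak(vault, min_bits),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_VAULT)
    for group in report["reused"]:
        print("Same password used on:", ", ".join(group))
    for site, bits in report["weak"].items():
        print(f"Weak password on {site}: about {bits} bits (threshold {MIN_BITS})")
    if not report["reused"] and not report["weak"]:
        print("No reuse or weak entries found.")
```

On the sample data the script reports that broker.example and shop.example share a password and that mail.example is weak. Note the limit of the estimate: "Tr0ub4dor&3" passes the bit threshold because it mixes four character classes, even though it is a well-known substitution pattern that a real attacker's wordlist would contain, which is one reason the post's recommendation of a password manager with generated passwords is the better path.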
I have recommended that you consider using a password manager such as LastPass to manage these passwords. We, however, understand that many of our friends and acquaintances will find LastPass difficult to use, because while we are fairly expert, there are areas where we have struggled using LastPass. We have had to learn some special techniques that are part of the design of LastPass to deal with the various ways in which it sometimes fails to capture, or incorrectly captures, site information. If, for you, the number of sites I have described above is fewer than 20 or 30, then you may be able to maintain a manual list of your passwords, either on paper or in an electronic text file. Remember that the existence of such a list is a security vulnerability in and of itself, and also that every time you change a password you must update your list.
We still strongly recommend that you adopt a password manager, and allot the requisite time and patience to become adept enough at using it that you don't get either locked out of your accounts, or get into a panic.
I think that this is the simplest message that I can give about password maintenance, and it is consistent with the best advice out there for creating and maintaining passwords. A day will come when we no longer will need passwords, but until then, we must be as wary as a jeweler walking the streets of Manhattan.