By now, you are probably aware of the Heartbleed Bug. There are many people who have heard about it, but don’t understand what it is.
This is the simple explanation from Codenomicon, “The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
The recommendation for computer users is for them to change their passwords for systems that are known to be patched for the Heartbleed bug, since attackers may have stolen them from vulnerable systems. Here’s a dynamic list of common sites and their status.
This next step of changing passwords points to another vulnerability, people. Many computer users don’t know how to build and remember strong passwords and they also tend use the same weak password across all of their applications.
Cybercriminals who have known about the Heartbleed bug for some time have had the opportunity to steal many passwords. Since many people use the same password across many applications, the cybercriminals can take the passwords they’ve already collected (before the bug was identified) and break into numerous accounts for each computer user, from their facebook page, to their email, to their bank account. As the saying goes, “the world is their oyster.”
Now that the bug has been identified the responsibility is on the everyday computer user to create new passwords for all of these compromised, now patched, systems. Wouldn’t it be great if this time around everyone got it right? What if we all created unique and strong passwords for each site so that in the event another vulnerability is identified. Then the overall risk to each individual user would be less?
Here are some tips for creating strong passwords:
– In short, the key is to create one separate unique strong password for each activity where you provide sensitive information for example when purchasing online, doing online banking, registering for classes, and email in the cloud (Gmail, Microsoft Office 365).
– A strong password should not be easy to guess and therefore shouldn’t include yours or your family’s address, birthday, anniversary, etc.
– It must be at least eight characters long and include capital letters, symbols and numbers.
– One way to apply these tips is to create a password family which makes passwords easy to remember. For example you could create a password family around automobiles. Bl&ckVo1vo (Black Volvo) might be for secure use such as your online banking and then R3dF#rr$ri (Red Ferrari) might be for more risky activities such as online shopping, and then perhaps email in the cloud could be Wh^t3Pri9s (White Prius).
A recent report from Enterprise Management Associates shows that password management is one of the top five security education topics that security officers want their end users to complete. Based upon the list of 25 worst passwords above I think we know why.
While software developers have a large role in rectifying the Heartbleed bug, the computer user community has a responsibility too. To learn safe behaviors, either on their own or through their employer, that makes it harder for cyber criminals to take advantage of them.
Joe Ferrara is the President and CEO of Wombat Security Technologies
Wombat Security Technologies is a leading provider of cyber security training and filtering solutions. Its software-based training solutions are designed to be engaging and effective, and have been scientifically proven to be significantly more effective than other traditional training solutions. Wombat’s anti-phishing filtering solutions have been shown to catch significantly more phishing attacks than other filters. Wombat’s products are used in sectors as diverse as finance, government, telecom, health care, retail, education, transportation and utilities.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.