The newly discovered Heartbleed bug is being touted as the Web’s worst security bug ever. So, I decided to write a series of 3 posts explaining what it is, which sites are affected and what you should do to protect yourself from this “Greatest Virtual Horror of All Time.”
Because this “bug” is so specific, the number of servers actually affected is significantly smaller than many thought originally. In fact, while some estimates claimed that 60% of all Internet servers had the Heartbleed bug, Netcraft says the number should be much lower, under 17.5% (well, that’s still a lot of servers, but still fewer than 60%).
After the discovery of the bug, the OpenSSL software was rapidly patched, and as of version 1.0.1g the problem no longer exists. Even before that, if OpenSSL was built without the heartbeat extension, the server was never vulnerable.
If you need the TL;DR, here it is: Do not panic.
Now, the important question: should you worry about this problem? The short answer is “yes, but don’t panic”. You should definitely change your passwords, at least for the services confirmed as vulnerable that have since been fixed, such as Google and Yahoo!. But you should be changing your passwords regularly no matter what. If you have trouble remembering your passwords, you can always use a password manager such as LastPass [Mac/PC/iOS] or 1Password [Mac/iOS].
(REMEMBER: Never write down your passwords on a sticky note next to your monitor, in a notepad, or in a document on the computer.)
This password-changing recommendation is nothing but a precaution, because even if hackers knew about the problem (something that hasn’t been confirmed, aside from by our friends at the NSA, apparently), the chances of them getting your password and being able to match that data up to your username are pretty slim. Some people claim that the private keys behind servers’ encryption certificates (the technology that lets your browser confirm a website is in fact what it says it is) could have been stolen, but the company CloudFlare has said it’s very difficult to do. It published a challenge to whoever could steal this key, and it appears that someone did, during a server reboot. Regardless of the probability, companies are changing their encryption keys so that new data is not exposed if somebody was able to obtain the old keys.
But this is gonna take forever!
Don’t worry: to help you with your password-resetting chores, I’ve compiled the best tools to make the process as quick and painless as possible. They’ll also sync your new passwords to your iPhone/Android, all in under 10 minutes.
Fixed Heartbleed Sites:
The following sites were vulnerable to the Heartbleed bug but have since updated their servers to fix the hole and are advising users to update their passwords.
The links below will take you directly to the site’s password reset page once you log in, saving you further clicks.
Facebook’s password reset page
Instagram’s password reset page
Pinterest’s password reset page
Tumblr’s password reset page
Google/GMail’s password reset page
Amazon Web Services’ password reset page
TurboTax’s password reset page
Dropbox’s password reset page
OKCupid’s password reset page
SoundCloud’s password reset page
GoDaddy’s password reset page
Minecraft’s password reset page
1Password & 1Password Extension – There is no magic button to reset all your passwords at once, but the tools from 1Password make the process a lot quicker with password generation, auto-filling and syncing to the iPhone app.
Safari & iCloud Keychain – Safari’s new iCloud Keychain features can also auto-generate passwords, auto-fill forms, and sync your info across devices. It’s not as feature-rich as 1Password, but it’s free, and you can sync your data with 1Password via iCloud.
DiceWare (optional) – If you have a hard time remembering the randomly generated passwords created by iCloud Keychain or 1Password, DiceWare has a random generator for passphrases that are easy to remember.
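To show what makes a Diceware-style passphrase both memorable and strong, here is an added example (not code from the original post, nor from the Diceware project) that picks words with a cryptographically secure random source and computes how many bits of entropy a passphrase of a given length carries. The real Diceware list has 7776 words (five dice rolls, 6^5); the tiny word list below is a constructed stand-in so the code runs offline, and the entropy helpers accept the real list size so you can see the numbers that matter in practice.

```python
"""Diceware-style passphrase generation with an entropy estimate.

Added example; not code from the original post or from the Diceware project.
"""
import math
import secrets

# Constructed stand-in word list (assumption: a real list is far larger,
# 7776 words for standard Diceware). 32 entries, so log2(32) = 5 bits/word.
CONSTRUCTED_WORDS = [
    "apple", "brick", "cloud", "delta", "eagle", "flame", "grape", "harbor",
    "igloo", "jelly", "kayak", "lemon", "mango", "noble", "olive", "piano",
    "quilt", "river", "stone", "tiger", "umbra", "vivid", "wheat", "xenon",
    "yacht", "zebra", "amber", "bison", "cedar", "dune", "ember", "fjord",
]

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words in the standard Diceware list


def passphrase_entropy_bits(num_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy in bits of num_words drawn uniformly (with replacement) from list_size words."""
    if num_words < 1 or list_size < 2:
        raise ValueError("need at least one word and a list of at least two words")
    return num_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of words whose passphrase reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(num_words: int, words=CONSTRUCTED_WORDS, sep: str = " ") -> str:
    """Pick num_words uniformly at random; secrets.choice plays the role of the dice."""
    if num_words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(words) for _ in range(num_words))


def passphrase_bits(phrase: str, words=CONSTRUCTED_WORDS, sep: str = " ") -> float:
    """Entropy of a passphrase built from `words`; rejects words outside the list."""
    parts = phrase.split(sep)
    unknown = [p for p in parts if p not in words]
    if unknown:
        raise ValueError(f"not from the word list: {unknown}")
    return passphrase_entropy_bits(len(parts), len(words))


if __name__ == "__main__":
    phrase = generate_passphrase(6)
    print(phrase)
    print(f"{passphrase_bits(phrase):.1f} bits with the constructed list")
    print(f"{passphrase_entropy_bits(6):.1f} bits with the real 7776-word list")
    print(f"words needed for 80 bits: {words_needed(80)}")
```

The point to take from the numbers: six words from the real Diceware list give about 77.5 bits of entropy, comparable to a 12-character random password, while staying easy to remember; the strength comes from uniform random selection, not from clever substitutions, so the words must come from a secure random source, never chosen by hand.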
With 1Password:
1. Install the 1Password Extension
2. Click the links above to go straight to the Password Reset page of your vulnerable account
3. Log in
4. Click the 1Password extension button to generate a new secure password or create your own
5. Hit Autofill
6. Select Save Changes on the website
7. Select Update on the 1Password Update Login prompt
Once you’ve updated all your passwords, you can use 1Password for iOS or Mac to view and edit login credentials and sync the new passwords across all devices.
With iCloud Keychain:
1. Enable iCloud Keychain on Mac by going to System Preferences >> iCloud >> Keychain
2. Open the links above in Safari to go straight to the Password Reset page of your vulnerable account
3. Log in
4. Reset your password by clicking the Auto-Generated Password or by creating your own
5. Save changes and repeat with next account.
Ensure that you have iCloud Keychain enabled on iOS by going to Settings >> iCloud >> Keychain. Once you’ve reset all your passwords, iCloud will sync the new info to your iPhone. You can also search through and edit your passwords under Settings >> Safari >> Passwords & Autofill >> Saved Passwords.
For Windows/Android Users
Dashlane [Price: Free / $29.99/year]
Dashlane is another very popular and very solid password manager app that has made top lists in this category before. It has a number of distinctive features, including auto-login on websites and apps, compatibility with Google Authenticator, a password generator, and auto-locking with a PIN. The only caveat is that the subscription service costs $29.99 per year, or about $2.50 per month. Dashlane does come with a better-looking interface than most, and the feature set is richer than you’ll see with many others. If you’re okay with shelling out the money every year, this is a great option to consider.
LastPass [Price: Free / $12/year]
LastPass is an increasingly popular, cross-platform password manager. The desktop version is free, while the mobile version is $12 per year or $1 per month. It features a recently redesigned UI that doesn’t look bad, a password generator, a built-in browser so you can auto-login to sites if you so choose, and even support for tablets. It’s a popular option because it’s very simple, and there are LastPass plugins available for Chrome and Firefox should you want it there (which we recommend). It’s solid, it’s simple, and it’s powerful. Definitely worth trying out the 14-day free trial.
mSecure [Price: Free / $19.95]
mSecure is among the most popular on the list, and you’ll likely see it on all the other lists like this one too. It’s cross-platform, with desktop versions. Everything together costs $19.95, but they frequently have sales, which is nice. It comes with an exhaustive list of features, including a password generator, auto-lock, auto-backup, a self-destruct if a hacker tries to gain access to it, categorical organization, tablet UI support, Dropbox sync, and a whole bunch more. Really, the list is pretty impressive. You do get a free trial so you can try it out if you want, and we recommend you do.
Check out the previous parts of the series:
If you like my articles don’t forget to Like, Share and Tweet!