Are you in the habit of regularly changing the passwords for your online accounts? You should be; changing passwords regularly is a required part of every wise Internet user’s safety routine.
The reason for changing online account passwords is simple: the Internet bad guys are always stealing somebody’s password. A few here, a few there, sometimes by the hundreds or thousands, sometimes a million or more in a single breach. The crooks can’t use or exploit all those passwords at once, so they stockpile the bulk of them, and trade or sell them, to be used in future crimes. With luck, by the time they get around to trying yours, you have changed it, and it no longer works. “Curses,” you hope they will say, “Foiled, again!”
Just in case you need more motivation to change your passwords, here’s the latest, extra reason: Heartbleed. If you’ve seen or heard the news this past week, and the reports were at all accurate, you know that Heartbleed is not a malady that afflicts the human body. Instead, Heartbleed is a flaw in a widely used piece of software that can let the bad guys read the contents of a web server’s memory, and your password, as it sits there, may be part of what they read.
In a nutshell, Heartbleed is a programming mistake in OpenSSL, a software library that many websites use to provide SSL (Secure Sockets Layer) and its successor, TLS. SSL is the major protection scheme used by online banks, stores like Amazon, and email services like Yahoo. When you go shopping, banking, Facebooking and emailing on the Internet, SSL is what provides the “https” in the address and the little lock symbol that’s supposed to indicate you are using a safe, secure connection. The mistake is in a little-noticed feature called the “heartbeat,” which lets one side of a connection ask the other to echo back a short message. A flawed OpenSSL server trusts the sender’s claim about how long that message is, so a crook who claims to have sent more than he actually sent gets back up to 64 kilobytes of whatever else happens to be in the server’s memory: other people’s passwords, login cookies, even the server’s own private encryption key. The attack leaves no trace in the server’s logs, so a site cannot tell whether it was hit.
OpenSSL is one of the most widely used implementations of SSL out there, and it’s the one with the Heartbleed problem. Major sites reported as affected include Facebook, Instagram, Tumblr, Google+, Gmail, Youtube, Yahoo, Godaddy, Etsy, Intuit, Turbotax, Yahoo Mail, Netflix, Pinterest, Dropbox, LastPass and thousands more.
Some folks like to argue and say, “Why, I don’t use a password for my email (or Facebook, or whatever). I just click ‘the button’ and it takes me there.” Au contraire, mon frère, just because you don’t see it doesn’t mean it’s not happening. When you click “the button,” one of two things happens behind the scenes: either your browser fills in the password you told it to remember and sends it to a computer server somewhere on the Internet, or it sends a “login cookie” the site gave you last time, which stands in for your password. Either way, a secret knocks on the door and says, “Hello! Let me in and give me my stuff!” And either way, that secret sits in the server’s memory, exactly where Heartbleed lets a stranger read it. That’s how it works.
Some of the news reporting on the Heartbleed problem has been, shall we say, less than accurate. Some reports have even called it “the Heartbleed Virus,” but it’s not a virus; oh, that it were. A virus is a program that spreads from machine to machine; Heartbleed is a hole in a program that was already installed on the machine, waiting for someone to look through it. That said, it is a very serious problem that has the potential to make problems like the Target hack look like chump change.
Two things will abate the Heartbleed problem: action by website owners and action by us, you and me, the general public. For websites, particularly those which have any sort of sign-in function, it means updating to a fixed version of OpenSSL (1.0.1g or later, or a vendor build that carries the fix), as well as patching things like switches, routers and firewalls, many of which quietly bundle OpenSSL. Testing should be done, with one of the freely available Heartbleed scanners, to make sure the fix actually took. Only then should encryption keys and certificates be changed: generate brand-new private keys, have new certificates issued on them, and revoke the old ones, since a key that was in memory while the hole was open may already have been copied. Sites should also log everyone out, so that any login cookies that leaked stop working. The order matters; new keys installed on an unpatched server can leak just like the old ones. Fortunately, by the time you read this column, most major websites will have done these repairs.
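For the website owners in the audience, here is the shape of the testing step, as an added example that is not part of the original column. It does two things that a Heartbleed scanner does: it builds the malformed heartbeat request (a record whose header claims 16 kilobytes of payload but carries none) and it judges a server’s reply, calling it vulnerable only if the reply contains more bytes than were actually sent. It also checks an `openssl version` banner against the known-vulnerable range. Everything is worked on constructed sample bytes so it runs offline; the reply bytes, the leaked “cookie” text and the function names are this example’s own, not anything captured from a real server.

```python
"""Heartbleed check logic on constructed data (added example, not the column's code).

The record layout follows the TLS record layer and the heartbeat extension
(RFC 6520): a 5-byte record header, then heartbeat type, a 2-byte payload
length, the payload, and at least 16 bytes of padding. Unpatched OpenSSL
(1.0.1 through 1.0.1f) trusted the 2-byte length and copied that many bytes
out of its own memory, which is the bug.
"""
import re
import struct

TLS_HEARTBEAT = 0x18          # record content type for heartbeat messages
TLS_ALERT = 0x15              # record content type for alerts
HB_REQUEST, HB_RESPONSE = 0x01, 0x02
TLS1_1 = b"\x03\x02"          # TLS 1.1 version bytes; any TLS version works


def build_heartbeat_request(claimed_payload_len, actual_payload=b""):
    """Build a heartbeat request whose header claims `claimed_payload_len`
    bytes but that actually carries only `actual_payload`."""
    body = struct.pack("!BH", HB_REQUEST, claimed_payload_len) + actual_payload
    return struct.pack("!B2sH", TLS_HEARTBEAT, TLS1_1, len(body)) + body


def parse_tls_record(data):
    """Split one TLS record into (content_type, version, body)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, version, length = struct.unpack("!B2sH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than its header claims")
    return content_type, version, body


def classify_heartbeat_response(sent_payload_len, response):
    """Judge a server's reply to our request.

    Returns "vulnerable" if the echoed payload is longer than what we sent
    (those extra bytes came from the server's memory), "patched" if the echo
    is exactly as long as what we sent, "no-heartbeat" if the server answered
    with something other than a heartbeat (an alert, typically), and
    "malformed" if the bytes do not parse at all.
    """
    try:
        content_type, _version, body = parse_tls_record(response)
    except ValueError:
        return "malformed"
    if content_type != TLS_HEARTBEAT:
        return "no-heartbeat"
    if len(body) < 3 or body[0] != HB_RESPONSE:
        return "malformed"
    echoed_len = struct.unpack("!H", body[1:3])[0]
    payload = body[3:3 + echoed_len]          # truncates if the record is short
    return "vulnerable" if len(payload) > sent_payload_len else "patched"


def openssl_version_is_vulnerable(banner):
    """Check an `openssl version` banner such as "OpenSSL 1.0.1e 11 Feb 2013".

    Vulnerable: 1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in 1.0.1g.
    Caveat: distributions often backport the fix without changing the letter,
    so a "vulnerable" answer here is a hint to test the live server, not proof.
    """
    m = re.search(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)", banner)
    if not m:
        return False
    major, minor, patch, letter = int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)
    if (major, minor, patch) == (1, 0, 2):
        return "beta1" in banner
    if (major, minor, patch) != (1, 0, 1):
        return False              # 0.9.8 and 1.0.0 never had the heartbeat code
    return letter < "g"


# ---- constructed sample traffic (not a real capture) ----------------------
REQUEST = build_heartbeat_request(claimed_payload_len=0x4000)   # claims 16 KB, sends 0


def _fake_heartbeat_reply(payload):
    """Assemble what a server's heartbeat response record looks like."""
    body = struct.pack("!BH", HB_RESPONSE, len(payload)) + payload + b"\x00" * 16
    return struct.pack("!B2sH", TLS_HEARTBEAT, TLS1_1, len(body)) + body


# A leaking server echoes 16 KB it never received; here a made-up slice of it.
LEAKY_RESPONSE = _fake_heartbeat_reply(b"Cookie: session=abc123; " + b"\x00" * 200)
# A fixed server drops the bad request or sends a fatal alert (2 = fatal, 10 = unexpected_message).
FIXED_RESPONSE = struct.pack("!B2sH", TLS_ALERT, TLS1_1, 2) + b"\x02\x0a"
# A well-behaved echo of a 3-byte payload we actually sent.
GOOD_ECHO = _fake_heartbeat_reply(b"abc")

if __name__ == "__main__":
    print("leaky server :", classify_heartbeat_response(0, LEAKY_RESPONSE))
    print("fixed server :", classify_heartbeat_response(0, FIXED_RESPONSE))
    print("honest echo  :", classify_heartbeat_response(3, GOOD_ECHO))
```

The classifier is deliberately conservative: a server that answers with an alert, or not at all, is reported as "no-heartbeat" rather than "patched", because silence only means the test could not reach the bug, not that the bug is gone. Pointing this at a live server needs the TLS handshake that a full scanner provides; the judgement logic is what carries over unchanged.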
For the rest of the world, meaning us, the end users, the general public, there is still one thing we must do, even after the websites have fixed their part: change the passwords to all of our online accounts. Yes, taking into account the exceptions listed below, all of them should be changed. Every single one. Email, banking, investments, credit cards, shopping, it doesn’t matter. One caution: wait until the site has done its repairs before you change a password there, because a new password typed into an unpatched site can leak just as easily as the old one did. Most major sites have posted a notice, and the free Heartbleed test pages will tell you about the rest. And while you are at it, give each site a different password; a stolen password does the most damage when it opens more than one door. It’s the only way to know for sure that you have done what you can do to protect yourself. Yes, it’s that serious. No, I’m not kidding.
As of this writing, websites reported to be unaffected by the Heartbleed problem, whose passwords do not need changing because of this particular issue (but should still be changed from time to time), are AOL, Mapquest, Apple, Amazon.com, Bank of America, Charles Schwab, Chase Bank, Fidelity, E*Trade, HSBC, Capital One, Citigroup, Groupon, Target, Walmart, Microsoft, Hotmail, Outlook.com, PayPal, Scottrade, TD Ameritrade, Wells Fargo Bank, and U.S. Bank. All other websites should be considered suspect, and the passwords should be changed.
New information released today (Friday, 4-11-14) shows that some devices, such as smartphones and tablets, may have Heartbleed bug problems that need to be fixed, as well. Apple iOS devices, such as iPhones and iPads, are not affected. Windows phones are not affected, either. Blackberry devices are “currently under investigation.” The problems mainly affect Android smartphones, specifically those running Version 4.1.1, which shipped with a vulnerable OpenSSL; the fix has to come from the phone maker or carrier as a system update. There is a Heartbleed detector that you can download from the Google Play store that will check whether your phone’s copy of OpenSSL is vulnerable. Send me an email and I will send you a link to a complete list of things to look for.
You still need to change your passwords. You should be changing your passwords regularly, anyway, so you should have the procedure down. Sure, it’s a hassle, but not as much of a hassle as getting ripped off by the Russian Mafia, or discovering that your investment accounts have been drained, or finding out that someone bought a car using your identity. Please, make us both happy; be a victor, not a victim.