My son sent me a very detailed email that is so important I had to share it.
Those of you who are tech savvy will have read about this, but for those of you who haven’t read about it, please pay attention, as this is extremely important.
On or about April 7, 2014, security researchers found a dangerous vulnerability in something known as OpenSSL. OpenSSL is popular encryption software used by many online service providers. When you use a website such as Gmail or log into your bank’s website, you will likely see a green lock in your address bar (like this: http://d.pr/i/rhX2). This signifies that the information being transmitted to the service and back to you is secure (in layman’s terms, it does this by “locking” the data with a special code that only the receiving party knows how to unlock. If someone tries to steal the data while it’s in transit, they don’t see any of it because it’s locked.)
These security researchers found a vulnerability in which someone could trick the server into releasing some information. This vulnerability has reportedly been left undiscovered for nearly 2 years. OpenSSL is the most popular SSL software in the world, so you can see how this is incredibly dangerous.
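To make the "trick the server into releasing some information" part concrete, here is a small added simulation (my own illustration, not code from the email and not OpenSSL's code). It models process memory as one byte array holding a received heartbeat record followed by unrelated data. The vulnerable handler trusts the length the sender claims and copies that many bytes; the fixed handler refuses any request whose claimed payload does not fit inside the record actually received, which is the essence of the patch. All messages and the "neighbouring" memory contents are constructed sample values.

```python
"""Simulated TLS heartbeat handling: the missing length check behind Heartbleed.

Added illustration only; process memory is modelled as a bytearray in which the
received record sits at offset 0 and is followed by other data that must never
be sent back to the network.
"""
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # minimum padding a heartbeat message carries after its payload

# Constructed sample data: an honest request, one that over-claims its payload
# length, and some unrelated bytes that happen to sit next to the record.
PAYLOAD = b"hello"
PADDING = b"\x00" * PADDING_LEN
HONEST_RECORD = bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", len(PAYLOAD)) + PAYLOAD + PADDING
OVERCLAIM_RECORD = bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 64) + PAYLOAD + PADDING
NEIGHBOUR = b"SECRET-SESSION-COOKIE=abc123; next-user-password=hunter2"


def build_memory(record: bytes, neighbour: bytes = NEIGHBOUR) -> bytearray:
    """Constructed process memory: the record, then whatever else was allocated nearby."""
    return bytearray(record + neighbour)


def parse_header(memory: bytearray, record_len: int) -> Tuple[int, int]:
    """Read the one-byte type and the two-byte big-endian payload length."""
    if record_len < 3:
        raise ValueError("record too short for a heartbeat header")
    msg_type = memory[0]
    (payload_len,) = struct.unpack("!H", bytes(memory[1:3]))
    return msg_type, payload_len


def vulnerable_handler(memory: bytearray, record_len: int) -> Optional[bytes]:
    """Trusts the claimed payload length and echoes that many bytes of memory."""
    msg_type, payload_len = parse_header(memory, record_len)
    if msg_type != HEARTBEAT_REQUEST:
        return None
    # Bug: copies payload_len bytes after the header no matter how long the
    # record really was, so bytes beyond it (NEIGHBOUR) leak into the reply.
    echoed = bytes(memory[3:3 + payload_len])
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len) + echoed


def fixed_handler(memory: bytearray, record_len: int) -> Optional[bytes]:
    """Drops any request whose claimed payload cannot fit in the received record."""
    msg_type, payload_len = parse_header(memory, record_len)
    if msg_type != HEARTBEAT_REQUEST:
        return None
    # The bounds check: type (1) + length (2) + payload + padding must fit.
    if 1 + 2 + payload_len + PADDING_LEN > record_len:
        return None  # silently discard, as the patched code does
    echoed = bytes(memory[3:3 + payload_len])
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len) + echoed


def leaked_bytes(response: Optional[bytes], record_len: int) -> bytes:
    """Whatever the reply contains beyond the bytes the record legitimately held."""
    if response is None:
        return b""
    legit = record_len - 3  # payload plus padding actually received
    return response[3 + legit:]


if __name__ == "__main__":
    mem = build_memory(OVERCLAIM_RECORD)
    n = len(OVERCLAIM_RECORD)
    print("vulnerable leaks:", leaked_bytes(vulnerable_handler(mem, n), n))
    print("fixed replies with:", fixed_handler(mem, n))
    mem_ok = build_memory(HONEST_RECORD)
    print("honest request echoed:", fixed_handler(mem_ok, len(HONEST_RECORD)))
```

Running it shows the vulnerable handler's reply carrying the neighbouring "session cookie" bytes while the fixed handler answers the same request with nothing at all and still echoes the honest request normally. The point for readers of this email: the leak was never about breaking the encryption, it was a missing "does the length you claim fit in what you sent" check, and that is also why only the patched software, not a password change on its own, closes the hole.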
Most popular sites are no longer, or were never, vulnerable (e.g. Google, Facebook, Twitter, Citibank, Chase, Amex, etc.).
That being said, this next part is important:
Please change all your passwords. Even if a site like Google is no longer vulnerable, there is no way to know if they were vulnerable in the past two years, and if so, for how long. Better to be safe than sorry.
If a site is still vulnerable, do not visit it until it is fixed. If you find out a service you use is still vulnerable, stay away from it until it’s been fixed. Only then should you change your password. If you change your password while the service is vulnerable, it would be a moot point since someone could still steal it, since it’s still vulnerable.
If you want to check if a service you use is vulnerable, use this tool: http://filippo.io/Heartbleed/
If it says the service is no longer vulnerable, don’t just do nothing. Change your password!
At this point, most services have repaired their vulnerability issues. They will be in the process of revoking their certificates (keys) and issuing new ones to everyone.
Now, this brings me to my next point.
Please, please, please, please use safe passwords.
What is a good password?
Here’s a good example of what constitutes a good password: http://xkcd.com/936/
Here’s how I make my passwords:
First of all, I don’t have one password for everything. I have different classes of passwords. For example, I have one class of password for my bank accounts, one class of password for my social media sites, one class of password for email accounts, etc. This makes it easy for me to remember which base password to use for which service.
What, base password?
Yes, base password. Here’s what I mean by that:
Let’s say my social media base password is “bluerugcocoaplastic”. Now what do I do? I add an additional element to it. At the end of it, I add a differentiator.
For example, for Facebook, I’d type in “bluerugcocoaplasticfacebook”. For Twitter, I’d type in “bluerugcocoaplastictwitter”.
It doesn’t have to be the name of the service you’re using. You can use a kind of “code” that only you know, something you associate the service with. You can just use “face” for Facebook, “city” for Citibank, “bird” for Twitter, etc.
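The scheme above, written out as a small added Python example (mine, not the email author's): a random word-based base passphrase in the xkcd 936 style, a per-service differentiator appended to it, and a rough entropy figure so you can see what the word count buys you. The word list here is a constructed 32-word sample (5 bits per word); a real diceware list of 7776 words gives about 12.9 bits per word, which is what the entropy function is computing in the second call.

```python
"""Base passphrase plus per-service differentiator, as described in the email.

Added illustration only. Uses the secrets module so the word choice is made
by the OS random generator rather than random.choice, which is not suitable
for secrets.
"""
import math
import secrets
from typing import Dict, List

# Constructed sample word list (32 entries = exactly 5 bits per word).
# Swap in a real diceware list for actual use.
WORDS: List[str] = [
    "blue", "rug", "cocoa", "plastic", "river", "stone", "candle", "maple",
    "orbit", "fossil", "violin", "harbor", "pepper", "quartz", "meadow", "lantern",
    "saddle", "turnip", "walrus", "zipper", "anchor", "beacon", "cactus", "dolphin",
    "ember", "falcon", "garnet", "hammock", "iguana", "jigsaw", "kettle", "lemon",
]


def passphrase(n_words: int = 4, words: List[str] = WORDS, sep: str = "") -> str:
    """Pick n_words uniformly at random; the email joins them with no separator."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(n_words: int, vocabulary_size: int) -> float:
    """Bits of entropy for n_words drawn uniformly from vocabulary_size words."""
    return n_words * math.log2(vocabulary_size)


def service_password(base: str, differentiator: str) -> str:
    """The email's rule: base passphrase with the service's differentiator at the end."""
    return base + differentiator


def service_passwords(base: str, differentiators: Dict[str, str]) -> Dict[str, str]:
    """Build the whole class at once, e.g. every social media login from one base."""
    return {service: service_password(base, tag) for service, tag in differentiators.items()}


if __name__ == "__main__":
    base = passphrase(4)
    print("base:", base, f"(~{entropy_bits(4, len(WORDS)):.0f} bits from this toy list)")
    print(f"same four words from a 7776-word list: ~{entropy_bits(4, 7776):.1f} bits")
    for svc, pw in service_passwords(base, {"Facebook": "face", "Twitter": "bird"}).items():
        print(f"{svc}: {pw}")
```

One caveat worth keeping in mind with the differentiator approach: the base is shared across the whole class, so if one site in that class leaks your password in plain text, the base is exposed and only the short tags stand between the attacker and your other accounts in the class. Longer bases from a bigger word list help, and a password manager generating an unrelated random password per site removes the shared base entirely.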
Why is it so important to be vigilant about my online passwords?
Well, you don’t have the same key for your safety deposit box, car, front door, back door, garage door, do you? Why should it be the same for your online passwords?
Well, the Internet seems like it’s too much trouble.
Perhaps. Lest we forget, the Internet is still in its relatively early stages in the grand scheme of things. It’s been only, what, 20-30 years since the commercial sector began monetizing the Internet?
And for God’s sake, don’t tell anyone else your password over the Internet unless you know how to use private key encryption. If you absolutely must tell your SO or anyone your password, write it down on a piece of paper, or tell them over the phone (but make sure nobody else is listening, duh).
Here’s a good analogy to help understand what the Heartbleed vulnerability is:
Let’s say someone realized the most popular lock manufacturer in the world accidentally had a hidden part of their locks that sometimes will force the lock open without the key. That’s no good, is it? So now the lock manufacturer has to send everyone new locks and new keys, and you need to replace all your locks and keys.