Unless you’ve been living under a rock the past few days, you are aware of the uproar around the Heartbleed security flaw. This is a very serious security hole and has rightfully gotten very close attention from the Internet community. In the wake of the disclosure, there has been a general call for people to change all their passwords, which for many of us would be a full-time occupation for several days! What is needed is a list of sites affected by the Heartbleed bug so that we can intelligently focus our efforts.
Fortunately, such a list has been produced and published on Mashable.com. Needless to say some very high profile sites are listed and are the ones that need attention soonest. The article is here:
Please address this now while you’re thinking about it. While the odds of your credentials having been exposed are small, we don’t know how long Heartbleed has been known to the bad guys and whether or not the sites listed have been exploited.
Do I Have To Change My Passwords?
Several clients have asked if it’s necessary to change passwords. My answer has been that it can’t hurt to do so, as most of us, myself included, do not change passwords often enough. If you haven’t changed your important passwords lately, it’s probably time to do it.
Consider Two-Factor Authentication
Google has offered two-factor authentication for some time. I know some of my clients have used it and I’ve put it off, but I have now implemented it on my account. It’s extremely effective because it’s unlikely that someone would have stolen your password and have access to your phone at the same time.
Yes, it’s a bit of a hassle because in order to log in you have to not only enter your password, but you have to enter a code that Google sends to your phone via text or voice (your choice). The good news is that once you have completed the process on a given computer and told Google that you trust the computer, you don’t have to enter the code again.
Unfortunately, there are applications that want to interact with Google outside the browser which have no way to request the verification code. For these, Google provides application-specific password capability where you assign an additional password to the application in question.
Be safe out there!