Heartbleed and Personal Password Management

Heartbleed has forced me to write about personal password management again. While we've made some advances toward multi-factor and biometrics we haven't come far enough.

"I've written (2005), and written (2012), spoken (2009), and taught (2006) about password management in the past. I continue to believe that password-centric authentication systems are limited in their ability to provide much assurance about a person's claim on a given digital identity. Any information system requiring more than a basic level of assurance must use stronger multi-factor authentication mechanisms that incorporate things like one-time passwords and biometrics. However, passwords will continue to be part of our lives until stronger authentication mechanisms become more pervasive; and this won't happen until these systems combine the qualities of integribility, supportability, and usability." -Me, back in 2012, read more

So here we are in 2014 and the Heartbleed recovery effort is causing us all to change a bunch of passwords. What a mess, and what a reminder that personal password management is still a big, big problem. Even IT people still have the idea that all passwords should be "impossible to remember and never written down," which is of course ridiculous. I heard as recently as today of an IT person using the "categories of passwords" approach.

So let me give you some brief advice as you recover from Heartbleed with the rest of the world.

  1. Get a password manager and set it up with a strong master password.
  2. Use a Heartbleed tester to check popular sites. First use this one to see if the site uses OpenSSL and then use this one to see if it's actually vulnerable.
    • If a site you use is still vulnerable, don't use it until it has been fixed; keep retesting it until it is no longer vulnerable.
    • If a site is no longer vulnerable, change your password (a unique password for every site, thus the reason for the password manager).
  3. Enable multi-factor or two-step authentication on all sites that offer it (e.g., Google, GoDaddy, LastPass, Dropbox).