Millions of people are being urged to change all their online passwords after a bug was discovered which enables hackers to steal information that is presumed to be protected by encryption on secure internet sites.

The Heartbleed bug, as it is now commonly known, is a serious vulnerability in the OpenSSL cryptographic software library, which is used to digitally encrypt sensitive information as it passes between computers. The vulnerable OpenSSL version was released in March 2012 and has therefore been available and in use for the past two years.

The Heartbleed bug allows an attacker to pull a small amount of data from a server’s memory space. Sensitive information may be held in that memory, so any data on the server could be compromised. In worst-case scenarios, server private keys, session cookies or passwords could be at risk of being stolen.
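To make that "small amount of data from memory" concrete, here is an added model of the heartbeat length handling behind the bug beside the check that fixed it. This is illustration code written for this article, not OpenSSL's own code; the record layout follows the TLS heartbeat specification (RFC 6520), and the sample record, the `arena` buffer and the "SECRET" marker are constructed for the demonstration.

```c
/* Simplified model of the TLS heartbeat handling behind Heartbleed. Added illustration,
 * not OpenSSL's code. Record layout per RFC 6520:
 * [0] type, [1..2] payload_length (big-endian), [3..] payload, then >= 16 bytes padding. */
#include <stdint.h>
#include <string.h>

#define HB_HEADER_LEN 3
#define HB_MIN_PADDING 16

/* Pre-fix behaviour: trust the peer's claimed payload_length and copy that many bytes into
 * the reply. A claim larger than the record received makes the copy run past the record
 * into adjacent memory, which is then sent back to the peer. `arena` stands in for process
 * memory so that the over-read stays inside bytes this program owns. */
size_t heartbeat_reply_unchecked(const uint8_t *arena, size_t arena_len,
                                 size_t rec_off, uint8_t *out, size_t out_cap) {
    const uint8_t *rec = arena + rec_off;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > out_cap || rec_off + HB_HEADER_LEN + claimed > arena_len)
        return 0;  /* demo-only guard; the real code had nothing comparable */
    memcpy(out, rec + HB_HEADER_LEN, claimed);  /* reads past the record */
    return claimed;
}

/* Fixed behaviour: the claimed length must fit inside the record actually received,
 * with room for the mandatory padding; anything else is silently discarded. */
size_t heartbeat_reply_checked(const uint8_t *rec, size_t rec_len,
                               uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER_LEN + claimed + HB_MIN_PADDING > rec_len) return 0;
    if (claimed > out_cap) return 0;
    memcpy(out, rec + HB_HEADER_LEN, claimed);
    return claimed;
}

/* Constructed sample: a 23-byte record carrying "ping" plus 16 bytes of padding whose header
 * claims 40 bytes (0x0028); "SECRET" sits just past the record in the arena.
 * Returns 1 if the unchecked handler echoes those extra bytes, 0 otherwise. */
int leak_demo(void) {
    static const uint8_t arena[64] = { 0x01, 0x00, 0x28, 'p', 'i', 'n', 'g',
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 'S', 'E', 'C', 'R', 'E', 'T' };
    uint8_t out[64];
    size_t n = heartbeat_reply_unchecked(arena, sizeof arena, 0, out, sizeof out);
    return n == 40 && memcmp(out + 20, "SECRET", 6) == 0;
}

/* The fixed handler discards that record but still echoes an honest one (claim = 4). */
int fix_demo(void) {
    static const uint8_t bad[23] = { 0x01, 0x00, 0x28, 'p', 'i', 'n', 'g' };
    static const uint8_t good[23] = { 0x01, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    if (heartbeat_reply_checked(bad, sizeof bad, out, sizeof out) != 0) return 0;
    return heartbeat_reply_checked(good, sizeof good, out, sizeof out) == 4
        && memcmp(out, "ping", 4) == 0;
}
```

The point for a defender is the single comparison in `heartbeat_reply_checked`: the peer's claimed length is never trusted on its own, only against the number of bytes that actually arrived.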

Computer security expert Bruce Schneier blogged: “Catastrophic is the right word. On the scale of one to 10, this is an 11.” Popular blogging site Tumblr, part of Yahoo!, also posted a warning to its users, encouraging them to update all of their existing passwords.

Now that most systems are being patched, and with no way of knowing which sites might have been compromised, we are left in the uncomfortable position of having to assume that every password we have used on the internet could have been compromised.

Whether or not we believe our passwords have been hacked, it is always a good idea to change passwords periodically and replace old and weak passwords.

First of all, never use the same password for everything. Most of us disobey this one, so now that you are changing them, take control and make each one different in some way.

Don’t use personal information about yourself that others can find out. It’s easy for people to guess your favourite football team, your dog’s name, your children’s names or birth dates. Also, don’t write your passwords down and don’t let your internet browser save your passwords.

Protect your e-mail password the most – this is the way into almost all your other sites. The e-mail address is often your username and it’s where all the password reset e-mails get sent to.

Make your passwords long. The truth is that it’s far better to type a very long password than to use uppercase letters, numbers and symbols in a short password. As much as possible, do not use the secret questions option to reset your account. A lot of people get hacked because the secret answer to “Where did you go to school?” is quite easy to guess.

These tips mean that you are now supposed to remember 20 or 30 long and complicated passwords and change them every month or so. The best way to master this is to use long passphrases made up of common words rather than single-word passwords. Ideally nothing related to you, but something you won’t forget, like a line from the national anthem.

If you must reuse passwords, there is a compromise. Keep your work, e-mail and internet passwords completely separate. Use this rule to create at least three long passwords and use each one only for its category. Hopefully this will make it easier to remember just three passphrases without writing them down.

Anything that needs additional safety, like internet banking, should be kept separate. Finally, if you must write it down, use paper and a sealed envelope and keep them locked up where only you have the key.

PwC provides information technology and information security advisory services to a wide range of clients in many business sectors. On public disclosure of the Heartbleed bug, PwC developed a methodology to assist clients in identifying, assessing and addressing the information leakage risks to their business.

PwC has also published a bulletin with more information and frequently asked questions on the Heartbleed bug at www.pwc.com/mt/heartbleed/.

If you would like to discuss the issues or other cybersecurity matters, contact PwC on malta.technology@mt.pwc.com.
