Tuesday, 15 April 2014

Bleeding Hearts...

There is a great kerfuffle going around on the interwebz. There seems to be a serious security weakness in the OpenSSL software used by several sites which could render users vulnerable to having sensitive data such as passwords stolen.

Horror stories about viruses, hacks and impending meltdowns aren't exactly new, and I was tempted to ignore Heartbleed as more of the same. But the acknowledgement by several of the big sites such as Google, Yahoo and Facebook that they have looked into the problem and applied security patches suggested that it was something to take seriously.

The problem is ostensibly very simple to resolve - by changing one's password. There is a catch: there is no point changing one's password unless the affected website has applied a security patch; otherwise the new password will be just as vulnerable as the old one.

Sophie Curtis of The Telegraph has provided a link to check a site's URL to see if it is affected by the bug. Even more helpfully, she has compiled a list of some of the more common websites with a summary of each site's status and whether or not it is necessary to change one's password.

I have to hold my hand up and admit that I have been shockingly lax in setting passwords - I basically had one for work and one for personal use, and I had been assured that they were "strong" passwords by each site on which I'd used them... the thought of trying to generate and remember unique passwords for each secure site I use made me blench. But since I now have to change my passwords anyway, I have bitten the bullet and set up a password manager which does the random generator thing for me. It even has an app for the phone. The disadvantage is that the master key which opens the password manager isn't stored anywhere. It's also an extremely time-consuming process.

Now I just have to make sure that I don't forget the master key...
