PUBLIC SERVICE MESSAGE
Rather than worry about Heartbleed, here’s what you need to do, so that you care a lot less the next time this happens.
Which will be less than 2 years from now, virtually guaranteed: something like this will affect you again.
(1) Download and install a secure password database manager, like PasswordSafe, available for Android and iPhone. If you want to use one other than this one, make sure that its implementation is reasonably secure. That exercise is left to the reader.
(2) Install PasswordSafe on your phone. You can install it on your computer, too. Choose one legitimately hard password to protect the safe.
This part is seriously important… your phone keyboard is annoying, and toggling back and forth between sub-keyboards for special characters is annoying, so do something like this if you’re not the breed of cat who can remember and type complex passwords on annoying keyboard interfaces.
Write this password down, and put it in a secure physical location where your spouse can find it if you die suddenly, because they may need to get access to your stuff for a large number of reasons.
(3) Go through your list of web sites, and take the time to change every password at every site. Store the changed passwords in your Password Safe. There are fields in Password Safe that let you store additional information: URLs, security questions, email accounts associated with that site, etc. It’s awesome.
(3.a) Consider taking the time to create a brand-new email account, which you will only use for site registrations. Don’t use it for anything else. This has two big bonuses: one, if someone hacks your normal email, which you use every day and is therefore the account most likely to get hacked, they can’t get any password-reset emails sent to them; two, it cuts down on annoyance emails from web sites getting into your main account.
(4) Set a reminder in Google Calendar, or whatever calendar program you use, for 1 year from now. In a year, change all your passwords again. Do this religiously from now until you die or two-factor authentication becomes pervasive.
This is the requirement for leading even a minimally secure life in the digital age. Think of it as being about as enjoyable as renewing your driver’s license, if you want, but just do it already.
(5) Back up a copy of the data file for Password Safe off of your phone. Don’t worry, the file itself is encrypted, so assuming you chose a really good password in step (2), even if you lose the backup file nobody will be able to crack into it.
(6) If you’re using a web site that has any – and I mean ANY – limitations on the types of characters that you can use in your password, or has any limitation on the maximum length of the password, or allows passwords of fewer than 8 characters…
Seriously consider dropping that web site. They are doing it wrong.
I need to do my post on “How to organize your email and stay sane (or at least how I do and did)”
It starts with 3a, though doesn’t end there.
That’s it! I’m building a cabin in the woods and dropping out.
(Glad I can’t hear clapping over the internet.)
I’ll edit your manifesto.
I’ll subscribe to your newsletter.
I’ll add the image and the excerpt so that it’s ready for posting.
There is no such thing as contrails!
I’ll help you build the cabin.
In fact, if you come to Michigan, I already have access to one on 70 acres.
Excellent work, Patrick.
Secure passwords are good to have. Password safes are a great way to facilitate their use.
But using a secure password provides approximately zero protection against Heartbleed, and the many similar server-side vulnerabilities that have occurred in the past and are likely to occur in the future.
Good password management does cut down on your exposure, though.
Plus, you need to get in the habit of changing your passwords anyway, as long as we’re stuck using them.
At least for Android, there is an app called PasswdSafeSync, which does what it sounds like – syncs your password safe to a cloud storage location. If you are like me and too lazy to properly manage manually copying the password safe off the phone and backing it up every time you add or change a password, that’s a reasonable next best thing.
Also, for large changes, it’s way nicer to be able to use the desktop version of passwdsafe, with a proper mouse and keyboard. The updated version will then synchronize itself to your phone.
Re (6) – Sadly, that’s both my banks.
For #6: It’s amazing how bad real honest-to-God financial companies are at this stuff. My favorite one that I experienced fairly recently was that the password had to *start* with a letter. Clearly this wasn’t done to enhance security (and if it was, whoever thought it would is stupid), so what does it mean? What kind of funky code are they using that gags on strings that begin with a character other than a letter? Who knows how deep the rot goes?
I’ve been using a program/plugin called PasswordMaker for several years. What it does is concatenate the site URL + username + master password and then generate a one-way hash. Then that hash is bounced against a character set to create the password.
The trick here is that the actual passwords aren’t stored anywhere, just the parameters to generate them. And those parameters are adjustable nine ways to Sunday: length, character set, prefix, suffix (before or after hashing), etc. The generated passwords are just naturally nice, strong strings of gobbledygook. And, of course, you can back up the parameter file and transfer between machines.
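The derivation the comment above describes, as an added illustration that is not PasswordMaker’s own code (its real algorithm, character sets and defaults differ): a site password is a pure function of URL, username and master password, mapped onto a character set with a configurable length, prefix and suffix. The `modifier` parameter (for rotating a password without changing the master) and the rejection-sampling step are assumptions of this example, not features the comment mentions.

```python
import hashlib
import string
from typing import Iterator

# Constructed default for this example; PasswordMaker's own defaults differ.
DEFAULT_CHARSET = string.ascii_letters + string.digits + "!@#$%^&*"


def _digest_stream(material: bytes, hash_name: str) -> Iterator[int]:
    """Yield an unbounded byte stream by hashing the material with a counter,
    so passwords longer than a single digest can still be derived."""
    counter = 0
    while True:
        yield from hashlib.new(hash_name, material + counter.to_bytes(4, "big")).digest()
        counter += 1


def derive_password(site_url: str, username: str, master_password: str,
                    length: int = 16, charset: str = DEFAULT_CHARSET,
                    prefix: str = "", suffix: str = "", modifier: str = "",
                    hash_name: str = "sha256") -> str:
    """Derive a site password as a pure function of its parameters.

    Follows the scheme the comment describes: concatenate URL, username and
    master password (plus an optional modifier, an assumption of this example),
    hash the result, then map the digest onto a character set. Only the
    parameters need to be stored, never the password itself.
    """
    alphabet = "".join(dict.fromkeys(charset))  # dedupe, keep order
    if len(alphabet) < 2:
        raise ValueError("charset needs at least two distinct characters")
    body_len = length - len(prefix) - len(suffix)
    if body_len <= 0:
        raise ValueError("prefix and suffix leave no room for derived characters")
    material = (site_url + username + master_password + modifier).encode("utf-8")
    # Rejection sampling: a plain `byte % len(alphabet)` would favour the
    # characters at the start of the alphabet whenever 256 % len(alphabet) != 0.
    limit = 256 - (256 % len(alphabet))
    body = []
    for byte in _digest_stream(material, hash_name):
        if byte < limit:
            body.append(alphabet[byte % len(alphabet)])
            if len(body) == body_len:
                break
    return prefix + "".join(body) + suffix


if __name__ == "__main__":
    # Same parameters give the same password; any changed parameter gives a new one.
    print(derive_password("https://example.com", "alice", "correct horse"))
    print(derive_password("https://example.com", "alice", "correct horse", modifier="2015"))
```

Because identical inputs always give the identical password, the yearly rotation in step (4) of the post means changing a stored parameter such as `modifier`, and a leaked site password plus its parameters exposes the master password to offline guessing, so the master must be strong in its own right.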