What You Should Do About the OpenSSL/Heartbleed Security Problem

By now you have probably read the news and seen the warnings about the OpenSSL Heartbleed security vulnerability that is present in certain versions of the software that powers 66% of the internet.

~

By now you have probably read the news and seen the warnings about the OpenSSL Heartbleed security vulnerability that is present in certain versions of the software that powers 66% of the internet.

Here’s what you should now do:

If you’re not a server admin then check the websites you frequently use at http://filippo.io/Heartbleed/. If the site shows as ‘seems safe’ then login and update your passwords to something secure and that you have not used before. Nearly every large tech company has recommended resetting your passwords.

Read the BBC article Heartbleed Bug: Public urged to reset all passwords for more information.

As noted in the above BBC article:

The University of Surrey’s Prof Alan Woodward is among security experts to have suggested internet users should now update their login details.

He suggests the following rules should be observed when picking a new password.

Don’t choose one obviously associated with you

Hackers can find out a lot about you from social media so if they are targeting you specifically and you choose, say, your pet’s name you’re in trouble.

Choose words that don’t appear in a dictionary

Hackers can pre-calculate the encrypted forms of whole dictionaries and easily reverse engineer your password.

Use a mixture of unusual characters

You can use a word or phrase that you can easily remember but where characters are substituted, eg, Myd0gha2B1g3ars!

Have different passwords for different sites and systems

If hackers compromise one system you do not want them having the key to unlock all your other accounts.

Keep them safely

With multiple passwords it is tempting to write them down and carry them around with you. Better to use some form of secure password vault on your phone.

If you are a server administrator, make sure your openssl libraries are up to date using yum/rpm/apt or your package manager of choice and then test your sites using the tool above.