Beware Heartbleed Bug | Passwords You Need to Change Right Now

An encryption flaw called the Heartbleed bug is already being called one of the biggest security threats the Internet has ever seen. The bug has affected many popular websites and services — ones you might use every day, like Gmail and Facebook — and could have quietly exposed your sensitive account information (such as passwords and credit card numbers) over the past two years.

But it hasn't always been clear which sites have been affected. Mashable reached out to some of the most popular social, email, banking and commerce sites on the web. We've rounded up their responses below.

Some Internet companies that were vulnerable to the bug have already updated their servers with a security patch to fix the issue. This means you'll need to go in and change your passwords immediately for these sites. Even that is no guarantee that your information wasn't already compromised, but there's also no indication that hackers knew about the exploit before this week. The companies that are advising customers to change their passwords are doing so as a precautionary measure.

Although changing your password regularly is always good practice, if a site or service hasn't yet patched the problem, your information will still be vulnerable.

Also, if you reused the same password on multiple sites, and one of those sites was vulnerable, you'll need to change the password everywhere. It's not a good idea to use the same password across multiple sites, anyway.

We'll keep updating the list as new information comes in. Last update: April 12, 10:30 p.m. ET

Article from http://mashable.com/2014/04/09/heartbleed-bug-websites-affected

How to Protect Yourself From the Heartbleed Bug

An encryption flaw called the Heartbleed bug that has exposed a collection of popular websites — from Airbnb and Yahoo to NASA and OKCupid — could be one of the biggest security threats the Internet has ever seen. If you have logged into any of the affected sites over the past two years, your account information could be compromised, allowing cybercriminals to snap up your credit card information or steal your passwords.

You're likely affected either directly or indirectly by the bug, which was found by a member of Google's security team and a software firm named Codenomicon. The bad news: There's not a lot you can do about it now. It's the responsibility of Internet companies to update their servers to deal with Heartbleed, and once they do, you can take action (see below).

The issue involves network software called OpenSSL, which is an open-source set of libraries for encrypting online services.

Secure websites — with “https” in the URL ("s" stands for secure) — make up 56% of websites, and nearly half of those sites were vulnerable to the bug. In theory, a cybercriminal could have exploited Heartbleed by making network requests that could piece together your sensitive data. The good news: There isn't any indication that a hacker caught wind of this; it seems the researchers were the first to locate the problem.

But the scary part is that attackers could have infiltrated these websites, extracted the information they wanted and left no trace of their presence. Thus, it's hard to determine whether someone ever exploited the bug, or if your account information was compromised.

What to do

First, check which sites you use are affected. If you don't want to read through the long list of websites with the security flaw, the password security firm LastPass has set up a Heartbleed Checker, which lets you enter the URL of any website to check its vulnerability to the bug and if the site has issued a patch. [Update: We've compiled a list of popular sites and whether they were affected.]

Next, change your passwords for major accounts — email, banking and social media logins — on sites that were affected by Heartbleed but patched the problem. That patch should also include reissuing any digital certificates that might be vulnerable. However, if the site or service hasn't patched the flaw yet, there's no point to changing your password. Instead, ask the company when it expects to push out a fix to deal with Heartbleed.

A big cause for concern is related to sites that have your sensitive information, such as Yahoo and OKCupid (most people aren't logging into NASA.gov with private data). Both companies have since issued a patch to fix the security hole, so users with accounts with those companies — including Yahoo Mail, Flickr and so on — should update their passwords immediately.

It's important to wait to get the "all clear" sign from a company or service before changing, especially now that this bug is out in the open. Changing a password before the bug is fully patched won't make things any better.

Facebook and Twitter use OpenSSL web servers, though it's still unclear whether or not they were vulnerable to the issue. Facebook reportedly issued a security patch, as did Google.

Other websites that have issued an OpenSSL software security update include WordPress, Amazon Web Services and Akamai.

Some websites not considered vulnerable include AOL, Foursquare and Evernote, among others.

"It's a big deal for Internet users, especially when it comes to protecting financial information," Joe Siegrist, CEO and cofounder of LastPass, told Mashable. "Some financial organizations are using more conservative web security choices like Microsoft, which is not vulnerable to the bug, so users should check and see if their bank has been affected."

Make sure to keep an eye on sensitive online accounts, especially banking and email, for suspicious activity for the next week or so.

Article from http://mashable.com/2014/04/09/heartbleed-what-to-do

Check site security before changing your password

It’s not clear exactly which services were impacted, or what passwords may have been compromised. But if you have an account on Yahoo, OKCupid or GitHub—three popular sites known to have had the vulnerability (and patched it)—you should change your password on them as soon as possible.

Other big Web companies are taking steps to fix the problem. You can check if a service has updated its security by typing in its domain name at https://www.ssllabs.com/ssltest

If everything’s green, it has probably been fixed and you are clear to change your password. If the site is not in the green, hold off. Changing your password on vulnerable sites would either have no impact, or could potentially expose your new password.

Even without Heartbleed, passwords have never been more vulnerable, and you should change them for important accounts every 90 days.

Here’s what else you need to know today:

Turn on two-factor authentication:
Beyond using fresh passwords, it’s now important to adopt an additional defense, available on a growing number of sites, called “two-factor authentication.” (It also goes by “second factor,” “login verification” or by branding such as, in Bank of America’s case, “SafePass.”)

This option, now offered by many email services, banks and social networks, sends you a one-time code (usually via text message) every time you (or anyone else) tries to log into your account. You’ll need to type in that code to access your account.
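The one-time-code flow described above, as an added illustration that is not code from Mashable, the Journal, or any of the named services. It assumes an in-memory dictionary standing in for the server-side store, a stubbed delivery function in place of an SMS gateway, a five-minute lifetime, six digits, and a five-guess limit; all of those are assumptions, not values the article states. The points it shows are the ones that make a second factor worth having: the code is random, expires, can be used only once, and is compared in constant time, and the password check on its own never grants access.

```python
import hmac
import secrets
import time

# Assumed parameters (not from the article): code lifetime, length, and the
# number of wrong guesses tolerated before the code is thrown away.
CODE_TTL_SECONDS = 300
CODE_DIGITS = 6
MAX_ATTEMPTS = 5

# Stand-in for a server-side database: username -> pending code record.
_pending = {}


def issue_code(username, now=None, send=None):
    """Generate a fresh code for a login attempt and hand it to the delivery channel.

    A new login attempt replaces any code still pending for the user, so an
    older code that may have been intercepted stops working immediately.
    """
    now = time.time() if now is None else now
    # secrets (not random) so the code is unpredictable.
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
    _pending[username] = {
        "code": code,
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    if send is not None:
        send(username, code)  # e.g. an SMS gateway; stubbed out in this example
    return code


def verify_code(username, submitted, now=None):
    """Return True once for the correct, unexpired code; then discard it."""
    now = time.time() if now is None else now
    entry = _pending.get(username)
    if entry is None:
        return False
    if now > entry["expires"]:
        del _pending[username]  # expired codes are discarded, never retried
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del _pending[username]  # too many guesses: the user must request a new code
        return False
    # Constant-time comparison so response timing does not reveal how many
    # leading digits of a guess were right.
    if hmac.compare_digest(entry["code"], str(submitted)):
        del _pending[username]  # single use: a replayed code is rejected
        return True
    return False


def login(username, password_ok, submitted_code, now=None):
    """Second-factor gate: a correct password alone never grants access."""
    return bool(password_ok) and verify_code(username, submitted_code, now=now)


if __name__ == "__main__":
    delivered = {}
    code = issue_code("alice", send=lambda user, c: delivered.setdefault(user, c))
    print("login with wrong code:", login("alice", True, "000000"))
    print("login with delivered code:", login("alice", True, delivered["alice"]))
    print("replay of the same code:", login("alice", True, delivered["alice"]))
```

The `now` parameter exists only so the expiry logic can be exercised deterministically; in a real service the clock is the server's own, and the pending-code store would live in a database shared by all login servers rather than in one process's memory.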

Use at least five different passwords:
The biggest mistake you could make is choosing the same password for everything. If your password gets compromised on one site, someone might try to use it elsewhere.

Instead of trying to keep track of unique passwords for every site, memorize groups of them. Start with five key categories: banking, email, social networking, shopping and, finally, sites you visit very infrequently. Within those categories, you can make each password more unique by tacking on a character or two at the end specific to a site, like AZ for Amazon.com.

If there’s a breach in, say, one of your retail sites, you should immediately change all of the passwords in that group, though this strategy may have bought you a little time.

Choose strong passwords:
What counts as strong? Longer is better; you’ll want passwords at least six to eight characters long that include numbers and special characters. If your password appears on lists that hackers have exposed, you’ll need to start over.

Pet and family names are also a bad place to start because criminals might have access to your personal information. They might even be looking at your Facebook posts.

Unfortunately, sites and apps all have different standards. They also have different rules about the number and kinds of characters they’ll allow—some, for example, won’t accept uppercase, while others require it. A friend recently made a project of changing passwords on all 129 accounts in his life, and was ready to pull out his hair when he discovered one site would not accept the ampersand, while another wouldn’t accept a dollar sign.

It’s especially important to have unique passwords for email accounts, because hackers with access to your email can use it to initiate a “forgot my password” recovery process for other sites.

Some people also intentionally give incorrect answers to security-challenge questions on sites—What was your first car? What was the name of your first pet?—so that criminals with information about you still can’t guess the right answer.

There’s help to remember:
Writing down your passwords on something you keep in your wallet could put them at risk. But it is better to choose stronger passwords that you keep written in a safe place than to choose easily cracked ones that you memorize.

There are good ways to remember longer passwords, however.

The most basic trick is mnemonics. For example, choose passwords based around a phrase or random assortment of words you can remember. Or, use the first letter of every word from the phrase as your password. So, “I Left My Heart In San Francisco,” could be “ILMHISF.”

Don’t just stick to phrases and words that are true in your life. You can also remember phrases that are fabrications, like the wrong name for your dog, that criminals are less likely to guess.

Finally, some people invest in password manager services and apps, such as LastPass, PasswordBox and 1Password, which keep track of passwords and suggest especially strong ones.

Some security experts, though, warn against creating a single point of potential failure with all your passwords, especially if the service stores your passwords remotely. Still, they’re safer than just using “1234” or “password.”

Article from http://blogs.wsj.com/personal-technology/2014/04/09/how-and-why-to-change-your-passwords-today