I thought I would share some thoughts on the recent Heartbleed SSL flaw that compromised potentially half of the internet sites out there, including many popular ones you and I use, from facebook, to twitter, to yahoo and many others. I spent essentially a whole day changing passwords on dozens of sites, and even with all that effort, I believe one of those sites, which holds some of my credit card info, was compromised.
I got a call from one of my credit companies this morning alerting me to some potential fraud transactions. They were in fact unauthorized and the account was quickly shut down and I deleted that information and changed the passwords for any and all associated sites with that card. The culprits only tried to buy some video games but it could have been worse.
Which brings me to 4 pieces of advice I wanted to share on password security that have kept me safe on the internet for the most part.
- Use the longest, most randomly generated password consisting of letters, numbers and any and all characters possible (e.g. PeB*wREpRe+?fruSPesPaqA?uChe$we8). You can use a password generator like this one from Norton (Norton Password Generator).
- Use a different password on every single site. I know, “but how will I keep track of so many different and complex passwords?” You use a tool like pwSafe (Password Safe) or LastPass that keeps track of all of your site user names and passwords for you. When a site gets hacked, you can relax, because that is probably the only one compromised: change that password and move on. I prefer pwSafe because you can use a file that you self-host and encrypt with additional security measures.
- Always use two-factor authentication when possible. This is the feature where a one-time code is generated and sent to your phone to go along with your password and email for additional security.
- Do not store your credit card info with a site unless you absolutely need to, like in the case of auto-billing.
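As an added example, not code from the original post, here is the first piece of advice in practice: a password of the recommended length drawn from letters, digits and symbols with the operating system's cryptographic generator, plus the entropy arithmetic that shows why 32 random characters are so much stronger than a short word. The guess rate in `years_to_exhaust` is an assumed figure, not something from the post.

```python
import math
import secrets
import string

# The character classes the post recommends: letters, numbers and symbols.
# string.punctuation adds 32 symbols, giving a 94-character alphabet.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 32, alphabet: str = ALPHABET) -> str:
    """Build a password by drawing each character from the OS CSPRNG.

    secrets.choice() is used rather than random.choice(): the random module is
    seeded predictably and is not suitable for secrets.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e12) -> float:
    """Worst-case years to try every candidate at an assumed guess rate.

    1e12 guesses/second is a constructed figure for illustration only.
    """
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password()
    bits = entropy_bits(len(pw), len(ALPHABET))
    print(f"{pw}  ({bits:.1f} bits, ~{years_to_exhaust(bits):.2e} years to exhaust)")
    # For comparison: 8 lowercase letters chosen at random is only ~37.6 bits.
    print(f"8 random lowercase letters: {entropy_bits(8, 26):.1f} bits")
```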
That’s about it. The most important thing to remember is that “password” is not a good password. Take the little bit of time it takes to secure yourself and avoid major headaches later. My account was only tested today because I put in many precautions beforehand. Had I not, they could have gotten me for a lot more.