The Heartbleed Bug is not specifically a digital marketing topic. However, I’m covering it for two reasons. First, any digital marketer is going to spend an awful lot of time online. This means that they will be particularly vulnerable to this bug. Second, I’m getting a whole bunch of emails and inquiries from people asking me what this thing is and what they should do about it. So in this post, I will briefly explain what the Heartbleed Bug is and, more importantly, provide some tips and guidance to deal with it.
What Is the Heartbleed Bug?
I’m not going to go into a ton of detail explaining what the Heartbleed Bug is. I’ll explain it briefly, and provide links to more in-depth coverage if you would like more information.
First of all, this is a software bug and not a virus. It’s a defect in something called OpenSSL, which is a critical component of the infrastructure that encrypts data on the Internet. This bug makes it possible for attackers to open a window into a website server and view its contents. The big fear is that those contents may contain your username and password. That’s why so many sites are advising you to change your passwords.
Here’s a comic that explains how the software defect works:
What To Do About Heartbleed
The main concern for you as a user is that your login credentials may have been compromised. The tricky thing about this bug is that it leaves no trace and it’s nearly impossible to tell if any data has been compromised on the server. Even if a website server has been patched, it just means that the window has been closed. It doesn’t mean that nobody has crawled through the window and rummaged around.
That’s why it’s highly encouraged that you change your password on compromised sites. You can find a list of compromised sites in this Mashable article – The Heartbleed Hit List: The Passwords You Need to Change Right Now.
For many people, this is a monumental task. But if you know a few tricks and shortcuts, it’s not so bad. So I thought I would share with you my password management strategy.
My Password Management Strategy
The first thing you need to do is select a strong password. And by strong, I mean at least 20 characters. The bad news is that there are many sites that won’t let you have a password that’s that long. Amazingly, banking websites seem to be some of the worst offenders. But whenever possible, choose a password that is at least 20 characters. For a long time, we’ve been taught exactly the wrong way to choose passwords. We’ve been told to use random combinations of letters and numbers and symbols. These are extremely hard to remember and not all that difficult for computers to crack.
So what’s a better approach? Well, here’s another XKCD comic to explain:
So whenever I need to generate a new password, I use this handy tool from Preshing on Programming. It does the work of selecting four random words for me that I can use as a new password.
Now that I have this password, I need to remember it. Except that I don’t remember any of my passwords. Well, that’s not exactly true, but for all of my vital logins (email, banking, WordPress, etc.) I use a unique password. And to keep track of all these unique passwords, I use an indispensable tool called LastPass. The service remembers all my passwords and has plug-ins for all major browsers as well as my android phone. It’s currently storing over 1,000 sets of login credentials for me!
LastPass also has some other very handy features. For example, it will perform a security audit and let you know if you have passwords that are easy to crack and/or too many websites that are using the same username and password combination. It even has new functionality for the Heartbleed Bug.
One last recommendation I have for you is to use two factor authentication whenever possible. As the name implies, two factor authentication requires something in addition to a password in order to gain access to an account. This usually means your mobile device. There are apps you can install on your phone (like Google authenticator), while other sites will send you a code via text message that you must enter in order to log in. You usually only need to do this once on a particular computer and it will then remember so that you don’t need to do this every time you login. But when and if someone tries to log in from another computer, that person needs to have your mobile phone in order to get in. It’s a great way to really lockdown your accounts and I highly recommend turning it on for email access in particular.
In summary, it may be a major pain in neck to change all these passwords and lock down your accounts. But it’s nothing compared to the agony of having one of your important accounts compromised. And if you’re a digital marketer, imagine having to explain to your client how someone hacked into their Twitter account and started sending out pornographic images or links to viruses. Better to be safe than sorry. So here’s my approach once more:
- Use long, unique passwords that contain four random, common words.
- Turn on two factor authentication whenever possible.
- Use a password management tool like LastPass to make life bearable.
Hope you found this helpful and be safe!