The Heartbleed Bug and Password Reuse, Recipe for Disaster

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
If you have the habit of using the same password everywhere, you are at risk for identity theft and a breach in post Heartbleed scenario.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

The ‘Heartbleed bug’* is perhaps the hottest topic in all types of media – print, electronic, social, and others. This serious flaw in OpenSSL’s TLS implementation is perhaps the biggest vulnerability in Internet history and has sent panic waves throughout IT and consumer communities alike.

During the past few days, you have probably come across information about the Heartbleed bug many times and been swamped by vendor advisories prompting you to change your passwords. The Heartbleed bug went unidentified for nearly two years, and it is not yet known whether it was exploited against any web application anywhere. So, as a precautionary measure, vendors are suggesting you reset your passwords after they have patched their applications and fixed the vulnerability.

Heartbleed bug and password reuse 


When you receive an advisory on the Heartbleed bug from a software application provider, you’re likely to promptly change the password in that application or site and feel secure. But the harsh truth is that your entire online life could be at risk. This is because most of us tend to use the same password on all websites and applications.

So if a hacker obtained your password by exploiting the Heartbleed vulnerability in one site or application, the hacker has actually obtained the ‘master key’ to all your accounts – even those that are not vulnerable to Heartbleed.

In one of my previous blog posts, I had listed some high-risk scenarios, which are relevant here:

  • You are using the same password everywhere – social media accounts, web applications, service portals, bank accounts, online financial accounts, etc. A password harvested at one place exploiting the Heartbleed bug could potentially give the hacker access to all your other accounts and even lead to draining your bank account!
  • An employee of your organization has used the same password for personal and social media accounts as well as work-related web applications, email, and VPN. Data exposed at just one site (due to scenarios like the Heartbleed bug) could invite hackers to your organization’s doorstep.

So when a security incident happens at one place, you should essentially reset the passwords of all your other online accounts, too. But before you can do that, you need a list of all the online applications in which you have an account.

Post-Heartbleed: What should you do to prevent any possible security incidents?

You should check if any of the online or web applications you use are or were vulnerable to the Heartbleed bug. If they had been vulnerable, you should act in accordance with the respective vendor’s security advisory and change the password. In addition, if you have used that password in any other applications, change the password for each application — even if the other applications are or were not vulnerable to the Heartbleed bug.

Irrespective of whether a site was vulnerable to the Heartbleed bug or not, as a precautionary measure, all vendors are now advising their customers to reset passwords to prevent any hacks in future. Once a vendor advises you to reset the password of a site/application, you should assign a unique, strong password. Note that I have specifically said “once the vendor advises” because changing your password on a particular site offers protection only if that site has already patched its systems to fix the Heartbleed vulnerability.

You should ensure that you assign a unique password to every website and application. When there is news of a password exposure or hack, you can then change the password for that site or app alone. Changing passwords frequently is a highly recommended habit.
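The steps above come down to one question: given the list of accounts you own, which passwords must be reset when a site is compromised? The following added example (not part of the original post or of Zoho Vault) works that out over a constructed, hypothetical account inventory, including the personal/work cross-over scenario described earlier.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set


class Account(NamedTuple):
    site: str
    username: str
    password: str
    realm: str  # "personal" or "work"


# Constructed sample inventory: hypothetical sites and passwords, not real data.
INVENTORY: List[Account] = [
    Account("forum.example", "bala", "Summer2012!", "personal"),
    Account("shop.example", "bala", "Summer2012!", "personal"),
    Account("bank.example", "bala", "Summer2012!", "personal"),
    Account("vpn.corp.example", "bala", "Summer2012!", "work"),
    Account("mail.corp.example", "bala", "Tr0ub4dor&3", "work"),
    Account("social.example", "bala", "xK9#mQ2v$pL7", "personal"),
]


def reuse_groups(inventory: Iterable[Account]) -> Dict[str, List[Account]]:
    """Map each password that appears more than once to the accounts sharing it."""
    groups: Dict[str, List[Account]] = defaultdict(list)
    for acct in inventory:
        groups[acct.password].append(acct)
    return {pw: accts for pw, accts in groups.items() if len(accts) > 1}


def blast_radius(inventory: Iterable[Account], breached_sites: Set[str]) -> Set[str]:
    """Sites whose password must be reset once the given sites are breached:
    the breached sites themselves plus every site sharing a password with them."""
    sites_by_password: Dict[str, Set[str]] = defaultdict(set)
    for acct in inventory:
        sites_by_password[acct.password].add(acct.site)
    to_reset: Set[str] = set()
    for acct in inventory:
        if acct.site in breached_sites:
            to_reset |= sites_by_password[acct.password]
    return to_reset


def cross_realm_reuse(inventory: Iterable[Account]) -> List[List[str]]:
    """Groups of sites where one password bridges personal and work accounts."""
    return sorted(
        sorted(a.site for a in accts)
        for accts in reuse_groups(inventory).values()
        if len({a.realm for a in accts}) > 1
    )
```

A single breach of forum.example in this inventory forces resets at four sites, one of them the corporate VPN; the social.example account, which has a unique password, is contained to itself.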

But here comes the problem: you will have to remember multiple passwords, often tens or even hundreds of them. It is quite likely that you will forget some, and on the occasion you need one most, you will struggle to log in and succumb to password fatigue.

Heartbleed bug should serve as an eye-opener: Use a password manager 

Just like you have an email account, consider using a password manager too. To combat cyber-threats, proper password management should ideally become a way of life. Password managers like Zoho Vault help you generate strong, unique passwords and also help securely store all your logins and passwords.

Let the Heartbleed bug serve as an eye opener and encourage you to do away with the dangerous practice of password reuse. Now is the perfect time to initiate steps to proactively protect your passwords and seriously consider deploying a password manager.

Bala
Zoho Vault – Online Password Manager for Teams

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

P.S.

* If you are wondering what this Heartbleed bug is all about, this is for you: In simple terms, OpenSSL’s software library powers HTTPS implementations for websites and applications and helps secure the transmission of information to and from servers. The Heartbleed bug allows anyone on the internet to read portions of the server’s memory. Typically, hackers could gain access to information sent to, or retrieved by, a server that makes use of vulnerable versions of the OpenSSL software.
