The BBC and other media networks carried a news story this week about a new vulnerability, the Heartbleed bug, that has been discovered in a widely used, but probably unknown to most, software library.
OpenSSL is used on around 66% of the internet to protect sensitive information (names, passwords, etc.) when it passes from one server to another. A fix is available, which all providers are now applying. As a result of this, you might be advised by your cloud service providers to change your password. For example, I just received an email from Bufferapp.com (if you have a number of social media accounts you should check Buffer out). They had to apply the fix and advised me to change my password – which I have done!
You should also think about your website.
Those of you who host your site with DMJ are not affected – the version of OpenSSL we use is not vulnerable to this attack. However, if you host elsewhere it might just be worth pinging an email to your web hosts to ask if you need to reset your account password.
Sensible advice about passwords
Everyone should be aware of just how easy it is for malicious ‘types’ to bombard email accounts, social media accounts, and websites with login attempts using popular username and password combinations. As these attempts are typically automated, hackers can submit thousands of login attempts in the space of a few seconds. So, if you have an easy-to-guess username and password you are easy prey.
So here are our common sense top password tips
1. Don’t use an easy-to-guess password – here’s a list of the 25 worst passwords. If your password is on this list please come and see us after school. There are plenty of online password-generation services if you cannot think up anything original;
2. Use 2-step authentication whenever it is offered to you – even if it looks like a pain to install;
3. Try not to use the same passwords for different applications;
4. Don’t share your passwords with other people – or if you do, remember who they are in case you ever fall out;
5. Don’t assume your passwords are safe if you store them on a Cloud application (such as Dropbox). Take a look at Spideroak if you want to store sensitive data in the cloud.
You might also want to look into using a service such as LastPass to store your passwords.
Edited: Mashable is maintaining a list of sites where you’ll need to change your passwords here.
What services do you use that have been affected? Did they report anything more serious than a ‘please rest your password’?
Drop a comment below to let us know.