
Change Your Passwords! (Heartbleed Explained)

Friday, April 11, 2014

A rendering of the Heartbleed bug.

A major security bug, called 'Heartbleed', has left much of our online information vulnerable to theft. Rusty Foster, a computer programmer and writer who wrote about Heartbleed for the New Yorker, explains what the security flaw means for your sensitive information - like credit card numbers - and what you need to do next. Foster also writes the daily "Today in Tabs" newsletter for Newsweek.

A Few Things We Learned from Rusty Foster

  • Change your passwords! There are some people who think that you should wait a few days, since there may still be people accessing your information, but Foster thinks it's a good idea to change the important ones right away.
  • Consult this Mashable guide, which is keeping track of which passwords you should prioritize.
  • Never use the same password for different important accounts! And try to make your passwords complex. 
  • Here are three "password safe" programs that will help you come up with and remember hard-to-crack passwords: 1Password | LastPass | KeePass

 

Guests:

Rusty Foster

Comments [25]

IRS, Healthcare.gov, & USAJOBS.GOV VULNERABLE ? from KEEP OUR DATA SECURE!!!


Has HEARTBLEED threatened Americans DATA SECURITY via
major GOVERNMENT websites like : the Internal Revenue Service's sites,
the Healthcare.GOV site and the USAJOBS.GOV site, etc ?

We need reassurances that this is NOT the case!
If all our confidential data given to the Government has
already "run out of the barn" this is VERY BAD!

ARE ANY OF THESE SITES STILL VULNERABLE ?

WHEN WILL OUR GOVERNMENT FIX THEM!

WE NEED TO KNOW!
Particularly before we send more data over them!

Apr. 11 2014 06:09 PM
ph

@GerryRL, using just a-z, A-Z, and 0-9 which is 62 different characters, there are over 218 TRILLION different 8-character passwords that can be formed. If you can check 100 passwords per second (which is not likely since there are delays in verification), it would take 69,000 years to go through them. Real hackers use much smarter techniques than trying every permutation.

Apr. 11 2014 02:53 PM
Dan from NJ from Red Bank, NJ

@Chris repeated the question of a caller: "if you use a SIMILAR password for different sites, such that you can remember them better, is that ok or do they need to be completely different". My input: when passwords are stolen, the attacker is likely to try to access that site in the future with that password, and other important sites (banks, email providers) with the SAME username / password pair. If it doesn't work, they'll likely move on. So while a completely different password is "best", even a small difference gives you A LOT of extra protection.

Apr. 11 2014 10:40 AM
Amie Macdonald

Please explain - I looked up KeePass but didn't find a format compatible with Mac. Is there a free password manager recommended by Rusty Foster that is compatible with Mac OS X? Please advise! Thank you so much.

Apr. 11 2014 10:40 AM
Thornquist from Upstate, NY

I add another easy way of "encrypting" my passwords by simply not recording them, but rather recording a hint as to what they are, which is unlikely to be guessed by a hacker. In addition, I record the hint in a way that is unlikely even to be guessed. So, for example, I might have my password for Application XYZ recorded as "FU1 + ##" which stands for "Favorite Uncle followed by a 2-digit number" that only I know. I think when you make it so difficult and time-intensive to crack through this, a hacker is much more likely to just move on to someone else to victimize.

Apr. 11 2014 10:35 AM
Dan from NJ from Red Bank, NJ

@cament: There is one type of virus that your computer might have, called a "key logger". The cut-and-paste method might help protect your [typed] password from a keylogger. But it wouldn't if the key logger was already in place when you typed the password in to a file or "password wallet"! Also: if you have a key logger virus, you have even more problems than possibly using your passwords... so get a good virus scanner, and set it to run weekly.

Apr. 11 2014 10:32 AM
Fran from Westchester Co., NY

Is it possible that Heartbleed had something to do with the disastrous rollout of ObamaCare online?

Apr. 11 2014 10:32 AM

As a former programmer/systems analyst, I'm wondering whether a hacker could write a program that would attempt to logon to a website with all of the allowable permutations for passwords. I would guess this is possible. In fact, I'd be surprised if this has not yet been tried.

Apr. 11 2014 10:28 AM
Edward from Washington Heights AKA pretentious Hudson Heights

cament,

Typing a password makes it vulnerable to keystroke capture software or hardware.

Think of the Subway credit card skimmer hardware.

Apr. 11 2014 10:28 AM
Dan from NJ from Red Bank, NJ

Why use "open source" software? Which would make you feel safer: Would you rather live in a building where the superintendent 1) regularly allows fire inspectors and building inspectors access to check and confirm fire safety of the building? 2) keeps the building plans a secret, and never allows fire professionals to confirm the building is up to code? THAT'S why open source is better: if there is a problem, the more eyes that might see it, the better chance it will be fixed.

Apr. 11 2014 10:27 AM
John from Washington, DC

Why does a password have to be hard to remember? If it's long with lots of different characters, will a hacker identify why I could remember it?

Apr. 11 2014 10:23 AM
Baz

Can Rusty comment on the irresponsibility of the developers of OpenSSL? A LOT of things had to happen voluntarily on behalf of these developers that suggests this is more than just a "mistake".

Apr. 11 2014 10:22 AM
Chris

Speaker DID NOT ANSWER a good question that was just asked:

"if you use a SIMILAR password for different sites, such that you can remember them better, is that ok or do they need to be completely different"

Apr. 11 2014 10:22 AM

Could your guest explain why it might be better to cut and paste usernames and passwords as opposed to typing them in?

Apr. 11 2014 10:19 AM
Amy from Manhattan

1. If you use alternative online services, like DuckDuckGo for searches & a smaller, more local ISP rather than 1 of the big names, does that increase or decrease the risk?

2. Would it work to switch the passwords you already have to different services, i.e., rotate them? That way you wouldn't have to come up w/an entire list of new passwords, but each one would be "new" to the service you now use it for. I keep a list of password clues that anyone else wouldn't understand if they found it, & I could switch those around along w/the passwords instead of starting over each time.

Apr. 11 2014 10:19 AM
stephanie from NJ

I use a Word document that can be opened by anyone but I use triggers for me to know what to type; like BronameYOB. Which would be James1979.
(I don't have a brother, so I'm not giving anything away.)

Apr. 11 2014 10:19 AM
Linda P. from NYC

Brian,

Like you suggested, I do write all my passwords down. I enter them into a word document but don't put the entire password in, e.g. if it's a word like "howdydo" I'll enter "h________o" into the list I maintain and that will be enough of a clue to me.

Is that wise?

Linda P.

Apr. 11 2014 10:18 AM
Debbie from UWS

Why does it matter if someone has my Facebook password if I don't have my bank linked to it?

Apr. 11 2014 10:17 AM
Ed from Maplewood

Edward Snowden was a master at protecting his stuff with elaborate encryption before he went public. So my question is WWSD? What would Snowden do!? Thanks. Ed

Apr. 11 2014 10:17 AM
Nancy from NYC

I don't think it's bad to write down passwords on a piece of paper so long as you don't simply write down the password but instead just give yourself hints.

For example, I might write down a password as: childhood best friend's dog's name plus first 3 digits of childhood phone number plus symbol.

Apr. 11 2014 10:16 AM
Ben from Westchester

Brian, important that you note that you need to change your bank password if it is a password you also used at Facebook.

For example, if you used the password "BrianLehrer" at Facebook, and Heartbleed exposed this plus your email address to an attacker, then you may have also used "BrianLehrer" at your bank. The attacker could take your email and "BrianLehrer" and try it at every major bank to see if he can get in.

Apr. 11 2014 10:11 AM
fuva from harlemworld

Makes me wonder, once again, how much of a threat to society complexity (financial sector, IT, sociopolitical/economic issues, etc.) is. Increasing with complexity, are the distractions that compromise our competency in dealing with it.

Apr. 11 2014 10:09 AM
Matt C from Jersey city

Once heard long passwords are safest. No need for funny characters because computers are fast enough to test those, too. So manhorsehouseburp is better than 2fuN$$#. True?

Apr. 11 2014 10:05 AM
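Putting numbers to two of the comments above, ph's 62-character arithmetic and Matt C's long-passphrase question, as an added example that is not code from the page or from any commenter. The online rate of 100 guesses per second is ph's figure; the offline rate of 10^10 guesses per second and the 7,776-word list (the size of the Diceware list) are assumptions chosen to show orders of magnitude, not measurements.

```python
"""Password keyspace and guess-time arithmetic.

Added illustration for the comment thread; not code from the page or from
any commenter. The cracking rates and the word-list size are assumptions
chosen to show orders of magnitude, not measurements.
"""
import math
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character-class sizes: 26 + 26 + 10 + 33 = 95 printable ASCII characters.
CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": 33,  # string.punctuation (32) plus the space character
}

# Assumed guessing rates (illustrative, not measured):
ONLINE_RATE = 100          # ph's figure: a login form, with rate limits and network delay
OFFLINE_RATE = 10 ** 10    # a stolen hash database attacked on GPUs with a fast unsalted hash

# Assumed word-list size for an attacker who knows the passphrase pattern;
# 7,776 is the size of the well-known Diceware list.
WORD_LIST_SIZE = 7776


def alphabet_for(password: str) -> int:
    """Smallest character set a brute-forcer must cover to include every
    character class actually present in the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += CLASS_SIZES["lower"]
    if any(c in string.ascii_uppercase for c in password):
        size += CLASS_SIZES["upper"]
    if any(c in string.digits for c in password):
        size += CLASS_SIZES["digit"]
    if any(c in string.punctuation or c == " " for c in password):
        size += CLASS_SIZES["symbol"]
    return size


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Guess-space size expressed in bits (log base 2)."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Years needed to try every candidate at the given rate (the attacker's
    worst case; on average the right one turns up halfway through)."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def brute_force_bits(password: str) -> float:
    """Bits of work for an attacker who knows only the character classes and the length."""
    return entropy_bits(keyspace(alphabet_for(password), len(password)))


def passphrase_bits(word_count: int, word_list_size: int = WORD_LIST_SIZE) -> float:
    """Bits of work for an attacker who knows the phrase is `word_count` words
    drawn from a list of `word_list_size` (the honest, worst-case model)."""
    return entropy_bits(keyspace(word_list_size, word_count))


def report() -> dict:
    """The numbers behind the two comments: ph's 8-character alphanumeric
    arithmetic, and Matt C's long-passphrase-versus-short-complex question."""
    alnum8 = keyspace(62, 8)
    return {
        "alnum8_space": alnum8,
        "alnum8_years_online": years_to_exhaust(alnum8, ONLINE_RATE),
        "alnum8_hours_offline": alnum8 / OFFLINE_RATE / 3600,
        # "2fuN$$#": 7 characters with all four classes present -> 95^7
        "short_complex_bits": brute_force_bits("2fuN$$#"),
        # "manhorsehouseburp" seen as 17 lowercase characters (attacker assumes nothing)
        "passphrase_as_chars_bits": brute_force_bits("manhorsehouseburp"),
        # the same phrase when the attacker knows it is 4 dictionary words
        "passphrase_as_words_bits": passphrase_bits(4),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:28s} {value:,.2f}")
```

Run as a script it shows both commenters are right in different ways. The 62^8 space that takes ph's roughly 69,000 years through a login form takes about six hours at the assumed offline rate, which is the difference between guessing at a live site and cracking a stolen copy of its password database. And a four-word passphrase beats a seven-character mixed string even when the attacker knows the words came from a list (about 52 bits against 46), so the length matters more than the funny characters; the funny characters only help if the attacker does not know the pattern.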
Alistair from Inwood

If https has not been patched is there any point in changing passwords? Won't the info be just as vulnerable?

Apr. 11 2014 10:03 AM
