Stopping a Heartbleed
Getting to the Heart of a data protection problem with Chris Russell
As some of the most-frequented sites on the web, Google, Facebook and Yahoo can be trusted to protect our data, right? Wrong.
These sites, along with almost half a million others, use the open source OpenSSL encryption library, which is the software vulnerable to the Heartbleed bug.
This bug may have been crawling through our web servers for two years, giving hackers plenty of time to get their grubby mitts on our personal information.
Some sites have been patched, but not others. And since the news broke, the web has been flooded with confusing advice, particularly on whether or not we need to change our passwords across all our web applications.
Some say change your password right away. Others advocate waiting until all your sites have been patched – ensuring you don't risk your new password falling into villainous hands.
Then there are the soothing words of Google, which has claimed there is no need to change passwords at all. Unless, it adds quietly, you have been foolish enough to reuse your "secure" Google password on other websites.
If this is you, then sound the alarm. Oh, well.
Time for a reality check. Due to the sheer volume of passwords the average web user is now required to use, many do reuse passwords across multiple sites.
We believe, in fact, that almost a fifth of employees may care so little about online security that they reuse the same username and password across every single online business and personal application.
The posturing has to end. It's all well and good telling us to change our passwords across all our applications, but most of us are going to push that little flash of guilt to one side and reuse our new password across the board once again.
Help may be at hand, however, with new password manager websites popping up all over the internet. These sites claim to store your details securely and to generate complex, highly secure passwords on your behalf.
But wait, how do you get on these sites? It isn't – it couldn't possibly be – with yet another password? It is.
My advice? Scrap passwords altogether. The inconvenient truth is that web users are neither capable nor willing to maintain the complex, rolling system of passwords that today's web environment has demanded.
It has been proven over and over again that passwords are no longer fit to secure the increasing amount of personal data we now store online and in the cloud.
We recommend multi-factor authentication, of course.
Chris Russell is chief technology officer at Swivel Secure