Your weekend project: Update all your passwords

Cynthia Closkey | General


As you may know, the code that secures many websites was discovered to be vulnerable, and many, many users’ passwords were leaked.

When I say “many websites,” I mean big sites that you may use, sites like Facebook, Instagram, Pinterest, Google, Etsy, and Yahoo. When I say “many users’ passwords,” I mean yours and mine.

Find out more about it all by searching the phrase “Heartbleed bug.” An official page about it is here: Heartbleed bug. But that page is a bit too technical for the average reader. Clearer explanations for the public can be found on Lifehacker, the New York Times, and elsewhere.

What this means for you is that you need to change your passwords on all sites that are affected. You can wait until the site has fixed the problem (all sites are moving at their own pace on this), or you could change it now and change it again after the problem is fixed. Mashable has a list of affected and fixed sites that you can use to see when and where to change your password. You can also check yourself to see if a particular site is vulnerable by putting its address in here: http://possible.lv/tools/hb/

The problem is bigger than that even: If you use the same password for all your logins, then you need to change your password on all the sites you log into whether they were vulnerable to the flaw or not. Your favorite password is most likely out there for the world to see now, so if even one site has been compromised all your logins have been compromised. You can never use that password again.

Is that a pain? Yes. But that’s how it is.

If you’re going to update your passwords, you should do it right. Here’s how to be more secure and less vulnerable to problems like this in the future:

1. Avoid the most used and most obvious passwords.

The most used password on the Internet — the whole Internet — used to be “password”. As of the end of 2013, it was “123456”. See the most used passwords as of 2013 here — if yours is on this list, I insist you create a new one immediately.

Do not use any personal information: kids’ names, pets’ names, birthdays or anniversaries of yourself or your family members. Never use a word that you can look up in a dictionary.

2. Make every password long.

The longer it is, the harder it is to hack by any method.

One way to create a long password that is still easy to remember is to use nonsense phrases, mixed with numbers and characters.

For example: “light Sto9ne 7 sky”

That’s 17 characters long, uses numbers and letters and other symbols (spaces) and a mix of case. It would take as long for a bad guy to brute-force hack that as to hack the password “Ig-Tam-nOrv-ePt-iA”, but it’s worlds easier for a human to remember. (Here’s more information on how much time passwords take to hack by the various methods. The more time a password takes to hack, the more secure it is.)

Choose words that do not make sense together, and that do not appear in print together anywhere that you know of. That is, using words from quotations is a no-no.

UPDATE: My friend Elizabeth Perry highlighted on Facebook this nice comic by xkcd.com that depicts why a nonsense phrase is a better password in many cases (though you still shouldn’t use the same password in multiple places).

[Comic: “Password Strength,” from http://xkcd.com/936/]

3. Use different passwords for every website you log into.

This is the hardest rule, but it’s critical to your security. As I said above, if you use the same password everywhere, and only one of the sites you log into is compromised, you need to change your password everywhere, immediately. If you use different passwords, you only need to change the compromised one.

How can you keep track of dozens of complicated passwords?

  • Option 1: Write them down on paper. If the hackers are online, then information is more secure offline. You’ll need to keep the paper with your passwords secure, both from damage and from wayward eyes.
  • Option 2: Use a password tool. Two that I’ve used are 1Password and LastPass. Both are excellent and secure. They help you create complicated passwords when you need one, then store the login information (username and password) for every website you need. When you need to log into a website, you unlock the password tool in your browser, then click on it to have it input your login information. You don’t need to type any of your complicated passwords; you only need to know the one password to unlock the password tool, and it will save and type your passwords for you. Both 1Password and LastPass also have mobile apps, so you can take your passwords everywhere and use them fluidly on your mobile devices. Both can also audit your passwords, and LastPass has a tool to tell you if a site you log into was affected by Heartbleed.
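
A small audit in the spirit of rules 1 to 3, as an added example (not from the original post and not how 1Password or LastPass work internally): it checks a password inventory for common, short and reused passwords, and marks every login that shares a password with a breached site. The site names, the passwords, the `audit` function and the 16-character minimum are assumptions made for illustration.

```python
from collections import defaultdict

# Tiny sample: the two most-used passwords the article names. A real audit
# would load a full published list instead.
COMMON_PASSWORDS = {"password", "123456"}
MIN_LENGTH = 16  # assumed threshold; the article only says "long"


def audit(vault, breached_sites):
    """Return {site: sorted findings} for a {site: password} mapping."""
    # Group sites by password so reuse can be seen at a glance.
    sites_by_password = defaultdict(set)
    for site, password in vault.items():
        sites_by_password[password].add(site)

    findings = defaultdict(set)
    for site, password in vault.items():
        if password.lower() in COMMON_PASSWORDS:
            findings[site].add("common")
        if len(password) < MIN_LENGTH:
            findings[site].add("short")
        sharing = sites_by_password[password]
        if len(sharing) > 1:
            findings[site].add("reused")
        # A password exposed at one breached site is exposed at every
        # site that shares it, so all of those logins must change.
        if sharing & set(breached_sites):
            findings[site].add("change-now")
    return {site: sorted(tags) for site, tags in findings.items()}


# Constructed inventory: site names and passwords are made up.
SAMPLE_VAULT = {
    "mail.example": "copper Lan7tern 3 fog",
    "shop.example": "Summer2013!",
    "photos.example": "Summer2013!",
    "forum.example": "123456",
    "bank.example": "violet anvil 42 Gravel moss",
}

if __name__ == "__main__":
    report = audit(SAMPLE_VAULT, breached_sites={"shop.example"})
    for site in sorted(report):
        print(f"{site}: {', '.join(report[site])}")
```

Sites with a unique, long, uncommon password do not appear in the report at all; a breach at one site pulls in only the logins that share its password.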

The Heartbleed vulnerability is the most recently discovered web security flaw, but it won’t be the last. It would be devastating for you to have your personal or financial information stolen online, so take time now to make yourself safer.

Create better passwords today, so you’re not in such a bad spot next time.

Photo credit: “Old keys” by jakeliefer on Flickr