On Monday, security researchers found an issue so scary they called it “Heartbleed.” It’s a flaw in an encryption tool used by about two-thirds of Internet servers that could be exploited to leak your login names and passwords.
Check site security before changing your password
It’s not clear exactly which services were impacted, or what passwords may have been compromised. But if you have an account on Yahoo, OKCupid or Github—three popular sites known to have had the vulnerability (and patched it)—you should change your password on them as soon as possible.
Other big Web companies are taking steps to fix the problem. You can check if a service has updated its security by typing in its domain name at https://www.ssllabs.com/ssltest.
If everything’s green, it has probably been fixed and you are clear to change your password. If the site is not in the green, hold off. Changing your password on vulnerable sites would either have no impact, or could potentially expose your new password.
Even without Heartbleed, passwords have never been more vulnerable, and you should change them for important accounts every 90 days.
Here’s what else you need to know today:
Turn on two-factor authentication
Beyond using fresh passwords, it’s now important to adopt an additional defense, available on a growing number of sites, called “two-factor authentication.” (It also goes by “second factor,” “login verification” or by branding such as, in Bank of America’s case, “SafePass.”)
This option, now offered by many email services, banks and social networks, sends you a one-time code (usually via text message) every time you (or anyone else) tries to log into your account. You’ll need to type in that code to access your account.
Use at least five different passwords
The biggest mistake you could make is choosing the same password for everything. If your password gets compromised on one site, someone might try to use it elsewhere.
Instead of trying to keep track of unique passwords for every site, memorize groups of them. Start with five key categories: banking, email, social networking, shopping and, finally, sites you visit very infrequently. Within those categories, you can make each password more unique by tacking on a character or two at the end specific to a site, like AZ for Amazon.com.
If there’s a breach in, say, one of your retail sites, you should immediately change all of the passwords in that group.
Happy Surfing!
No comments:
Post a Comment