Friday, April 18, 2014

Change All Your Internet Passwords

The taxes are in and Friday is here, but it is not time to drink a toast to getting back to normal. That’s because if you drink, you are likely to have extra trouble remembering all your new Internet passwords.

Well, you are changing your passwords, aren’t you? The headlines on Heartbleed may have died down, but the need to change your Internet passwords — all of them — is no laughing matter. The flaw in OpenSSL software put the communication between you and most secure web servers at risk for a period of time. Unlike other Internet security flaws, this one was not focused on a particular place, so exploits (instances of criminals using the flaw to gain access to data) are not necessarily detectable after the fact. Along with other data, your passwords could have been accessed. This means you don’t know who has your passwords, but you can fix that by choosing new passwords.

I know I said you should change all your passwords, but that is a slight exaggeration. There is an exception, but if you want to be cautious, it does not amount to much. If you are sure you did not log into a site between 2012 and now, or the site tells you it was not affected by the Heartbleed flaw, you may not need to change your password there. However, this exception applies only if you did not use the same password, or a password that is partly the same, at any other site. And this exception does not apply if the password was ever emailed to you at an email account that was affected by the flaw. As I said, it’s not a very big exception. If there are accounts that you have effectively abandoned, you might choose to delete them at this point (or delete your more sensitive information from the account). That doesn’t save you any work, but it is something to consider along the way.

I know, changing all your passwords is a lot to ask. I personally have 200 accounts with passwords to change. I memorized almost half of them, and now I will be changing them all in a matter of days. My chance of memorizing dozens of new passwords quickly is in the don’t even try category. I will have to write them down. And, I will have to be systematic about changing them.

Being systematic starts with choosing good passwords. Even on sites that don’t enforce rules for password quality, a password should not be a single word that could be found in a dictionary. Most of all, don’t use any word that can be found on your Internet profile as a password. Of course, don’t reuse any of your old passwords — you know, the ones that might be posted on a message board somewhere by now?

Changing passwords might be the most tedious task you can think of, but it still has to be done well, so don’t rush through it. Making mistakes when setting passwords is a security flaw of its own. Realistically, you probably won’t change all your passwords in two or three days, so start with affected email accounts and banks. Go on from there to retail sites that have your banking account numbers. Keep track of which passwords you still need to change. And for your own safety, don’t drink and password, even if it is Friday.