Thursday, April 24, 2014

Password Lessons from Heartbleed

It's been a little over two weeks since the web security bug known as "Heartbleed" was publicly reported (see my earlier post for a description of the bug). For businesses it has meant a lot of scrambling to update servers and to update network intrusion sensors to detect attempts to exploit the bug. Thus far, though, there have not been widespread reports of data breaches affecting consumers. There was the case of a teenager who was arrested for nabbing 900 social insurance numbers from the Canada Tax Agency (social insurance numbers being the Canadian equivalent of social security numbers, and the agency the equivalent of the US IRS) ... note to self: hacking a government agency and then presenting said agency with proof of your hack is not the best way to go about reporting a vulnerability. But I digress...

Time will tell the true effects. Aside from the few businesses that had inside knowledge of this bug before it was announced publicly, everyone was caught by surprise. No matter how quickly businesses responded, for most of the Internet there was a period of time ranging from a few hours to a few days in which normally secure information was accessible to anyone with a desire to look. It is a certainty that some information was stolen. Maybe passwords, maybe bank card information, maybe encryption keys - there's no real way of knowing.

There are however a few things we do know.

First and foremost, there is no such thing as 100% perfect security. No matter how much effort we put into protecting ourselves, there will always be a way a determined attacker can get around our protections. Thankfully though, most of us don't have determined adversaries after us. Rather than focus on "perfect security," it is more practical to focus on "good enough security" - where the level of security matches the value of what we are protecting. That's the space I tend to write about.

Second, Heartbleed reinforces the need to use different passwords for different web sites (at least those we care about). There is a pretty good chance some passwords were captured from some high-profile web sites before the bug was fixed (we know for a fact many Yahoo! passwords were discovered). There are myriad less widespread (and less-publicized) incidents each year in which passwords are discovered. Having one password discovered can be a pain in the rear. If that same password is used everywhere though, that pain in the rear can turn into a royal nightmare.

Remembering unique and strong passwords for dozens if not hundreds of web sites is an exercise in futility. Remembering one good password though is reasonable. That is where password manager programs come in. These programs remember passwords so you don't have to - and most will also generate strong random passwords, eliminating our human tendency to select things that might be discovered.
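To make the two points above concrete (reuse is what turns one leaked password into many compromised accounts, and a manager's generator removes the human guessability problem), here is an added example of what a password manager does under the hood. It is not code from this post or from any of the products listed below; the vault contents, site names and the 12-character strength floor are constructed for illustration. Passwords are drawn from Python's `secrets` module (a CSPRNG), never from `random`.

```python
import math
import secrets
import string
from collections import defaultdict

# Alphabet a manager's generator would typically draw from (85 symbols here).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.?"

# Constructed strength floor for the audit; real managers use richer scoring.
MIN_LENGTH = 12


def generate_password(length=20, alphabet=ALPHABET):
    """Draw each character independently and uniformly from a CSPRNG."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size).

    A 20-character password over 85 symbols is about 128 bits, i.e. far
    beyond what an offline guessing attack can cover.
    """
    return length * math.log2(alphabet_size)


def audit_vault(vault):
    """Flag the two problems this post warns about.

    'reused': sites whose password is shared with at least one other site
              (one leak there exposes all of them).
    'weak':   sites whose password is shorter than MIN_LENGTH.
    """
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    reused = sorted(
        site for sites in by_password.values() if len(sites) > 1 for site in sites
    )
    weak = sorted(site for site, pw in vault.items() if len(pw) < MIN_LENGTH)
    return {"reused": reused, "weak": weak}


# Constructed sample vault: three sites share one short password, one site
# has a unique but short password, one has a strong unique one.
SAMPLE_VAULT = {
    "bank.example": "Tr0ub4dor&3",
    "mail.example": "Tr0ub4dor&3",
    "shop.example": "Tr0ub4dor&3",
    "news.example": "summer2014",
    "forum.example": "x7!Qm2#vLp9@Zr4$Wn8&",
}


if __name__ == "__main__":
    report = audit_vault(SAMPLE_VAULT)
    print("reused:", report["reused"])
    print("weak:  ", report["weak"])
    for site in set(report["reused"]) | set(report["weak"]):
        fresh = generate_password()
        print(f"{site}: replace with {fresh} "
              f"({entropy_bits(len(fresh), len(ALPHABET)):.0f} bits)")
```

The generator and the audit are deliberately separate: the audit is what a "dashboard" view of a vault computes, while the generator is what replaces each flagged entry with an independent random value, so that a future leak at one site tells an attacker nothing about the others.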

Here are a few of the better-known and reputable password managers to choose from. There are many other options, just keep in mind that a fake password manager could be a bad guy's gold mine.

  • LastPass - My personal favorite. The free version automatically knows when you log into a new web site and offers to store the username and password; it also detects when you change a password and asks if you want to update your vault (the asking part is important, because it also can handle multiple logins for a single site ... useful if you have separate GMail accounts for personal and professional use, for example). It can optionally also store credit cards for easy entry into web sites (a better solution than allowing web sites to store your credit card info). The free version will synchronize between multiple computers and browsers. The premium version, at $12 per year, adds support for mobile devices - a huge convenience at minimal cost.
  • 1Password - Similar capabilities to LastPass, but at $50 for a Windows single-user license or $70 for a family license, there are better options. The Android app is a free add-on (but works in conjunction with the PC app - it does not function on its own). The iOS app is an $8.99 add-on, and again is useless without also buying the PC or Mac edition.
  • KeePass - Fully free, open source (meaning you can tinker with the source code if you are so inclined), lots of opportunity to customize it to the way you work. It also can generate and store long hexadecimal keys, such as might be used for wireless LANs - something none of the others can do. On the downside, it does not automatically memorize new passwords.
  • F-Secure Key - A new entrant into the password manager space, but an established player in computer security in general. The single-device product is free, but to synchronize between multiple computers, or between a computer and a mobile device, you must upgrade to the premium version ($16 per year).
  • Dashlane - Another relative newcomer, but with a couple of enticing features. Dashlane offers a "dashboard" that shows at a glance which accounts might benefit from a change. It is also the only password manager I know of that alerts you to accounts at businesses that have been the subject of a data breach (in other words, businesses where you need to change your password right away).

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen