Surely you have heard of the Internet security threat Heartbleed by now. But the explanations seem a bit complicated and advice to change all of your passwords yet again seems so “been there, done that.”
This is a serious matter. The short explanation is that Heartbleed is not something that infects your computer, but a flaw in the security setup of the websites you visit that could allow wrongdoers to steal some of your personal information when you visit the site. Essentially, websites where the address began with https:// were thought to be secure, as opposed to the plain http:// address. Then, literally because of a typo by a programmer, that turned out not to be so certain. This might not be a big problem if you are reading an online newspaper, but it is a big deal if you are shopping online with your bank card or have given the site your personal information. The good news is that there is a patch the websites can apply to fix the problem, and most major websites have done so. The bad news is that some sites have been slower to implement the change than others, and changing your password before the site has updated does not solve the problem. There are a number of sites that allow you to check whether a site is still vulnerable. I am directing our members to the LastPass Heartbleed Checker.
My colleague Laura Calloway wrote a very nice blog post, How To Handle Heartbleed, that is highly recommended reading. She notes “[m]ajor sites that were affected include Google and Gmail, Yahoo and Yahoo Mail, Dropbox, Box, Instagram, Pinterest, Tumblr, Etsy, Flickr, Minecraft, Netflix, SoundCloud and YouTube.” She also directs us to Mashable’s comprehensive list of affected sites.
Merely changing your password from “Password 1” to “Password32” or from your dog’s name to your cat’s name is not the long-term solution. Today you need to be using a password manager tool that will generate and remember long, random passwords. But it is also time to strongly consider using two-factor authentication for sites handling sensitive information. I wrote about both of these topics in the August 2012 Oklahoma Bar Journal. If you have not yet taken those steps, maybe you should read that article, E-mail Issues for Lawyers Today.
Two-factor authentication will be painful for all of us. Essentially, for most of us the future is that you will log into a website by copying and pasting your password from your password manager. Then the system will text a number to your phone that you also have to enter to complete your login. Leaving your phone at home or losing it will be even more of a problem than it already is, and carefully preserving the instructions for how to log in when your phone is missing will be critical.
But we have seen this time coming for a while. It is time. Here are some other articles to read if you still need some more convincing.
Inc. Heartbleed Proves the Password Is Dead. This Is What You Need Now
Lawyerist Passwords: a User Guide for Lawyers and Law Firms
ABA Legal Technology Resource Center Lessons from Heartbleed