HeartBleed Got You Down?

We have been getting a ton of questions about Heartbleed and how it affects you, so we have put together a list of popular web sites and whether you need to change your password on each.

Keep in mind that hackers most likely do not have your password, but for two years they had the ability to obtain it without your knowledge, so it is theoretically possible that your passwords have been compromised.

Please note that changing your password on a site that is or was vulnerable to Heartbleed is only effective after:

  • The site has been patched to a non-vulnerable version of OpenSSL, or switched to a different SSL implementation.
  • A new SSL certificate has been issued and applied to the site.
  • The old SSL certificates for the site have been revoked.
  • All of the above is beyond your control as an end user, so it is best to wait for confirmation from the site owner that they have fully mitigated the vulnerability.

Unique Passwords
It is our suggestion that you have several different passwords at a minimum. The biggest mistake you could make is choosing the same password for everything. If your password gets compromised on one site, someone might try to use it elsewhere.

Instead of trying to keep track of unique passwords for every site, memorize groups of them. Start with five key categories: banking, email, social networking, shopping and, finally, sites you visit very infrequently. Within those categories, you can make each password more unique by tacking on a character or two at the end specific to a site, like AZ for Amazon.com.

If there’s a breach in, say, one of your retail sites, you should immediately change all of the passwords in that group, though this strategy may have bought you a little time.

Simpler Passwords
First, get out of the mindset of using your pet or sports team as your password. Second, get out of the mindset of passWORDs and think passPHRASEs. The most basic trick is mnemonics: for example, choose passwords based around a phrase or a random assortment of words you can remember, or use the first letter of every word of the phrase as your password. So “I Left My Heart In San Francisco” could become “ILMHISF.”

Don’t just stick to phrases and words that are true in your life. You can also remember phrases that are fabrications, like the wrong name for your dog, that criminals are less likely to guess.

Another option is to pick a number of some significance to you (for example a loved one’s birthday, e.g. 12/08/1970) and splice it into a nonsensical phrase (‘shoesplittingwatchwizard’) to get a suitably difficult password:

Shoe12Splitting08Watch1970Wizard

Password Managers
Finally, some people invest in password manager services and apps, such as LastPass, PasswordBox and 1Password, which keep track of passwords and suggest especially strong ones. We highly recommend LastPass; it is what we use at Simply Web Services and on our personal computers.

Most common passwords
Below are the most commonly used passwords. Is your password on this list?

  • 123456
  • password
  • 12345678
  • Unchanged
  • qwerty
  • abc123
  • 123456789
  • 111111
  • 1234567
  • iloveyou
  • adobe123
  • 123123
  • admin
  • 1234567890
  • letmein
  • photoshop
  • 1234
  • monkey
  • shadow
  • sunshine
  • 12345
  • password1
  • princess
  • azerty
  • trustno1
  • 000000
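
As an added illustration (not part of the original post), the helpers below build the two password schemes described in the Simpler Passwords section and check a candidate against the common-password list above, also catching trivial variants such as a common word with digits or punctuation tacked on the end. The 12-character minimum is an assumption of this example, not something the post specifies.

```python
import re

# Copied from the "most common passwords" list above so the check runs offline.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "unchanged", "qwerty", "abc123",
    "123456789", "111111", "1234567", "iloveyou", "adobe123", "123123",
    "admin", "1234567890", "letmein", "photoshop", "1234", "monkey",
    "shadow", "sunshine", "12345", "password1", "princess", "azerty",
    "trustno1", "000000",
}

MIN_LENGTH = 12  # assumed threshold for this example; the post gives no number


def normalize(password: str) -> str:
    """Lower-case and strip trailing digits/punctuation ("Password1!" -> "password")
    so a common password with a suffix bolted on is still recognised."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def check_password(password: str) -> list:
    """Return the problems found; an empty list means no objection."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short (fewer than %d characters)" % MIN_LENGTH)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears verbatim on the common-password list")
    elif normalize(password) in COMMON_PASSWORDS:
        problems.append("is a common password with characters added on the end")
    if password.isdigit():
        problems.append("digits only")
    return problems


def mnemonic(phrase: str) -> str:
    """First letter of each word: 'I Left My Heart In San Francisco' -> 'ILMHISF'."""
    return "".join(word[0] for word in phrase.split())


def splice(number: str, words: list) -> str:
    """Interleave the parts of a date with the words of a nonsense phrase,
    e.g. 12/08/1970 + Shoe Splitting Watch Wizard -> Shoe12Splitting08Watch1970Wizard."""
    parts = number.split("/")
    out = []
    for i, word in enumerate(words):
        out.append(word)
        if i < len(parts):
            out.append(parts[i])
    return "".join(out)
```

Note that the seven-letter mnemonic from the post is rejected by this checker purely on length, while the spliced date-and-phrase password passes every check.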

Top 100 real world passwords (from Adobe.com hack)

Below is a link to the top 100 real world passwords as discovered when Adobe.com was hacked in 2013.

https://web.archive.org/web/20140312214529/http://stricture-group.com/files/adobe-top100.txt

Not sure if you need to change your password?
We have a list of the most popular web sites and if they were affected and if you should change your password on those sites. See that list here.

Here is a link to the top 1000 sites that were affected.
https://github.com/musalbas/heartbleed-masstest

5 Things You Can Do

  1. Change your passwords to everything, including financial and social accounts (make sure they have applied a patch before you change your password)
  2. Don’t log into any site that requires a password over public wifi
  3. Clear your browsing history and cookies
  4. Try not to opt for the “save my password” option
  5. Check your bank statements daily

Beware Heartbleed phishing emails
Websites should let their users know what is happening. They should email everyone and update them on the steps being taken to protect their customers’ identities, just as the online task manager Wunderlist has done.

Unfortunately not all online services and websites are as conscientious as Wunderlist and you may have to contact some services yourself to find out if and when they plan on updating their servers.

This, however, opens up another can of worms. Criminals now know that people will be expecting to receive emails about Heartbleed and will use this to their advantage, sending phishing emails to trick people into downloading malware or visiting malicious websites.