
HeartBleed Got You Down?
We have been getting a ton of questions about Heartbleed and how it has affected you. So we have come up with a list of popular websites in case you need to change your password.
Keep in mind that hackers most likely do not have your password, but for two years, they were able to obtain this information without your knowledge. So it is theoretically possible that your passwords may have been compromised.
Please note that changing passwords on a site that is/was vulnerable to Heartbleed is only effective after:
- The site has been patched to a non-vulnerable version of OpenSSL or switched to use a different SSL implementation.
- A new SSL certificate has been issued and applied to the site
- Old SSL certificates for the site have been revoked
- All of the above being beyond your control as an end-user, it’s best to just wait for confirmation from the site owner that they’ve fully mitigated the vulnerability
Unique Passwords
We suggest that you have at least several different passwords. The biggest mistake you could make is choosing the same password for everything. If your password gets compromised on one site, someone might try to use it elsewhere.
Instead of trying to keep track of unique passwords for every site, memorize groups of them. Start with five key categories: banking, email, social networking, shopping, and, finally, sites you visit very infrequently. Within those categories, you can make each password more unique by tacking on a character or two at the end, specific to a site, like AZ for Amazon.com.
If there’s a breach in, say, one of your retail sites, you should immediately change all of the passwords in that group, though this strategy may have bought you a little time.
Simplier Passwords
First, get out of the mindset of using your pet or sports team as your password. Second, get out of the mindset of passWORDs and think phrases. The most basic trick is mnemonics. For example, choose passwords based on a phrase or a random assortment of words you can remember. Or, use the first letter of every word from the phrase as your password. So, “I Left My Heart In San Francisco,” could be “ILMHISF.”
Don’t just stick to phrases and words that are true in your life. You can also remember phrases that are fabrications, like the wrong name for your dog, that criminals are less likely to guess.
Another option is to pick a number of some significance to you (for example, a loved one’s birthday, ie 12/08/1970) and then splicing this with a nonsensical phrase (‘shoesplittingwatchwizard’) to get a suitably difficult password:
Shoe12Splitting08Watch1970Wizard
Password Managers
Finally, some people invest in password manager services and apps, such as LastPass, PasswordBox and 1Password, which keep track of passwords and suggest especially strong ones. We highly recommend LastPass; that is what we use at Simply Web Services and on our personal computers.
Most common passwords
Below are the most commonly used passwords. Is your password on this list?
- 123456
- password
- 12345678
- Unchanged
- qwerty
- abc123
- 123456789
- 111111
- 1234567
- iloveyou
- adobe123
- 123123
- admin
- 1234567890
- letmein
- photoshop
- 1234
- monkey
- shadow
- sunshine
- 12345
- password1
- princess
- azerty
- trustno1
- 000000
Top 100 real-world passwords (from Adobe.com hack)
Below is a link to the top 100 real-world passwords discovered during the 2013 Adobe.com hack.
https://web.archive.org/web/20140312214529/http://stricture-group.com/files/adobe-top100.txt
Not sure if you need to change your password?
We have a list of the most popular websites and whether they were affected, and whether you should change your password on those sites. See that list here.
Here is a link to the top 1,000 sites affected.
https://github.com/musalbas/heartbleed-masstest
5 Things You Can Do
- Change your passwords to everything, including financial and social accounts (make sure they have applied a patch before you change your password)
- Don’t log into any site that requires a password using a public wifi
- Clear your browsing history and cookies
- Try not to opt for the “save my password” option
- Check your bank statements daily
Beware Heartbleed phishing emails
Websites should let their users know what is happening. They should email everyone to update them on the steps being taken to protect their customers’ identities, just as the online task manager Wunderlist has done.
Unfortunately, not all online services and websites are as conscientious as Wunderlist, and you may have to contact some services yourself to find out whether and when they plan to update their servers.
This, however, opens up another can of worms. Criminals will now know that people will be expecting emails about Heartbleed and will use this to their advantage by sending phishing emails that trick people into downloading malware or visiting malicious websites.