Heartbleed fallout: It’s time to change most passwords
The big question is which passwords to change. Mashable has put together a good list of major services, like Facebook and Tumblr, noting whether they were affected and if a fix is in place.
Special to The Seattle Times
I suppose it’s fitting that the most serious security issue facing Apple customers right now also has a great logo.
You’ve probably heard about the Heartbleed vulnerability and seen its iconic logo: a simple red outline in the shape of a heart with a few drips running down. The problem was a small bit of incorrect code in OpenSSL, a widely used framework for encrypting online communications, potentially exposing information we thought was secure. How does it affect Mac and iOS users?
The tiny bit of good news is that Apple’s operating systems weren’t affected by Heartbleed (although Apple uses OpenSSL, it employs an older version that doesn’t include the bad code). The large bit of bad news is that you do need to change most of your online passwords.
But which ones? If you change the password for a service that has not yet implemented a fix, attackers could still get your new password. (Most sites should have patched their systems by now, but I’m realistic enough to assume that’s probably not the case.)
Mashable has put together a good list of major services, like Facebook and Tumblr, noting whether they were affected and if a fix is in place.
Of course, if you’re like me, you have hundreds of passwords. At least, you should by now. The days of using a single password across multiple sites are long gone.
And the best way to manage them all is using dedicated software such as 1Password or LastPass.
1Password for Mac costs $49.99 for a single license or $69.99 for a 5-user family license, and 1Password for iOS costs $17.99 (although all prices are 50 percent off through April 27). LastPass is available in a free version or a premium version that costs $12 per year.
Both companies responded to Heartbleed with ways to check whether sites you use are vulnerable. The 1Password Watchtower and the LastPass Heartbleed Checker check any site address you enter and report on the Heartbleed patch status.
I use 1Password, which was updated this week for both OS X and iOS. Heartbleed prompted me to take advantage of the software’s Security Audit feature in the OS X version.
Since the app knows all the passwords and other private numbers (like software licenses, encrypted notes, and the like) you’ve entered, the Security Audit identifies weak passwords, sites with duplicate passwords, and passwords that are 6 to 12 months old, 1 to 3 years old, and more than 3 years old.
I have 663 items in my 1Password vault, and even though I thought I was doing well in updating passwords in general, I was embarrassed to see how many sites list a single, older password I used.
Many of those are defunct sites or ones I haven’t visited in years, but a few were ones that I hadn’t realized were using the old password.
Another welcome feature I’ve started taking advantage of is shared vaults.
My wife and I both use 1Password, but there’s overlap for some of the websites we share, such as a joint bank account, credit card, Netflix and a couple of personal blog sites. Updating those passwords causes our data to get out of sync in our respective 1Password vaults.
So I set up a shared vault that syncs with all of our devices via Dropbox. I didn’t have to re-enter information, which would immediately kill such an endeavor. Any item can be shared via email, text message, AirDrop (Apple’s technology for transferring documents between devices), and between vaults.
Also, not to be morbid, but I also included my 1Password master password in our shared vault so that if I were to unexpectedly die, my wife would be able to access all of my accounts.
It’s unfortunate that in this regard, we all have to become technical just to interact with companies and services online, and that the interaction is a prime target for attackers. Having dedicated tools like 1Password and LastPass definitely helps keep us not only secure but also organized.
Jeff Carlson writes the Practical Mac column for Personal Technology and about technology in general for The Seattle Times and other publications. Send questions to email@example.com. More Practical Mac columns at www.seattletimes.com/columnists