If you use the Internet, chances are you have at least one online account that has a password: your email account.
If you have never created an online password (and no one has ever set up an account for you), you can skip this. If you have any online passwords, you need to know about the Heartbleed security flaw and what you should do to protect yourself.
What Is the Heartbleed Bug?
You’ve probably been hearing the name on the news or on Facebook; maybe you’ve seen the bleeding heart graphic. If you’ve been wondering whether this is just another alarmist way to get you hooked into a 24-hour TV cycle, here’s the scoop.
The Heartbleed threat is real.
Some two-thirds of the world’s websites, including some of the biggest, use a special service called OpenSSL to scramble or “encrypt” the information you input so that it can’t be read. In the past week researchers noticed a flaw in the OpenSSL code that allows hackers to easily access all the data a website stores – a leaky hole in the encryption process. The researchers believe the flaw has been in existence for a couple of years, but nobody knew it existed before now (although some people wondered if the NSA knew). Now that the flaw has been made public, it’s open season for hackers.
So, every piece of information you’ve given to a website that uses OpenSSL is vulnerable. It might include credit card information and other personal details; it might just be an email address. If you use the same email address on multiple sites, hackers can use it to access your info on all of them.
What Types of Site Are Affected?
On the web
Any type of website might be using OpenSSL. Here are just a few examples of affected sites where you might have created an account:
- OK Cupid and other dating sites
Many other dating, social networking, retailer and other sites are vulnerable. Most bank sites have not been affected.
On mobile devices
Android: Phones and tablets running Android 4.1.1 are the only ones vulnerable. See below for what to do.
iPhone/iPad: Apple says iOS systems are not affected.
What You Need To Do
To protect your information, you’ll need to change your password on all sites that were affected by the Heartbleed bug. You should also change your password on any sites where you used the same password as one that you used on an affected site.
For example, you used the password 12345 on Yahoo.com (which is affected by Heartbleed) and also Amazon (which was not). You need to change your password on both sites.
Because every website is like a leaky bucket of data until it’s fixed the problem, or “patched” it, you should wait until it’s done so before changing your password on it. Otherwise, you’ll have to do it all over again when the site has been patched.
Here’s a step-by-step for websites
1. Make a list for yourself of all the sites where you’ve created a password.
2. Find out which of these websites have been affected by Heartbleed. You can do so in two ways: consult the list of affected sites on Mashable.com, which is being constantly updated. If a site you use is not listed on Mashable, enter it into the Heartbleed search on LastPass.com. Both these resources will tell you whether an affected site has been patched or not.
3. Make notes on the list that you made in Step 1 to indicate which of your sites are affected and patched, and which are affected and not patched yet. (Most big sites have been patched by now.)
4. Both Mashable and LastPass are uncertain about the status of some sites. If you have an account on any “may be unsafe” site, click through to the site to see if there’s a message about Heartbleed on its homepage; then update your list to reflect any additional unsafe sites.
5. Change your password on every site on your list that is affected and has been patched. Once you’ve changed the password for a site, cross it off your list.
6. Set yourself a calendar reminder to check back in a few days on the status of sites that haven’t been patched yet. Once they’re patched, reset the passwords on these, too.
7. Check the list you made in Step 1 to see if you used the same password on any unaffected site as you did on any affected site. If you did, change these passwords too.
How to stay safe on Android devices
If you are running Android 4.1.1, you can download the Bluebox Heartbleed Scanner app from Google Play. The app will tell you which version of OpenSSL your device is running and whether it’s affected, as well as whether your apps are affected.
If your system is affected, check for system updates by going to Settings > About > System Update. Update the system as soon as one becomes available.
For each app that is affected, log out, wait a few minutes and log back in again. According to Business News Daily, this will protect you until the app is updated; update the app as soon as that becomes available.
Quick Tips for Resetting Your Passwords
- Don’t use the same password you used before, even if you used it on a different website!
- Say yes to 2-step verification, which is available on many sites.
- If you’ve run out of good password ideas, have a hard time remembering them or want to create really secure passwords that are much harder to hack, try using a password manager to create and remember passwords for you. Read our Tech Tip.
Want to know more about Heartbleed and how it happened? Read Mashable’s clear explanation in Your Heartbleed Bug Questions Answered