A bug named Heartbleed, which has ramifications likely to affect every user on the Internet, was recently discovered by security researchers and announced this week.
Heartbleed is a vulnerability in OpenSSL, the technology that many websites and online services use to encrypt user data and keep it secure. The technology is estimated to be used in about two out of three servers on the public Internet.
The bug makes it possible for hackers to easily steal a service’s encryption keys, which then allows them to steal other information, including user passwords and much more. In all likelihood, your favorite social network, your bank, your email provider or some other website you frequent uses OpenSSL, if not all of them.
Fortunately, the bug was not disclosed until a fix was created for it, but now all these service providers need to adopt the fix before they can be secure from hackers.
So what can users do to keep themselves safe?
Security researchers recommend that users change the passwords to all of their services, especially the passwords for their online banking accounts, email providers and other services that deal with sensitive information.
But it is best to wait a day or two before beginning to change passwords. This will give websites and other services time to adopt the fix and secure their data. A new password for a service that hasn’t yet installed the Heartbleed fix can just as easily be stolen as an old password.
After waiting some time, users should use passwords that are hard to crack. Below are a few tips for creating good passwords:
- Use passwords that are at least eight characters long, such as “ILoveMyCat.”
- Do not use words in the dictionary. So rather than using “ILoveMyCat,” use “ILuvMyCaat.”
- Use a mix of capitalized and lowercase letters. So instead of “ILuvMyCaat,” use “iILuvmyYcAaT.”
- Use numbers, and replace letters with numbers. So instead of “iILuvmyYcAaT,” use “i1LuvmyYcA4T9.”
- If possible, use symbols too. So instead of “i1LuvmyYcA4T9,” use “i1<3myYcA4+9.”
- Use different passwords for different services. Your Netflix password and your bank account password should not be the same.
Besides changing passwords, some security experts also recommend that users hold off a few days before visiting websites that hold sensitive information, such as their banking accounts.
The Heartbleed bug may have made it possible for hackers to steal data and create “spoof” websites that could be used to trick users into giving up even more data. Waiting a few days for this mess to clear up is the safest bet.