
Heartbleed – Quick To Do List

 


Quick “To-Do” List

Important Update (4/14/14): If you get any email, no matter how legitimate it looks, telling you to click on a link and update your password, DO NOT CLICK ON THE EMAIL LINK. No legitimate company would do this. The only way you should update passwords is to open your web browser of choice and type in “www.” and the website address yourself. Never go there from a link.

Note: For those of you who don’t want (or care) to read the details below – change passwords for your most important websites: http://bit.ly/1kY8wIK

1. If you’re not using LastPass Premium, get it. Buy it. Use it to generate all passwords and save all passwords. It works on all computers and all mobile devices. Note: When setting your password for LastPass, go here to check how good your password really is and how easily it can be cracked.


2. Go to this spreadsheet and update all of these passwords immediately, with a different password for each: Google Spreadsheet. If the “Google Spreadsheet” link didn’t work for you, copy and paste this link: http://bit.ly/1kY8wIK


3. Just to make sure, update banking passwords – even though those were probably not affected.


4. Only use LastPass to fill in passwords on sites. (BTW, Roboform and 1Password are awesome, too; we just like LastPass best. No need to switch if you’re using one of the others.)


5. Check Mashable’s List of Sites regularly for the next 2-3 weeks and see which sites have been patched after you’ve worked through the spreadsheet mentioned above.

6. Bonus Tip – when going through and changing passwords, you’ll probably be looking at a list of all your accounts. Cancel the accounts you don’t use any more. Here are two great sites for cancelling accounts: Account Killer & Wiki Cancel

The Heartbleed Security Vulnerability is probably the biggest security issue we’ve ever seen. The bug has been around since December 2011. Many programs started using the vulnerable software in May 2012. So any password you’ve used since December 2011 is vulnerable to this attack. Even if the service that you use (Facebook, Gmail, Pinterest, GoDaddy) has put the patch in place, you’re still vulnerable, because the evil password stealers out there could be sitting on your passwords, waiting to use them sometime in the future. This could very well be the reason so many people’s email accounts get hacked.

Who’s affected? Yeah, that would be anyone who uses a Mac, a Windows or a Linux computer, an iPhone, an iPad, a Galaxy S-S5, or any other mobile device to access a website on the Internet.


Android users who have version 4.1.1 are also especially vulnerable (not just their passwords on the Internet). If you have an Android phone, download and use the “HeartBleed” detector.

So, the vulnerability was widely disclosed last week and many people have scrambled to fix their servers. The sites in the following list have guaranteed that they have already patched their servers. But many others could take months to patch theirs. The good news is that most financial institutions appear not to have been affected.

Change Passwords on the following sites – These are the major sites that have been patched, so your changes will stick and you shouldn’t have to “re-change” your password, like you’ll have to do with other companies who patch in the future. If there’s a site you normally use, check the Mashable site in the references below or use the LastPass Heartbleed Test – one site at a time.

  • Facebook
  • Tumblr
  • Google – including Gmail, Wallet, Play
  • Yahoo – including Yahoo Mail
  • GoDaddy
  • Pinterest
  • Intuit
  • Dropbox
  • Minecraft
  • OkCupid

I have compiled a Google Spreadsheet that you can use to keep track of when you changed your passwords. I put in a column for the date changed as well, NOT the new password. If you want a copy of this, you can print it out, save it, or copy it into your Google Docs and use it. I’ve listed these in order of importance (my opinion of course).

A note about changing passwords – now’s the time to have a NEW PASSWORD FOR EVERY SITE. As almost all of you have either one or two passwords for every site (trust me, after 20 years in the tech business, I know), when your password is compromised on one site, most hackers know this is your password for every site and they’ll try it on all your bank accounts, email accounts and social media accounts.

But, you say, WHAT A PAIN IN THE A**! Well, use a password manager. See our tutorial on changing your passwords and checking strength of passwords.

For Additional Reference
Very thorough list of sites that have changed and need changing – constantly updated – by Mashable.com
HeartBleed explained in Simple Video
Top 10,000 worst passwords
Check One Site at a Time – see if it’s been patched – By Lastpass.com

Passwords – You really need to change yours!

First off, let me just say this: Yes, passwords are important. Many of us tell ourselves that they are just formalities, or that we don’t store information online or on a hard drive, but the fact is this: Someone, somewhere, “keeps your record on file.” I’m not saying we should all have less faith in our neighbors, but someone is keeping close tabs on you, and there is no harm in protecting yourself. So change your password. It is the simplest and least expensive identity and privacy protection you can get.

So, now that that diatribe is out of the way, let’s be frank about the actual password. In short, make it a good one. Yup, having your child’s and/or pet’s name as your password, not such a good idea. And don’t even try to keep inquiring minds away with “love” or “god.”

Here are 3 free password strength checkers:
Microsoft Password Checker
Password Strength Checker
How Secure Is My Password

And having the same password for all sites, phones and computers (computer admin, email, social media, shared accounts, billing and bank services) is not practical or fruitful.

One solution: Password Managers to help keep the login info within reach.

Our 3 Preferred Password Managers: LastPass, Roboform, 1Password. All 3 of these are compatible with Windows, Mac, iPhone, Android and iPad. LastPass & Roboform are more versatile in that both support Windows Phones, and LastPass also supports Blackberry devices. We like LastPass Premium the best of the three. All 3 of these excellent Password Managers will generate and save non-pronounceable passwords for you.


Want to generate your own passwords, but can’t think of an easy way to do it?

A few good choices

Strong Password Generator

Password Generator (like this one – you can save a copy of the page on your desktop, so it doesn’t access the internet when setting passwords)

Note: all Password Managers mentioned above will also generate very secure passwords.
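
If you would rather generate passwords yourself without any website, here is a small offline generator, added as an example (it is not from this post or from any of the tools named above). The function names, the 20-character default and the symbol set are assumptions; it gives every site its own password and flags anything on the Top 10 worst list at the end of this post.

```python
import math
import secrets
import string

# The ten most common passwords listed at the end of this post.
WORST_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123",
    "123456789", "111111", "1234567", "iloveyou", "adobe123",
}

SYMBOLS = "!@#$%^&*-_=+"  # assumed symbol set; trim it if a site rejects some
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS]
ALPHABET = "".join(CLASSES)


def generate_password(length=20):
    """Random password from the operating system's CSPRNG; no network access."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Redraw the whole password instead of patching characters in,
        # so every valid password stays equally likely.
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length):
    """Upper bound on guessing entropy for a password of this length."""
    return length * math.log2(len(ALPHABET))


def is_weak(password, min_length=12):
    """True for anything on the worst-password list or shorter than min_length."""
    return password.lower() in WORST_PASSWORDS or len(password) < min_length


def passwords_for_sites(sites, length=20):
    """A different password for each site, so one leak cannot unlock the rest."""
    assigned = {}
    for site in sites:
        pw = generate_password(length)
        while pw in assigned.values() or is_weak(pw):
            pw = generate_password(length)
        assigned[site] = pw
    return assigned


if __name__ == "__main__":
    for site, pw in passwords_for_sites(["Facebook", "Google", "Dropbox"]).items():
        print(f"{site:10s} {pw}  (~{entropy_bits(len(pw)):.0f} bits)")
```

Store the output in your password manager rather than in a file or spreadsheet.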

Reference:
Changing Passwords, Setting new passwords
Top 10,000 worst passwords

PS This is an update of a September 30, 2010 post. Those of you who followed this advice four years ago will most likely find it much easier to update passwords using one of the Password Managers I mentioned.

PPS Worst passwords you can use (aka most common) – Top 10

  • 123456
  • password
  • 12345678
  • qwerty
  • abc123
  • 123456789
  • 111111
  • 1234567
  • iloveyou
  • adobe123