Saturday, April 12, 2014

Some Tips On Surviving Heartbleed

With the latest news that a particular bug in OpenSSL has pretty much made everyone's passwords to every registration-based website vulnerable, I felt it was necessary to use my computer-training skills to provide some helpful tips to all.

First off: Don't Panic.  Heartbleed has been out there for two years, so everyone's pretty much f-cked already.  If you're worried about the government or any private corporate entity getting into your emails and personal stuff, it's too late, especially since the NSA has been exploiting this bug for all that time, and stressing about it now isn't going to change that.  Those cosplay photos of you hanging out at the Furry Con have already been passed around the NSA and Booz Allen offices and openly mocked.

Second: You're Gonna Need To Change Your Passwords and Security Questions on All Affected Services.  Which means you gotta change every security detail for your Yahoo!, your Google/Gmail, your Windows, your iTunes, your Blogger pages, your Facebook, your MySpace, your Twitter, Flickr, Tumblr, Bumblr, your online banking, Amazon, Barnes&Noble, Costco, Sam's Club, Fight Club, Wikipedia, TV Tropes, Transformers Wikia, that strip club on Dale Mabry that offered a good VIP membership deal...

You'll need to make sure the fix/patch for Heartbleed has been verified before you go changing those passwords though.

Third: Come Up With a Decent Password That's Easy To Remember But Difficult For The NSA To Guess.  This is always hard to explain to library patrons when they come in asking for help creating their first email accounts (yes, it still happens after 20 years of free Hotmail and Yahoo! Mail services.  Not everyone got an email account back in 1998...).

The rules for passwords are pretty simple: letters and numbers and special keystrokes like exclamation points, asterisks, parentheses, percent signs, pound signs, and umlauts.  Hope that's not too confusing...

Okay, let's make it a little easier.  The letters (a-z) can be lower case OR Upper Case (A-Z) when you create the password: passwords are Case Sensitive.  One or more letters cAn be upPer caSe.

NEVER use a common word out of a dictionary - Esoteric, for example - and especially NEVER use a name associated with yourself - say, Aunt Jessificiantia's middle maiden name Frank.  Hackers gather that kind of social info from other sources they've researched, and they'll know about Aunt Jessificiantia, oh yeah...

Try not to use numbers that relate to yourself personally, such as: year of birth, year of high school graduation, year of getting married, year of getting divorced, year of getting hacked by the NSA, etc.  Using the last four digits of your Social Security number is WAY WRONG, do not do that (the last four of your SSN tends to get used for other things... oops).  A lucky number could work as long as no one else knows how unlucky that lucky number is to you.

The best tricks involve using abbreviations you can remember - nobody's gonna know what WDTSHTM stands for - and then a combination of numbers mixed in.  To make it harder, follow the last number in the password with another smaller (two- or three-character) abbreviation.

Oh, and the password is usually a minimum of 8 characters and a maximum of 14, maybe 16 chars.

A decent password is gonna look like this: Wdts7htM601Ga.  Some sites will insist on throwing in a special keystroke character, so Wdts7thM6Ga# is a workable variation.

Fourth: Do NOT Use the Same Password for EVERY Site that requires a password.  Yes, it may be simple to remember just the one password, but if someone hacks into your Facebook account they can use the same hack on your online banking records.  Mix 'em up.  You could try variations of a base password - changing numbers and/or abbreviated letters around, using different keystroke characters, etc. - but make the variation hard to guess.  Most sites WILL lock down an account after three failed tries, so don't make the passwords something that's just one character change between each other.
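To make the Third and Fourth tips concrete, here is an added example (not from the original post) that checks a password against the rules above - length, mixed case, digits, no dictionary word, no personal details - and flags site passwords that are only one keystroke apart.  The tiny word list and the personal-info list are constructed stand-ins; a real checker would load a full dictionary.

```python
import string

# Length limits the post gives: minimum 8, maximum 14, maybe 16.
MIN_LEN, MAX_LEN = 8, 16

# Constructed stand-in for "a common word out of a dictionary".
DICTIONARY = {"esoteric", "password", "frank", "jessificiantia"}


def check_password(pw, personal_info=()):
    """Return the list of rule violations; an empty list means it passes.

    personal_info: strings tied to the user (names, years, last four of
    SSN) that must not show up anywhere in the password.
    """
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length {len(pw)} outside {MIN_LEN}-{MAX_LEN}")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both lower- and upper-case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs at least one digit")
    lowered = pw.lower()
    if lowered in DICTIONARY:
        problems.append("is a dictionary word")
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal detail {item!r}")
    return problems


def has_special(pw):
    """True if the password carries a special keystroke (some sites insist)."""
    return any(c in string.punctuation for c in pw)


def one_char_apart(a, b):
    """True if a and b are identical or differ by a single substitution,
    insertion or deletion: the 'one character change' the post warns about."""
    if a == b:
        return True
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def too_similar(passwords):
    """Given {site: password}, return site pairs whose passwords are one edit apart."""
    sites = list(passwords)
    return [(s, t) for i, s in enumerate(sites) for t in sites[i + 1:]
            if one_char_apart(passwords[s], passwords[t])]
```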

On that note, you can write down the different passwords you're using, but that sheet has GOT to be in a secured location and unavailable for anyone else to look at.  Best tip: don't write the password itself down, but write down a memory clue / hint that will make you remember "oooooooooh that's what my password is".

Fifth: Get the VOTE OUT and vote into office candidates sworn to make the NSA answer for their evil hackery.  Make the candidates swear on a copy of Orwell's 1984 for good measure.

Now.  Don't you feel better?
