For those of you worried about the new Heartbleed bug, Games and Tech Editor Josh Creek tells you all you need to know about it, and how to stop your passwords from being hacked.
My heart bleeds (*ahem*) for everyone panicking about the Heartbleed bug. For most people the risk is small, but there are sensible precautions we can all take to make our passwords safer and harder to crack.
Firstly, what is the Heartbleed bug? The encryption used for communications between your computer and a web server (the computers powering all those lovely websites we use every day on the interwebs) is very often handled by a piece of software called OpenSSL, which implements the SSL/TLS protocols behind the padlock. It’s basically like a bouncer at a club, letting those with the right IDs in to have a private meeting. Around two-thirds of websites run on server software (Apache and nginx, chiefly) that uses OpenSSL, so whenever you see the little padlock in the address bar of your browser you’re probably relying on it.
The bug is in OpenSSL’s handling of a ‘heartbeat’, a small keep-alive message that the other side is meant to echo back. A heartbeat request can claim its contents are far longer than they really are, and a vulnerable server replies with that many bytes copied straight out of its own memory, up to 64KB per request, without anything appearing in its logs. That memory can contain other people’s usernames and passwords, session cookies and even the server’s private key. In the club metaphor, anyone can peek at the guest list and copy the bouncer’s own ID, so hackers can steal data, impersonate users and even impersonate the websites themselves.
If you want to know more about Heartbleed, particularly the technical details, there’s a dedicated website (heartbleed.com) with further information.
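To make the ‘claims to be longer than it is’ point concrete, here is an added illustration that is not part of the original article or of OpenSSL itself: a Python model of the heartbeat record layout (type, two-byte payload length, payload, at least 16 bytes of padding) with a vulnerable handler that trusts the claimed length and a patched handler that applies the bounds check OpenSSL 1.0.1g added. The server, its neighbouring memory and the secrets in it are constructed sample data.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # a TLS heartbeat message ends with at least 16 bytes of random padding


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Encode a heartbeat record: type (1 byte) | payload_length (2 bytes) | payload | padding.

    An honest client sets claimed_length == len(payload); the Heartbleed attack keeps
    the payload tiny and claims a length of up to 65535.
    """
    header = struct.pack(">BH", HEARTBEAT_REQUEST, claimed_length)
    return header + payload + b"\x00" * MIN_PADDING


class FakeServer:
    """Stand-in for a server process: the received record sits in memory next to other
    data belonging to the same process. The 'secrets' below are constructed sample
    values, not taken from any real system."""

    NEIGHBOURING_MEMORY = (
        b"...Cookie: session=9f3c2a;...POST /login user=alice&pass=hunter2..."
        b"-----BEGIN RSA PRIVATE KEY-----MIIEow..."
    )

    def __init__(self, record: bytes):
        self.record_length = len(record)  # what the TLS layer says actually arrived
        self.memory = record + self.NEIGHBOURING_MEMORY

    def vulnerable_heartbeat(self) -> bytes:
        # CVE-2014-0160: trusts payload_length read from inside the record and copies
        # that many bytes, so a lying client reads past the record into whatever follows.
        # (Python slicing stops at the end of the buffer; C's memcpy does not.)
        _hbtype, payload_length = struct.unpack(">BH", self.memory[:3])
        echoed = self.memory[3:3 + payload_length]
        return struct.pack(">BH", HEARTBEAT_RESPONSE, payload_length) + echoed + b"\x00" * MIN_PADDING

    def patched_heartbeat(self):
        # The 1.0.1g fix: compare the claimed length with the record length that really
        # arrived and silently discard the message if it does not fit.
        if 1 + 2 + MIN_PADDING > self.record_length:
            return None
        _hbtype, payload_length = struct.unpack(">BH", self.memory[:3])
        if 1 + 2 + payload_length + MIN_PADDING > self.record_length:
            return None
        echoed = self.memory[3:3 + payload_length]
        return struct.pack(">BH", HEARTBEAT_RESPONSE, payload_length) + echoed + b"\x00" * MIN_PADDING


def leaked_bytes(claimed_length: int, payload: bytes = b"hello") -> bytes:
    """Everything a vulnerable server hands back beyond the honest payload."""
    response = FakeServer(build_heartbeat(payload, claimed_length)).vulnerable_heartbeat()
    return response[3 + len(payload):]


if __name__ == "__main__":
    print(leaked_bytes(65535))
```

Run it and the ‘leaked’ bytes for a claimed length of 65535 contain the constructed cookie, login and private-key fragments that sit after the record; the patched handler returns nothing for the same request and still answers the honest five-byte one.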
Don’t rush to change all your passwords yet though! Firstly, not all websites were affected, so for many of your accounts there is nothing to do. Secondly, and more importantly, timing matters. Despite the blanket advice being handed out by media sources such as the BBC, changing your password on a website that has not yet fixed the bug achieves nothing: the new password passes through the same leaky software and can be captured exactly like the old one, so you’d only have to change it again. Wait until the site says it has updated OpenSSL (and, strictly, replaced its certificate), then change the password.
If you want to read more about this then there’s an excellent article available here.
Once you are ready to change your password though, don’t fall into the trap of thinking a short password stuffed with symbols and number substitutions is a strong one. It’s hard for you to remember and, because cracking tools try exactly those substitutions first, easy to guess. Instead use a nonsensical passPHRASE: several unrelated words strung together. To understand this a bit better take a look at the following graphic from xkcd.com:
Passphrases are a really easy way to make your online accounts more secure. As the graphic shows, every extra random word multiplies the number of guesses a hacker needs: xkcd puts ‘correct horse battery staple’ at about 44 bits of entropy against roughly 28 for ‘Tr0ub4dor&3’, which is about 65,000 times more work. It’s actually rather too easy to learn how to hack people’s passwords. There’s a piece of freely downloadable software called Brutus which, on hardware from 1995, can make over 30,000 password guesses per minute against a login form. That seems like a lot but it’s actually one of the slowest kinds of attack: it tries one guess at a time against the live website, which can throttle it or lock the account. If a site’s password database leaks, the hacker instead guesses offline against the stolen hashes, and against a weak hashing scheme a modern graphics card manages billions of guesses per second. Anyone who wants to hack an account can, so you should make it as hard as possible for them.
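The arithmetic behind the graphic, as an added example rather than anything from the article or xkcd: entropy in bits for a passphrase, the worst-case guessing time at the two online rates mentioned above, plus an assumed round figure of 10^10 guesses per second for offline cracking of a fast, unsalted hash, and a generator that picks words with the operating system’s random source. The word list is a constructed toy; a real Diceware-style list has 7,776 entries.

```python
import math
import secrets

# Constructed mini word list for the demo. A real Diceware-style list has 7,776 words,
# so each word drawn from it is worth log2(7776), about 12.9 bits.
WORDS = ["correct", "horse", "battery", "staple", "purple", "monkey",
         "dishwasher", "cloud", "pencil", "rainbow", "castle", "ocean"]

# Guess rates to compare. The first two come from the text (Brutus' 30,000 per minute and
# the 1,000 per second that xkcd assumes for an online attack); the GPU figure is an
# assumed, round number for offline cracking of a fast, unsalted hash such as MD5.
GUESS_RATES_PER_SECOND = {
    "Brutus-class online tool (30,000/min)": 30_000 / 60,
    "xkcd's online assumption (1,000/s)": 1_000,
    "assumed offline GPU attack on a fast hash (10^10/s)": 1e10,
}

SECONDS_PER_YEAR = 365.25 * 86_400


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of `symbols` independent, uniformly random picks from `choices_per_symbol`."""
    return symbols * math.log2(choices_per_symbol)


def worst_case_seconds(bits: float, guesses_per_second: float) -> float:
    """Time to exhaust all 2**bits possibilities; on average the attacker needs about half."""
    return 2 ** bits / guesses_per_second


def crack_time_table(bits: float) -> dict:
    """Worst-case seconds for each attack rate, keyed by the rate's label."""
    return {label: worst_case_seconds(bits, rate)
            for label, rate in GUESS_RATES_PER_SECOND.items()}


def generate_passphrase(words, count: int = 4) -> str:
    """Pick words with the OS random source (secrets), never random.choice and never by
    hand: the entropy figure only holds if every word is chosen uniformly at random."""
    return " ".join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    # xkcd 936's two examples: ~28 bits for "Tr0ub4dor&3", 44 bits for four words from 2048
    examples = [("Tr0ub4dor&3 style", 28.0),
                ("four random words from a 2048-word list", entropy_bits(2048, 4))]
    for label, bits in examples:
        print(f"{label}: {bits:.0f} bits")
        for attack, seconds in crack_time_table(bits).items():
            print(f"  {attack}: {seconds:,.0f} s ({seconds / SECONDS_PER_YEAR:.6f} years)")
    phrase = generate_passphrase(WORDS)
    print(f"example passphrase: {phrase!r} ({entropy_bits(len(WORDS), 4):.1f} bits)")
```

At 1,000 guesses a second the 28-bit password falls in about three days and the 44-bit passphrase takes around 550 years, matching the comic; at the assumed offline rate even 44 bits lasts under half an hour, which is why the passphrase is a defence against online guessing and a well-hashed, unique password is the defence once a site has leaked its database.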
Many websites have now implemented systems to make it harder for hackers to gain access to your account. Student Finance, for example, requires you to enter your Customer Reference Number (CRN, essentially a numeric username) and password correctly before prompting you for three randomly chosen characters from a ‘secret answer’ you provided when signing up. This means that, even if a hacker has your CRN, two different secrets need to be guessed: your actual password and your secret answer. That roughly doubles the work needed to hack your account, but it can still be done, and because the site must be able to check individual characters it has to store the secret answer in a form it can read back, so a breach of the site itself would expose it outright.
Other websites, such as Google and Dropbox, now offer two-step verification. As well as correctly entering your username and password, you must type in a short code generated on your mobile phone (or sent to it by text) that changes every 30 seconds or so. This means that, even if a hacker manages to crack your password, they can’t access your account without also being in possession of (having stolen) your phone. One caveat: a code typed into a fake login page can be relayed to the real site within those 30 seconds, so you still need to check the padlock and the address before typing it.
There are other security systems in the works for the next decade or two, such as fingerprint and retina scanners built into most computing devices (the iPhone 5S’s fingerprint sensor is an early example), but for now the most effective things you can do to make your online accounts more hack-proof are to trade in your passwords for shiny new passphrases and, of course, not to use the same password across multiple websites.
Josh Creek, Games and Tech Editor