The recent Heartbleed fiasco has underscored the importance of managing your online identity carefully. Here are a few quick tips to help you reduce your exposure to Heartbleed now and to the next credential leak later.
Change Your Passwords Often
Many businesses require you to change your work password every 60-90 days, and while we complain about it every time it comes around, we all comply (we have to). But at home, many of us (myself included) have used the same password for years. The first big step to protecting yourself from a compromised online identity is to change those passwords, and to change them whenever there is reason to believe one may have leaked. One Heartbleed-specific caveat: a new password sent to a server that is still vulnerable can be read out of memory just like the old one, so change the password only after the site has announced that it has patched and reissued its certificate.
Be Smart About Your Passwords
Technical people like to tell you to use “secure” or “strong” passwords, but really what we mean is that your password should be hard to guess. Something like “P@ssw0rd!” looks much more complex than “Password”, but it is the same dictionary word with substitutions every cracking tool tries automatically, so it buys you very little. What actually makes a password strong is length and randomness, and the best password is one that is randomly generated. Now you may be saying, “Great. Random passwords are secure but completely unusable.” If you’re on your phone logging into a service and you have to type in “~!sdflkjw932kjs*” that’s certainly not very convenient.
Convenience is relative though, isn’t it? What’s less convenient: taking a few extra seconds to get a password, or cleaning up the damage from a compromised online banking password? And let’s be honest with ourselves: that Facebook account that’s now in the background of absolutely everything can do some real damage if its password gets compromised. I’d argue that you should protect Facebook to the same level you protect your banking passwords, especially now that you can “Login with Facebook” on so many other sites and services, which means whoever controls your Facebook account can sign in to every one of them.
Get yourself a tool like KeePass. Not only is it simple to use, but it’ll generate random passwords for you, it’ll type them into the browser for you (Auto-Type), and there are versions available for every phone platform too. The other useful thing about KeePass is that it encrypts the password database, so you can store that KeePass file just about anywhere; the only thing standing between an attacker who obtains the file and all your passwords is your master password (and key file, if you use one), so make that one long and unique. Don’t rely on the database living on just one computer. What if that computer crashes or your house catches fire? Consider backing up a copy of your KeePass file to OneDrive, Amazon AWS, or another cloud backup provider.
You also need to be smart about your password selection. Many less technical folks simply alternate between a short list of standard passwords that they use over and over. How many of you go to work with “Password1”, then when IT tells you to change your password you make it “Password2”? Don’t do that! Password-cracking tools take a dictionary of common words and apply “mangling rules” (capitalize the first letter, swap letters for look-alike symbols, append a digit or a year), so every password built on a pattern like that falls out in the first few seconds of a cracking run.
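To make the two points above concrete, here is an added Python example (not from the original post, and not KeePass code) that does two things: it generates passwords the way a password manager does, from the operating system’s cryptographic random source, and it imitates a cracker’s mangling rules on a single dictionary word to show that “P@ssw0rd!” and “Password2” are among the first few hundred guesses. The rule set, the 100,000-word dictionary size and the alphabet are constructed for the illustration, not taken from any real tool.

```python
import itertools
import math
import secrets
import string

# Alphabet for generated passwords: letters, digits and punctuation most sites accept (assumed).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:;,.?"

# A tiny imitation of the mangling rules crackers apply to every dictionary word (constructed).
LEET = [("a", "@"), ("e", "3"), ("i", "1"), ("o", "0"), ("s", "$")]
SUFFIXES = [""] + [str(d) for d in range(10)] + ["!", "1!", "123", "2014"]


def random_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Uniformly random password drawn from the OS CSPRNG (secrets), never from the random module."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def mangled_candidates(word: str) -> set:
    """Every variant a cracker derives from one word: each leet substitution on or off,
    an optional initial capital, and a short list of common suffixes."""
    out = set()
    for flags in itertools.product((False, True), repeat=len(LEET)):
        stem = word.lower()
        for (plain, leet), on in zip(LEET, flags):
            if on:
                stem = stem.replace(plain, leet)
        for cased in (stem, stem[:1].upper() + stem[1:]):
            for suffix in SUFFIXES:
                out.add(cased + suffix)
    return out


def bits(guess_space: int) -> float:
    """Work factor of an exhaustive search, in bits: log2 of the number of candidates to try."""
    return math.log2(guess_space)


if __name__ == "__main__":
    variants = mangled_candidates("password")
    for weak in ("P@ssw0rd!", "Password1", "Password2"):
        print(f"{weak!r} in the cracker's list: {weak in variants}")
    # Constructed comparison: a 100,000-word list times variants per word vs. 16 random characters.
    print("dictionary + rules:", round(bits(100_000 * len(variants)), 1), "bits")
    print("16 random chars   :", round(bits(len(ALPHABET) ** 16), 1), "bits")
    print("example password  :", random_password())
```

The point of the numbers: every “clever” variant of a dictionary word lives in a search space of roughly 25 bits, which a GPU exhausts in well under a second against a leaked hash database, while 16 characters chosen at random sit above 100 bits, far beyond any offline cracking budget. Since you never type a random password from memory anyway, the manager carries the inconvenience for you.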
Use Two-Factor Authentication
Most of your critical services (banking, Facebook, etc.) support two-factor authentication, and if you're not using it you're just plain crazy. I'd go as far as to say that any time you have the chance to use two-factor authentication, you should. It forces an extra step of verification when you try to log in, and there are two main flavors: a text message with a verification code, or an app on your phone that generates a code that changes every 30 seconds. The first is pretty straightforward. If you're logging into Facebook, for example, you'll enter your username and password, then Facebook will prompt you for a code that it sends to you via text message. Either flavor shuts out an attacker who has only your password, which is exactly the situation a leak like Heartbleed creates. Neither is perfect: a text message can be redirected if someone talks your carrier into moving your number to their SIM, and any code can be phished if you type it into a fake login page, so the code is a second lock, not a substitute for the first. The app-based flavor is gaining popularity since it doesn't depend on text messages arriving, or arriving at all. When you enroll, the service shares a secret with the app (usually by scanning a QR code); from then on the app and the service each compute the same code from that secret and the current time, much like those little RSA security tokens we used to carry around to VPN into the office. Some services support only one of the two flavors; just look for a menu or an option to enable two-factor authentication and follow the steps they give you. Next to smart password management, this is the best way to protect yourself. If a service offers it, you should be using it.
Look for the Padlock
Look for the browser's security indicators everywhere you go. They tell you that the connection to the site is encrypted with SSL/TLS and that the site presented a certificate the browser trusts. To be precise about Heartbleed: it was not a flaw in SSL itself but a bug in OpenSSL, the library most web servers use to implement it, which let anyone on the Internet read chunks of a server's memory, potentially including the server's private key and the usernames and passwords of people logged in at the time. That is why sites had to both patch and reissue their certificates, but we won't go into those details. Back in the day (I say that like it was more than a few years ago), you were told to look for a “padlock” or a “key” in the browser to indicate the website you're on is secure. Modern browsers take it a step further and, for sites whose owners went through Extended Validation vetting, show the organization's name and turn the address bar green. I'd go out on a limb and say you should never, ever, put banking or credit card information into a website that doesn't show the padlock, and you should expect the green bar from your bank. Keep in mind what the indicator does and does not mean: it says the connection is encrypted and the site is who its certificate says it is, not that the site itself is trustworthy or free of bugs.
Go download KeePass for your computer and your phone, and familiarize yourself with it.
Change your passwords ASAP, especially if any of your websites are on the list of affected Heartbleed sites, but wait for each site to confirm it has patched first, since a password sent to a still-vulnerable server can leak the same way.
Discipline yourself to actually change your passwords, and never reuse one password across sites; a leak at one service should not hand over the others.
Remember that while Heartbleed has brought visibility to this, it isn't a one-time thing where you just fix the current threat. As everything moves to the cloud and becomes reliant on services like Facebook, Google, Microsoft, etc., you need a strong identity management strategy.