How to Protect Yourself
From Heartbleed
Security Flaw
Larry Magid
Co-director
ConnectSafely.org
April 11, 2014
Don’t panic
• It’s a serious problem but it’s not the end of the Internet as
we know it
• Flaw has been around for two yea...
See if the sites you visit are vulnerable
• Check to see if sites you visit are now vulnerable*, using:
• Lastpass Heartbl...
Change passwords once you know
your site is not vulnerable
• After confirming that a site is not vulnerable, change the
pa...
Monitor your accounts & watch for
phishing
• Check your accounts
• Check your email, bank, social media and other accounts...
Change your passwords once you
know the site isn’t vulnerable
• Change your passwords after you know that the site isn't v...
Passwords should be:
• At least 8 characters long
• Contain at least one number
• Contain at least one capital letter
• Co...
Think of a phrase you can remember
Come up with a phrase and use a character from each word. Use
capitals where appropriat...
An easy way to make each password
unique
• Add a letter or two to the password based on the name of the site
you’re loggin...
Change your passwords if & when:
• There has been any type of security breach on the site or your system
• You have lost a...
Consider 2-factor authentication
• A growing number of sites allow you to use two-factor
authentication: Something you kno...
Be wary of tricks to get your password
Avoid phishing: Never enter a password based on a link in an email
unless you’re ab...
Consider using a password manager
• Password managers store and enter passwords for you. You can
create really strong pass...
Use a very strong password for:
• Email
• Many sites will send your password to your email address so it’s important
that ...
Never share your passwords
Sharing a password is not a sign of being a good friend. Even if you
really trust that person:
...
For more on strong passwords:
passwords.connectsafely.org
Larry Magid
Co-director
ConnectSafely.org
larry@ConnectSafely.org
Upcoming SlideShare
Loading in …5
×

How to Protect Yourself From Heartbleed Security Flaw

20,247 views
20,043 views

Published on

Some updates and advise on how to protect yourself from the Heartbleed flaw including when and

Published in: Internet, Technology

How to Protect Yourself From Heartbleed Security Flaw

  1. 1. How to Protect Yourself From Heartbleed Security Flaw Larry Magid Co-director ConnectSafely.org April 11, 2014
  2. 2. Don’t panic • It’s a serious problem but it’s not the end of the Internet as we know it • Flaw has been around for two years • So far (as of 4/11/14) there are no reports of the flaw being exploited • Hardware could be vulnerable but not clear if consumer routers are at risk
  3. 3. See if the sites you visit are vulnerable • Check to see if sites you visit are now vulnerable*, using: • Lastpass Heartbleed checker • Filippo Valsorda's Hearbleed test • Qualys SSL Labs • Also check CNET’s list of top 100 sites * The fact that a site is now vulnerable doesn’t mean it wasn’t in the past
  4. 4. Change passwords once you know your site is not vulnerable • After confirming that a site is not vulnerable, change the password • Actually you should do this regularly – at least every few months • Keep reading for advice on how to change your passwords
  5. 5. Monitor your accounts & watch for phishing • Check your accounts • Check your email, bank, social media and other accounts to make sure there is no irregular or suspicious activity or unauthorized purchases • Beware of “phishing attacks” • You might get email that appears to be from banks and other sites, "disclosing" that the site was vulnerable and asking users to reset their passwords. These could be phishing attacks designed to trick you into revealing your log-on credentials to thieves. And some of these attacks are very sophisticated, taking you to sites that look identical to a company's real site
  6. 6. Change your passwords once you know the site isn’t vulnerable • Change your passwords after you know that the site isn't vulnerable • If you change them on currently vulnerable sites you’ll have to do it again with another unique password Read on for password suggestions
  7. 7. Passwords should be: • At least 8 characters long • Contain at least one number • Contain at least one capital letter • Contain at least one symbol (like #, %, &) • Not be a real word, name or anything that would be relatively easy to guess Go to next slide for suggestions
  8. 8. Think of a phrase you can remember Come up with a phrase and use a character from each word. Use capitals where appropriate Example “I met Susan Morris at Lincoln High School in 1991” The password could be: ImSMaLHSi#91
  9. 9. An easy way to make each password unique • Add a letter or two to the password based on the name of the site you’re logging into. For example: • Amazon: aImSMaLHSi#91z (added an A to beginning and a z to end) • Google: gImSMaLHSi#91 • Twitter: tImSMaLHSi#91r
  10. 10. Change your passwords if & when: • There has been any type of security breach on the site or your system • You have lost a device that has the password stored • Someone else gets hold of your password • And even if none of this happens, change your passwords every few months
  11. 11. Consider 2-factor authentication • A growing number of sites allow you to use two-factor authentication: Something you know & something you have. • Typically, the site will send a code to your phone that you type in along with your username and password. Anyone trying to access your site without your phone is out of luck. • Some sites (like Google) only require it if you’re on a new device. Others require it each time. • Downsides are it’s a little inconvenient and a hassle if you don’t have your phone • Upside: It’s a lot more secure (but not 100% secure)
  12. 12. Be wary of tricks to get your password Avoid phishing: Never enter a password based on a link in an email unless you’re absolutely sure it’s legitimate. It’s safer to type in the web address of your bank or other company rather than clicking on a link. Don’t give out password over phone: Be skeptical if you get a call from a service you use or your company’s network support department asking for a password. Tell them you’ll call them back and find out if it’s legitimate.
  13. 13. Consider using a password manager • Password managers store and enter passwords for you. You can create really strong passwords (or let them generate random ones) and all you need to remember is the password manager’s password • Examples: Lastpass Roboform Kaspersky Password Manager DataVault Password Manager (iPhone) mSecure Password Manger (Android)
  14. 14. Use a very strong password for: • Email • Many sites will send your password to your email address so it’s important that it be very secure • Social network sites • Your reputation can be affected if someone posts negative and abusive material in your name • Banking • Pretty much goes without saying that you want a strong lock on your bank account • E-commerce sites • Don’t let anyone go on a shopping spree with your money
  15. 15. Never share your passwords Sharing a password is not a sign of being a good friend. Even if you really trust that person: • A friend can become an ex-friend • Your friend might not be as careful as you are • Your friend might use the password on a machine that’s not all that secure • Possible exceptions are kids sharing with parents or spouses sharing with each other
  16. 16. For more on strong passwords: passwords.connectsafely.org Larry Magid Co-director ConnectSafely.org larry@ConnectSafely.org

×