Your passwords and other personal information may have been stolen from any website that was affected by the Heartbleed vulnerability. These steps will help you minimise your current risk and set up a system to manage the security of your digital life online.
1. Set up two-factor authentication
Setting up two-factor authentication means that when you log into an account from a device you haven't used before, you have to provide both your password and something else: a second form of authentication.
The second step is usually a numeric code of a few digits that is sent to your mobile phone by SMS, or generated by an authenticator app on it. The code is only valid for a short time and can only be used once.
The minor inconvenience of entering an extra code when setting up a new device, or perhaps authorising a new banking transaction, is well worth the security of knowing that even if someone somehow gets both your username and password, that information is useless to them without your phone as well. One caveat: an SMS code can still be phished or intercepted, so where a site offers an authenticator app instead of SMS, prefer the app.
Each site that offers two-factor authentication has its own way of enabling it; you'll usually find it in the settings or account screens, and it's never that hard to find. A definitive list of major sites that do and don't offer it is here, with links to the instruction pages for the sites that do.
A quick (but not exhaustive) list of where you should enable two-factor authentication right now: Google/Gmail, Apple, Facebook, Twitter, Dropbox, Evernote, PayPal, Microsoft Accounts and Office 365, LinkedIn, LastPass.
2. Use a password manager
If you don't use a password manager already, now is a really good time to start. Using one wouldn't have protected your individual passwords against Heartbleed, since the leak happened on the server side, but it makes the cleanup much easier.
If you have reused the same password on multiple sites, you'll need to change that password everywhere, in case any one of those sites was vulnerable: a password leaked from one site opens every account that shares it.
It is really important to use a unique, long password on each and every website you use, so that if your password is stolen from one site it does not expose your accounts elsewhere. Length matters more than clever substitutions: a password generated by a manager can be 16 or more random characters drawn from upper- and lower-case letters, digits and symbols, and you never have to type or remember it. Treat eight characters as the bare minimum for anything you must type by hand. It is impractical to remember a distinct complex password for every account you have, and you should also change a password promptly whenever there is reason to think it was exposed, as with Heartbleed; rotating the passwords on critical accounts every few months is a reasonable habit on top of that.
So what is a password manager? Programs like RoboForm, LastPass, 1Password and Sticky Password take the pain out of remembering and managing all of your unique passwords. They generate complex passwords that are hard to crack, fill them in automatically at the web services you use so you don't have to remember or write them down, and keep a list of all your password-protected websites. Some also offer family password management, or a way of sharing login details securely rather than exposing a password over e-mail, phone or instant messaging.
When choosing a password manager, bear in mind the full set of functionality you need. If you run your own business you may need enterprise features so you can implement a meaningful password management policy. As we increasingly browse the web and use apps on smartphones and tablets, also consider how you will manage your passwords on the road. Some password managers are free and some charge for certain features, so do your research and see what fits your situation.
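The two jobs a manager does for you in this cleanup are generating strong unique passwords and spotting reuse. Here is an added example in Python (not code from the article or from any of the products named) that does both over a small constructed vault: it generates a random password from a CSPRNG, estimates how much guessing work it represents, lists passwords shared between sites, and works out which sites must be rotated if one of them turns out to have been vulnerable. The vault contents and the site names are made up for the example.

```python
import math
import secrets
import string
from collections import defaultdict
from typing import Dict, List, Set

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 86 characters


def generate_password(length: int = 20) -> str:
    """Uniformly random password from a CSPRNG, resampled until every
    character class is present (some sites insist on that). With a
    manager filling it in, 20 characters costs the user nothing."""
    if length < 4:
        raise ValueError("need room for one character from each class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in (LOWER, UPPER, DIGITS, SYMBOLS)):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing work for a uniformly random password: log2(alphabet ** length).
    8 chars from a 94-symbol keyboard alphabet is ~52 bits; 16 chars is ~105."""
    return round(length * math.log2(alphabet_size), 1)


def find_reused(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Passwords that appear on more than one site, with the sites that share them."""
    by_password = defaultdict(list)
    for site, pw in sorted(vault.items()):
        by_password[pw].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def sites_to_rotate(vault: Dict[str, str], compromised: Set[str]) -> List[str]:
    """Every site whose password is the same as one used on a compromised site:
    the compromised sites themselves plus anything sharing their password."""
    burned = {vault[s] for s in compromised if s in vault}
    return sorted(site for site, pw in vault.items() if pw in burned)


# Constructed sample vault; shop.example is assumed (for the example) to have been vulnerable.
SAMPLE_VAULT = {
    "mail.example": "Hunter2!",
    "bank.example": "Tq8#vLm2@zR5wX9b",
    "shop.example": "Hunter2!",
    "forum.example": "summer2013",
}

if __name__ == "__main__":
    print("new password:", generate_password(), "->", entropy_bits(20), "bits")
    print("reused:", find_reused(SAMPLE_VAULT))
    print("rotate because shop.example leaked:", sites_to_rotate(SAMPLE_VAULT, {"shop.example"}))
```

Note that `sites_to_rotate` flags mail.example even though only shop.example was vulnerable, which is exactly why reuse has to be hunted down rather than fixing one site at a time.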
3. When to change your passwords
There's no point in changing all of your passwords immediately, but start with your critical accounts straight away. Many sites are still vulnerable to the bug, and changing your password on a site that is still vulnerable achieves nothing, because the new password can be leaked just like the old one. For those sites, wait until the site owner has patched OpenSSL and replaced the certificate and its private key, then change your password immediately. Some password managers, such as LastPass, even have tools that tell you when it is safe to do this.
Using the simple tools in the next section you can check whether a site is vulnerable; if it's not, change the password to something new and unique now. Not everything was affected, but now might be the time to go through all of your accounts and revise your password policy.
4. Useful tools and information
Remember that just because a site is not vulnerable now, it might have been a couple of weeks ago, so you still need to change your password. There are lists out there of what was and was not vulnerable, like this one.
Load this simple Chrome browser plugin, dubbed Chromebleed, and it will display a warning when you visit a website affected by Heartbleed.
Or you can use this tool from LastPass, where you type in a web address and check whether that site is vulnerable to the bug.
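What these checkers probe for is a missing bounds check in OpenSSL's handling of the TLS heartbeat message. The following added simulation (not code from the article, from OpenSSL or from the tools named above) shows the shape of the bug and of the fix side by side: a heartbeat message carries a two-byte payload length, the vulnerable handler trusts it and echoes that many bytes starting at the payload, and the fixed handler discards any message whose declared payload does not fit inside the record actually received. The "server memory" is a constructed byte string standing in for the heap; the cookie and key fragment in it are made up.

```python
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # RFC 6520 requires at least 16 bytes of padding after the payload


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """TLS heartbeat message: type (1 byte) | payload_length (2 bytes) | payload | padding.
    An honest client sets payload_length to len(payload); the attack lies about it."""
    if claimed_len is None:
        claimed_len = len(payload)
    return struct.pack(">BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING


def vulnerable_heartbeat(memory: bytes, record_len: int) -> Optional[bytes]:
    """Mirrors the logic of OpenSSL 1.0.1 before 1.0.1g: the declared payload
    length is trusted, so the echo copies payload_len bytes from where the
    payload starts, running past the record into adjacent memory."""
    hbtype, payload_len = struct.unpack(">BH", memory[:3])
    if hbtype != HB_REQUEST:
        return None
    echoed = memory[3:3 + payload_len]  # no comparison against record_len
    return struct.pack(">BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING


def fixed_heartbeat(memory: bytes, record_len: int) -> Optional[bytes]:
    """The 1.0.1g fix: discard the message unless the header, the declared
    payload and the minimum padding all fit inside the record received."""
    if record_len < 1 + 2 + PADDING:
        return None
    hbtype, payload_len = struct.unpack(">BH", memory[:3])
    if hbtype != HB_REQUEST:
        return None
    if 1 + 2 + payload_len + PADDING > record_len:
        return None  # silently discard, as RFC 6520 section 4 requires
    echoed = memory[3:3 + payload_len]
    return struct.pack(">BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING


def response_payload(response: bytes) -> bytes:
    """What the sender reads back out of a heartbeat response."""
    _, payload_len = struct.unpack(">BH", response[:3])
    return response[3:3 + payload_len]


# Constructed stand-in for the server heap: the received record sits directly
# before data belonging to other connections, which is what leaked in practice.
ADJACENT_MEMORY = (b"\x00" * 8
                   + b"Cookie: session=3f9a1c; password=hunter2 "
                   + b"-----BEGIN RSA PRIVATE KEY-----" + b"\x00" * 64)


def simulate(handler, payload: bytes, claimed_len: Optional[int] = None) -> Optional[bytes]:
    """Place a heartbeat record in front of the constructed heap and run a handler on it."""
    record = build_heartbeat(payload, claimed_len)
    memory = record + ADJACENT_MEMORY
    response = handler(memory, len(record))
    return None if response is None else response_payload(response)


if __name__ == "__main__":
    print("honest request, vulnerable server:", simulate(vulnerable_heartbeat, b"hello"))
    print("lying request, vulnerable server:", simulate(vulnerable_heartbeat, b"hello", 200))
    print("lying request, patched server:", simulate(fixed_heartbeat, b"hello", 200))
```

Two points follow directly from the simulation: the leak is read-only and leaves no trace in the application's own logs, which is why a site that is patched today may still have leaked session cookies, passwords or its private key last week, and why the advice above is to wait for a patched site with a new certificate and only then change your password.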
Being secure isn't easy, but that's exactly what attackers count on: that you will be lax in protecting yourself. You wouldn't leave the house with the front door open, and you don't keep the spare set of keys under the front door mat. So it's worth taking some time to get organised and get a system going to ensure that you, your family and potentially your business work with minimised risk online.