Heartbleed: What Is The Correct Response?

My friend Stephen emailed me and said he’s changing all of his passwords in the wake of the Heartbleed bug.

I thought about that and wondered to myself “what is the appropriate response to this?”. So I thought I’d blog about it today and generate a discussion. I am sure I will learn something from it. And hopefully all of us will.

Is the correct response, as Stephen suggests, to change passwords on every site and app you have a stored password for? Is that even possible? What about that podcasting service I signed up for eight years ago? I can’t even recall what is is called anymore.

Or is it correct to respond to password change requests from the services that recommend that? I just did that on a bunch of services that notified me via email that I should do that.

Or is it correct to scour the Internet for suggestions, like this post on Mashable, and follow their advice?

Or is this the time we should all move to 1password, or something like that, to manage our passwords?

If you use two factor auth, as I do on many services, does that mean you don’t need to change those passwords?

There are a ton of super smart and technical folks who read this blog. What are you doing and what would you recommend we all do?

#Web/Tech

Comments (Archived):

  1. Alex Wolf

    Thank goodness you are asking all these questions Fred. I’ve asked them before and now they press on me. Look forward to the comments. This community service.

  2. Anne Libby

    In the longer run, can’t blockchain be used to authenticate identity? Will this be more bulletproof, so to speak?And if so, who’s working on this? Hurry! It makes my head hurt to think of all the places I have ID/password.

    1. fredwilson

      hurry is right

    2. Avi Deitcher

      Blockchain to authenticate identity? Please do explain.

      1. Anne Libby

        When I commented, couldn’t think of where I had read this. Of course, it was via USV: Albert wrote about this.http://continuations.com/po

        1. Avi Deitcher

          Thanks, Anne, I will read it right away. I have been remiss in most readings for the last 2 months, between work overload and broken ankle.

          1. Anne Libby

            Avi, recovering from a a broken bone can be surprisingly exhausting. And crutches, yikes. I am so sorry. Take good care of yourself.

          2. Avi Deitcher

            Ice hockey injury. As we Canadians say, at least I came by it honestly.

          3. Anne Libby

            I broke my wrist skating. #bornmidwestern

          4. Avi Deitcher

            Recently?

          5. Anne Libby

            Yep.

          6. Avi Deitcher

            Very sorry to hear. You take care of yourself as well. Between the two of us, we could put one whole person on the ice…

          7. Anne Libby

            We’ll both be back on the ice in a few months!

          8. Avi Deitcher

            I hope so. I miss hockey terribly. Keeps me (relatively) sane.

          9. pointsnfigures

            Habs or Leafs?

          10. Avi Deitcher

            I grew up idolizing the Blond Demon, Yvan Cournoyer, the Rocket, the Pocket Rocket, Ken Dryden….

          11. pointsnfigures

            The Habs crushed us in Chicago in 1972. Dryden was magnificent in goal. The original wall.

          12. Avi Deitcher

            I loved watching them. My father had half-season tickets two rows off the ice in the corner, we used to love those games.Somehow, despite growing up in NYC and Israel, my 2 older boys are rabid Habs fans. I love watching and playing, enjoy the teams, but since they instituted the draft, I feel less allegiance.

          13. pointsnfigures

            It’s been awhile since the flying frenchman have been good. Maybe this year. Would love to see an Original 6 final against the Hawks. Hopefully, the Hawks will be healthy for the playoffs. Someone has been hurt all year.

          14. Avi Deitcher

            It has been a while since the flying frenchmen really were the flying frenchmen….

          15. Avi Deitcher

            And thank you. ๐Ÿ™‚

          16. Anne Libby

            Thank you, too.

        2. Avi Deitcher

          Fascinating. It purports to solve the problem of control of an identity in an irrevocable fashion. Once I own my name, no one can take my name.So an identity is the equivalent of a bitcoin wallet, and proof of identity is shown using my private key, identical to how I release bitcoin from the ledger?Is it dramatically different than some of the original PGP directories? They also had a ledger and pub/priv keys, although those are relatively centrally controlled, not distributed, but the idea is the same.It does, however, kill my anonymity.

          1. Anne Libby

            I don’t think it kills anonymity, executed in the right way. Maybe Albert will stop by and chime in.

          2. Avi Deitcher

            Bitcoin itself is only pseudonymous. You can track transactions all the way back to source, since every transaction ever is on the blockchain.I like the idea of irrevocable yet password-less identity proof for a Website, yet not the idea that in order to do so, they can tie something back to me.Of course, since I always use my email, it isn’t that hard anyways, is it?

    3. kidmercury

      probably, though blockchain innovation is severely limited until the cost of transaction validation is managed and assigned in an agreeable fashion.

  3. PrometheeFeu

    Only change your password for services that patched their systems and revoked their private key, otherwise, you’re not gaining anything. Also, only change passwords on recently used services. Your threat model is probably somebody spying on you with the use of that service right now. It’s unlikely anybody is recording all your internet traffic waiting for the opportunity that just came up. (And if someone is , they probably also have an army, thumbscrews and know a couple other zero-days we don’t know about) Finally, sign out and sign back in to services that were patched to get new session ids.For the future, tell people to use perfect forward secrecy when they setup servers to mitigate future issues like this one.

    1. fredwilson

      thanks. very helpful

    2. Scott Barnett

      What about Lastpass and their update to automatically identify sites at risk? Reliable? Seems like a better option than changing passwords on hundreds of sites…

      1. giantslor

        Their advice is in line with what I’ve seen from security experts. I used their Heartbleed-check tool and it’s VERY useful.

      2. PrometheeFeu

        I don’t know anything about Lastpass, sorry.

        1. Scott Barnett

          Here’s their blog post explaining what they do – I use lastpass and will download this new version to see how it works – seems like a great thing – http://blog.lastpass.com/20

          1. PrometheeFeu

            That looks pretty good actually. I would say you probably will be fine if you follow their advice.

      1. PrometheeFeu

        You could check their CA’s certificate revokation list. However, I would simply wait for them to announce they’ve resolved the issue and maybe ask them if they revoked their certs. At the end of the day, you’re still stuck trusting them not to have mucked things up by for instance switching cert before patching, so it makes sense to go off what they say. And I would bet a lot of security researchers are spending their day (and the following days) looking for sites who patched but didn’t revoke their certs. So you’re probably good for well known services.Well, I’m back to harrassing Citibank until they tell me whether they were vulnerable or not and if they patched or not…

    3. JamesHRH

      Patched? How does average user know that happened?

      1. PrometheeFeu

        The comments list a couple ways to figure that out, but you could just wait for the service provider to say they fixed the problem on their end.

  4. Julien

    Change your password on any service that has data that you can’t afford to see compromised.Also keep in mind that any data you exchanged with any service which was vulnerable could have been leaked, not just passwords, credit card numbers, SSN… Etc.

    1. Avi Deitcher

      What’s the diff between dashlane and 1password combined with iCloud or Dropbox?

  5. jason wright

    at some point in the future everyone (and every thing – the internet of things things) wanting to connect to the web is going to need to have a verified identity to proceed. this is not an NSA-esque paradigm. this is a mutual trust environment.

    1. Avi Deitcher

      I don’t disagree that it might happen, I just find it unnerving. I don’t need proof of identity to buy/read a local newspaper, I don’t want anyone to know if I read the WSJ or NYT, Washington Post or Washington Times, or even the National Enquirer or something even less respectable. The same for online.

        1. Avi Deitcher

          Hey, I saw Men In Black! I know that’s where the real news is!I like quality of writing as much as quality of reporting.

    2. Avi Deitcher

      To add… my preferred paradigm would be some way of coming up with an anonymous and unique identifier I can use on a given site. I can always use it to identify going forward from anywhere – iOS, Android, Web, some other laptop – but it cannot go backwards to identify real me without my opening it up.Not to get too technical, but think of hashes (which is how good passwords are stored, unless you are incompetent, like Adobe…): I can prove I know the source, but you cannot get to the source. I can prove I am user 12345, but you cannot get from that to Avi.

      1. jason wright

        the web could be the platform for the rise of the fifth estate, or it could simply consolidate the power of the existing estates. it’s a battle ground.

      2. Fernando Gutierrez

        The problem with that is that if you use that hash in many places it could be relatively easy to link it to you. The amount of data that we leave behind is huge.

        1. Avi Deitcher

          Fernando, the hash would have to be unique not only to each site, but to each and every login. The nice thing about hashing is that it is doable, as long as the cleartext is the same in each login. Make it a combo of the site, the username, and some random text, and it works. But then we are dependent on the random text.However, yes, I cannot reverse-engineer to the private key, but I can know which public key it came from. Still, it is far less of a trail than a blockchain.The blockchain by definition stores every transaction ever done. A hashing mechanism can confirm your ID relative to your public key, and then throw away the hash results. They are useless anyways. Or the public key to which it was connected.

          1. Fernando Gutierrez

            Got it! Like it! ๐Ÿ™‚

  6. Avi Deitcher

    1passwd is great, especially in combination with cloud services, but it is just a password vault. It doesn’t protect your passwords on those sites.

    1. Cam MacRae

      All true. But if you use it correctly it does ensure you don’t share passwords across sites.I know 3 passphrases in total: my ident for work, my private key passphrase, and my 1Password passphrase. Everything else looks something like this… oXm*VGUiQx,9mVUEr3QipMEZ

      1. Avi Deitcher

        Ah, so not that it would have solved this problem, but it would have reduced the impact of a stolen password to just that site?

        1. Cam MacRae

          That’s why I use it. Every site has a unique password that I don’t know or care to know.

          1. Avi Deitcher

            The app world messes that up sometimes. I hate having to open 1P on iOS, copy the password, then switch apps again to paste it in… if it allows pasting.Maybe Suster was right about “App is Crap.”

          2. Cam MacRae

            I use the 1Password mobile browser if I have to log in to some site on the web. It’s ok for most things. Needs a bit of polish.

          3. Avi Deitcher

            Email them, they are pretty responsive.

  7. jason wright

    project ara’s mdk v1 was released yesterday. i think this proto innovation is deserving of a post discussion at some point.

  8. Avi Deitcher

    If we look at this how the credit card companies do – fraudulent behaviour – rather than assuming all is compromised. If someone had already gotten to your social media or bank account (not to compare the 2), wouldn’t they already have used it for nefarious purposes?

  9. William Mougayar

    There must be a better way than entering passwords the way we do today. It’s a vexing issue that has been neglected.Why don’t we implement a biometric type of password security where the systems recognize us by who we uniquely are.

    1. Avi Deitcher

      Hardware. Who wants to modify hardware, and then it is still a shared phrase easy to modify.The big advantage of passwords is they depend on nothing more than keyboards, which have been everywhere since good ol’ green screens.

      1. sigmaalgebra

        > since good ol’ green screensEver hear of a typewriter?

    2. PrometheeFeu

      Because you’re pretty much constantly broadcasting your biometric information to anyone who cares to capture it.

    3. fredwilson

      Because you can’t change or revoke your fingerprint when its stolen

      1. Anne Libby

        The incentives created are not attractive. Stolen. Ugh.

        1. PrometheeFeu

          I think stealing the data generated by the fingerprint reader would remain more attractive than stealing the actual finger.

          1. Avi Deitcher

            Ha! Crossed wires! I agree with @PrometheeFeu

        2. Avi Deitcher

          I think he meant the data of the fingerprint, not the finger itself…

          1. Anne Libby

            I can’t remember where I was feeding my sci-fi dependence recently — it involved using a “stolen” hand as a biometric ID.It all happens in sci-fi first, friends.

          2. Avi Deitcher

            I remember reading about it in some cheesy terror thriller novel, about a terrorist who is brought into JFK airport, plane lands on autopilot, everyone is dead, but the terrorist steals the Fed agent’s hand or finger to get into the secure facility?

          3. Girish Mehta

            The Lion’s Game – Nelson DeMille.

          4. Avi Deitcher

            Bingo. Thank you Girish.

          5. William Mougayar

            and I believed that ๐Ÿ™‚

          6. William Mougayar

            yep, could be a 2- or 3-factor thing.

          7. Avi Deitcher

            Is that like the old Microsoft 3-finger salute? ๐Ÿ™‚

      2. William Mougayar

        there’s heartbeat authentication. also, retinal display scan.

        1. Cam MacRae

          Iris scan. Unless you have glaucoma.

          1. leigh

            i always worry about people killing me and taking my eyeball to scan…too many james bond movies perhaps ๐Ÿ™‚

          2. sigmaalgebra

            Naw! They will just get a good portable telescope connected to a good single lens reflex camera and, from maybe 100 yards away, take some pictures of your eyes. Then in James Bond style, they will have a small video display show their really good image of your eye and, thus, fool anything looking at your eye! Piece of cake!The telescope? Okay, there used to be a good one, Questar, that all physics students instantly fell in love with. When I bought a sack full of really good Nikon products, I nearly also bought a Questar! Maybe I should have! The thing is just astounding. Look athttp://www.questar-corp.com…Can still get them!Your eyeballs are wide open and fully at risk!

          3. Conor

            In Malaysia back in.. wow.. 2005.. A gang of thieves carjacked a Mercedes owner and cut off his finger as the ignition was secured by fingerprint id. So it’s not far from reality..

          4. Cam MacRae

            ๐Ÿ™‚

      3. Eric Fleischman

        That’s not how biometrics work. (Not defending biometrics but it’s worth understanding that fingerprint revocation isn’t a problem)

      4. Brad Gillespie

        Fingerprints (and iris and …) are usernames not passwords.

    4. Cam MacRae

      When I re-enter the country I pass through SmartGate which uses facial recognition to decide whether to let me in. Except it doesn’t work if I have my glasses on. And if I have my glasses off I can’t see well enough to follow the bloody instructions.Iris scanner at our NOC works well. Except when it doesn’t. Which is most of the time.Pin code and print reader is not too bad, but it develops this unholy film of slime over a couple of hours and it is nobody’s job to clean it off. Just keep your mitts away from your face and it’s doubtful you’ll die of anything serious.I’d rather stick to my passphrase, ta.

      1. LE

        Iris scanner at our NOC works well. Except when it doesn’t. Which is most of the time.That’s really a staple of various crime movies. Category: Boy who cried wolf exploit (I will call it).It’s the security camera that goes on the blink occasionally therefore when it doesn’t work on the day of the crime the people viewing the monitors don’t take it seriously. They call the cctv vendor for service again. Or the alarm system that goes off that nobody pays attention to.

        1. sigmaalgebra

          Yup, for detectors of wide variety, having a low false alarm rate is a biggie. But, for what detectors do we know false alarm rate? Detectors with also high detection rate? For complicated situations? For zero-day problems?All this is far, far, far too complicated for the security community!!!! Mention Neyman-Pearson and a proof via the Hahn decomposition and the Neyman-Pearson result, and they roll over and curl up like a cockroach on Raid! Mention the connection with the NP-complete knapsack problem, and they dry up as dust and blow away!

    5. markslater

      could not agree more – PWs are the bain of my existence. I’ve resorted to using the first names of employees here followed by a funny adjective. I can look around the room when logging in and remember the PW!there is a blockchain startup in here somewhere…..credential authentication is a transaction….

      1. PhilipSugar

        I never thought of that must be weird.

    6. Doug Kersten

      You need, at a minimum, two of three things to be secure. Something that you know, something that you have, and something that you are. Two-factor authentication uses two of these three things. For example, something you know is your username and password and something you have is your one time password/RSA token. Throwing something that you are (e.g., your fingerprint, iris scan, etc.) into the mix would make it three-factor authentication and the most secure. Any one of the three by themselves is relatively insecure, which is why biometrics by itself is not a good idea from a security perspective.

    7. sigmaalgebra

      See myhttp://avc.com/2014/04/hear…just above.

  10. Tom Labus

    Why aren’t I hearing from my bank about this stuff?

  11. awaldstein

    Lucky us for having this community.Such smarts and good will.Honestly–unfortunately–there just ain’t no others like it.

    1. sigmaalgebra

      Maybe there are other communities like this one, but, if so, then how the heck to find them? Hmm …!

  12. Ryan Laubscher

    I have to agree with @wmoug:disqus when it comes to how we use credentials today to access the systems that are more and more defining the way we work and communicate and store things of importance.That said, in my opinion, passwords are the issue. We need to look past how passwords are used to authenticate a user and find something that replaces this type of system. What it is that should take their place I’m not sure – it is indeed a vexing issue.What I do know is that, for me at least, 1Password is never going to be the answer. The thought of some nefarious group one day finding a way to pick the lock that throws my digital life open to all and sundry is about as unappealing as anything gets.

    1. Ryan Laubscher

      Just to add to that, I use MFA on all systems that are important to me. I am very comfortable with that level of security – for now at least.

    2. Avi Deitcher

      Hmm… we could use PBKDF-style to generate a more complex and unique password per site, but that requires some calculations before submitting. It is doable in the browser, but the browser page is only as secure as what was sent to it.We could use smartphones for that, but once going down that path might as well just to TFA/MFA, like you said below.

      1. Avi Deitcher

        To clarify, I didn’t mean literally PBKDF/2 or anything, just the idea that the password itself generates a more complex (and therefore unique) key.In practice, I now realize, this is how 1Password works when used correctly, as many others pointed out – your password accesses a vault that stores unique and unmemorizable passwords that are, for all intents and purposes, are like unique keys.

      2. Ryan Laubscher

        Yeah, agreed – why go to all that trouble if MFA basically does the same thing.I use the Google Authenticator App across a lot of my systems: all my Gmail accounts and also for my Stripe account. I travel a lot globally and it is the one form of secondary authentication that I find works every single time.

        1. Avi Deitcher

          MFA requires pre-registration / synchronization (although Google Auth makes it easier, and I am sure alternatives are popping up), and Google’s penchant for mining data makes one wonder if they will accidentally weaken their algorithms in doing so.Independent keys, perhaps like S/Key but an automatic process, takes the 3rd party out of the equation.Perhaps some form of challenge-response based on someone’s public key?S: Hi, please enter your login name and sign the following string: “abehgh67!q”C: enter the code in your function generator, sign it by using your password locally, come up with “aaaaasasqwqwqw”S: take your username, get your public key, validate hash signature.Not as inconvenient as 2-factor, not as time-sync-sensitive. Could still work. And you can always invalidate your public key

  13. Mark Forscher

    The single best thing you can do is use a service like 1password to generate unique passwords for every site you join. That way if a random site you joined a year ago is compromised, they just have access to the unique password that was generated for that one site, not the same password you use for your bank for example.You can test the security of servers here https://www.ssllabs.com/ssl…. I’d suggest making a list of the sites you use that you do not want compromised (banks, twitter, facebook, etc.). For each one, check the security of their server. If it is still compromised, do not log in or change your password. If it is secure, use a service like 1password to create a new password for that site. Start with the sites that are most critical to you and then deal with the rest later as you use them.

    1. chrispa

      Mark – the site you listed gives a grade (A, B, C, etc) But there is no delineation of what is ok, and what is not (besides the obvious F) Is ‘B’ ok?

      1. Avi Deitcher

        Chris, I don’t think there is such a thing in the world of infosec as Pass/Fail or Good/Bad. It is all a question of degree.I can give you perfect security… by doing no business at all. That is as much a fail is almost totally insecure.

        1. chrispa

          Oh absolutely – that’s not what I meant. I was specifically talking about the Heartbleed bug. For example this site specifically tests for Heartbleed: filippo.io/Heartbleed/

          1. Avi Deitcher

            Oh, right! Point taken. ๐Ÿ™

          2. Mark Forscher

            The url I posted checks for heartbleed + other vulnerabilities. It’s not the easiest to navigate to the detail view (click the actual url on the screen where you see the letter grade)..

      2. Mark Forscher

        Agreed with @deitcher:disqus . The letter grades correspond to various specific risks that you can view by clicking on the url for more detail. Personally, I’m “ok” with sites that have a B or above rating, but it’s relative to your comfort with the specifics of the risk.

        1. chrispa

          ahhhh – I did not click on the URL for the details. I thought that would run the test again. thanks!

          1. Mark Forscher

            Yea it’s not super intuitive or clear that you have to do that to see the details.

  14. Eric Friedman

    I switched to 1password a few years ago and never looked back. Use this as the catalyst to switch as you will be very happy.By synching to Dropbox I can login to another computer or via phone and still have access to all my passwords if I am without my computer. It’s costly on every platform but I like supporting their company by buying the product.What has been most interesting for me as a consumer is getting the sheer volume of emails from services with different recommendations.

    1. Fernando Gutierrez

      I use Keepass synced with Dropbox to access from my Android phone and I’m also loving it. Open source.

  15. LissIsMore

    I have been using 2-tier authentication where it is offered (Gmail, Evernote, LastPass). That feels pretty secure to me because my password alone will not gain entry to those accounts.

  16. Joshua Cyr

    If you have shared a username/password across more than one account – all sites should be updated. Even if a site wasn’t impacted by heartbleed. You can’t know that the credentials you use haven’t been taken on one of the sites, and it is certain anyone who gets them will use them on all high value targets they can.If your password is different on all sites, than updating those that have been impacted may be enough.

    1. Joshua Cyr

      I suspect we will see high value target organizations (government for example) force changes to passwords, even if their servers were not hit. The reason is they likely can’t guarantee that their employees had different credentials on other services. So the chance is high someone signed up for some service they dont’ care about, but used their .gov email. Someone gets ahold of that user/pass and they may now have access to vpn for gov or important servers / data, etc.

    2. Joshua Cyr

      Another example: How many people using coinbase, blockchain.info, etc. also use yahoo mail and also use the same user/pass across everything? Super easy script to write and one way easy money theft. It may seem overreacting, but I would be forcing changes to everyone’s passwords anyway. No way to be safe otherwise.

  17. leigh

    I was thinking to stick my head in the sand and hope no one cares about me enough to hack my life. Non? Not the correct response? #dammit

  18. samwallace

    Make passwords at least 15 characters long using letters, numbers, symbols and caps.NEVER use the same password on 2 sites. To practically implement the above use LastPass or other quality, well researched password manager. Never log on to anything from a public location without using a VPN. 2 step authentication is vital. Create a grid that allows you use different answers to security questions and make encrypted copies of grid. Never respond to an email link that requires you to enter password or other info to get to anything at any site that involves money or transactions. Consider a ‘clean’ computer for financial transactions. Start today. USe common sense. If available, create unique identity for each group and avoid logging in with Facebook, Google +, etc.Believe it or not, all above is quick, easy, painless and almost free when implemented properly.

    1. Aaron Klein

      Yes, make passwords 15 characters long, especially on sites like americanexpress.com that have a max of eight characters, alphanumeric only. ๐Ÿ˜‰

  19. pointsnfigures

    These hackers don’t surprise me. Especially when I read stuff like this: http://streetwiseprofessor…. Putin making money off Russian hackers getting into Nieman-Marcus…

  20. Liban Mahamed

    The solution is almost here, something along the lines of facial recognition/fingerprint etc. Already in use in mobile phone. The magic is an authentication system based on biometrics instead of the ancient password box. I am sure USV will fund such project soon. I am actually surprised no one has done it yet.About safe guarding passwords, too much worrying may not be helpful. Do your best, be cautious. Still life moves on, you take risks on the streets and online.Life will go on and the band will play on.

  21. pointsnfigures

    Here is the WSJ blogging about it: http://blogs.wsj.com/five-t… I don’t know if it’s behind a paywall, but they say this:”If a service you use was affected by Heartbleed, wait until the company makes the update before changing your password. Not sure if the service is affected? Type in the address in this tool set up by Qualys, a cybersecurity company.If the service wasnโ€™t affected, consider changing your password anyway. Now is a good time to ensure you are using a robust password with numbers, letters ans symbols โ€” and turn on two-factor authentication wherever possible.”

    1. Aaron Klein

      Google has done a great service in rolling out their open two-factor Authenticator app. I use it for all of my Google accounts, Evernote, Dropbox, Stripe, etc.Ultimately, 2FA is the greatest protection. My password could be known by the entire world and they still couldn’t get in. I’m committed to rolling this out on Riskalyze this year to protect our customers.

  22. Avi Deitcher

    I just want to say: AVC has to be the best community on the Web. I have been very very busy with client work for many months, plus my injury (less travel = more time to do the same work to deliver), so just being able to spend a little time and reengage is amazing.

  23. Aaron Klein

    Here’s a bigger problem, if you’re building an enterprise SaaS business. How do you verify identity with your customers in a world of pretexting and hacking into accounts?When are customers allowed to change their email address in an app?When are customers allowed to deactivate and close an account?If a customer is claiming they are locked out and aren’t getting the change password email in their inbox, how far can you go to help them?Is a customer giving you the last four digits of their credit card number sufficient to establish identity? If not, what replaces that?Why do we still use secret questions when they are typically about subjects we write about on our Twitter accounts?There are a lot of security problems to solve.

    1. LE

      Good questions. I think the answers vary with what the SaaS business is doing though and what the downside of an incorrect check would be.Friction with security is good sometimes. We’ve gotten a small bit of flack from almost always the proverbial “tech guy” (PTG) helping the “clueless owner or department manager” who wants to change registrar by requiring a fair amount of hoops that they have to go through to get an authorization code. One of those hoops (and not the only one by any means) is requiring a credit card and payment to get the code (something that is absolutely literally unheard of in our business). We’ve found a fair amount of times that the person who is affected actually doesn’t even know what the PTG is doing on their behalf. And having to provide payment stops both parties in their tracks at that point. Because when money is involved people stop and take a bit more time to read the email that you send them.If I had to summarize the best way to handle some of the outlier situations that you are asking about I would say that it is to have any outlier situations handled by someone with a larger brain that is higher up in the chain. And build that cost (if any) into either the product upfront or charge for it at the point of delivery.You are in no way going to be able to have a procedure that can’t be gamed by someone who has inside knowledge of course. Which is one reason why we never publish exactly what we need to do a particular action. It’s kind of literally “we know it when we see it” type thing.

      1. Aaron Klein

        Can’t disagree with that. We do have to define and publish our policy internally though…and the most important part of it is…”better to temporarily inconvenience a customer if something smells fishy to you, than to let someone’s account get exploited.”

        1. LE

          Don’t forget to penetration test (if you want to call it that) your procedure to identify any flaws. [1]You might also want to give some of your people training in social engineering so they at least have a clue as to what people are capable of doing. (This of course comes with it’s own risks for sure.)[1] Or maybe not.

  24. Shaun Dakin

    I’ve been told that 2 factor authentication doesn’t impact this in that the security breach collects everything via https://.. I use it of course, but in this case we are talking about encrypted data that is no longer so. Can anyone responded to the 2 factor issue in this case?

    1. Avi Deitcher

      2 factor changes by definition each time. The bigger issue is not only that they might have your password and can get into your accounts – hence changing login credentials – but that they might actually have peeked into your secure sessions.

      1. Girish Mehta

        “2 factor changes by definition each time” – could you pls confirm if you are referring to challenge-response ? Thanks.

        1. Avi Deitcher

          Poorly worded on my part.I should have said, “2FA that we were discussing, primarily Google’s Authenticator and its precursors in Security Dynamics (then RSA), change by time (only valid for 30 seconds) and are only usable once.”

          1. Girish Mehta

            Ah..got it, Thanks ! I was trying to make sure I interpreted correctly (my understanding is dated – going back in time to another century & another life when I did a little marketing around this stuff :-)). 2FA refers to any 2 out of the 3 – ‘what you know’, ‘what you have’ and ‘who you are’. I believe most 2FA systems also implement challenge-response protocol, but was curious if that was you were referring to.Just did a search and this was the first result -http://en.wikipedia.org/wik…”However, strong authentication is not necessarily multifactor authentication. Soliciting multiple answers to challenge questions may be considered strong authentication but, unless the process also retrieves ‘something you have’ or ‘something you are’, it would not be considered multi-factor authentication. The FFIEC issued supplemental guidance on this subject in August 2006, in which they clarified, “By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category … would not constitute multifactor authentication.”[1]Another commonly found class of definitions relates to a cryptographic process, or more precisely authentication based on a challenge response protocol. This type of definition is found in the Handbook of applied cryptography.[2] This type of definition does not necessarily relate to two-factor authentication, since the secret key used in a challenge-response authentication scheme can be simply derived from a password (one factor).”

  25. scottythebody

    Passwords are almost dead, but not quite. For sure you should be using unique passwords per service now. Use 1Password or something like it if you’re comfortable with the “keys to the kingdom” being in one place. For highly sensitive passwords that you might only need occasionaly, consider storing them in a truecrypt volume somewhere safe.If you’re comfortble with it, you should do OAUTH type setups (log in with Twitter, log in with Facebook, log in with Google+). When possible, use a second factor. It’s a bit of a hassle, but I set up Google Authenticator for Facebook, Gmail, my home Synology and a few other services.I also set up application passwords (since client applications like Mail.app, Mailbox.app, etc. can’t do 2-factor). This is the biggest hassle, but it’s a nice work-around and you can manage them really well from the Google accounts page.

    1. Avi Deitcher

      Not quite dead yet…. (forgive me, I had to)https://www.youtube.com/wat…

      1. scottythebody

        brilliant!

  26. Neeraj Gupta

    LastPass (of which I’ve been a happy customer for years) will scour your logins for those vulnerable sites (e.g. Yahoo) and, more importantly, the subset of those have since reissued SSL certs. As I understand it, if that’s not done then changing your password may be less useful. Thus they alert you to those sites on which you should act now versus those on which you should wait.

  27. Anson Kao

    Remember guys that any hacker worth his salt would be most interested in 2 things – bank account access, and e-mail account access.You don’t actually have to worry about the former since most banks use something other than OpenSSL. That is, unless you’re a dummy and have been using the same password elsewhere!You do want to think carefully about the latter – what is the hacker able to do with access to your e-mail account? For 90% of e-mail accounts, all a hacker would gain is the possibility to use the victims’ saved credit cards on Amazon via password reset. Is it really that big of a risk since you can just refund it? Why are we all so caught up with Heartbleed… Maybe our egos are inflated.

    1. kidmercury

      people have a lot of stuff in their email. full blown identity theft for a sizable portion of wealthy people would be possible for sufficiently skilled and dedicated thieves.

      1. Anson Kao

        Agreed. The 10% that have substantial wealth attached to their identity cannot be complacent.

      2. LE

        full blown identity theftAccess to someone’s email also makes it much easier to social engineer them on an individual level to get at even more information.

  28. Kate Huyett

    LastPass runs a scan for you and makes recommendations on what to change based on the sites that were impacted: http://blog.lastpass.com/20

  29. jason wright

    as an xp user this week has already been one for thinking about my security over the web. fingers crossed the only issue i’ve ever faced was a Russian hacking my twitter account a couple of months ago. couldn’t see the point of it. a waste of creative energy. is the dark side where people think the fun is to be had? i don’t get it.

  30. FlavioGomes

    And to remove that peace of mind, there’s not really much you can do to protect yourself, except stay offline for a while. The vulnerability has to be patched by the owner of the web server. In fact, if you go and log in to a compromised server, youโ€™d actually be revealing your password to the exploiter. As tweeted by a friend of mine: That moment when you want to change your password, but you really, really shouldnโ€™t.

  31. chirisdex

    I have 6-10 or so records that I actually proper worry about. E-mail, Financial, Tweets, FB, etc. I have probably 1,000+ records that if they were compromised, I would probably not even take plenty of time to fix, I would just be slightly entertained.Incinerador de Grasa

  32. Matt Zagaja

    I’m a big fan and user of 1Password. I will probably cycle my passwords at the major services I use this weekend. If people want to hack my ESPN bracket now, I’ll live.

  33. Offbeatmammal

    First of all… don’t change a password until you know the site has fixed the problem…. otherwise the new one just leaks. Log out and stay logged out until the problem gets fixed on a site by site basis.In general never reusing a password is a good idea – I’m a fan of LastPass to generate and manage those, but there are other solutions. Sadly my bank (for instance) with it’s floating keyboard PIN and picking random letters from a password actually makes this less secure (and as they appear not to be running IIS in this instance I’m taking their continued silence as bad news)!Realistically you need to prioritize accounts – where will you lose $, where will you lose professional credibility, where will you lose important memories … and then on to the trivial.

  34. Kirsten Lambertsen

    This might be a little low-tech or old news for some here, but I recently learned that my passwords were pretty weak (and I thought they were great).This little post is a great tutorial on creating a nearly-impossible-to-crack password:http://xkcd.com/936/

  35. markslater

    Can someone out there who is bleeding on jetblue site please tell me my PW – i have so fucking many i cant remember them. thanks. Also. Dont take my miles.

  36. Farhan Lalji

    Wondering what the AVC community thinks about the other side of the equation? If you’re a web service how should you go about communicating this to your users. Find it interesting that I haven’t gotten an email from Goog / Y! etc around changing my password, but lots of smaller co’s have emailed, trying to make me remember I signed up for them some time in the past perhaps?

  37. Doug Kersten

    I am not sure if this was said already but this vulnerability impacts more then usernames and passwords. ANY data that was transmitted over the secure connections could have been compromised. This takes thinking about it to a whole new level. What do you do if someone has all the details of your bank accounts, your health information, your investments, etc.? Something like Lifelock has become a must for the credit side of things but what about the rest? Insurance requirements are definitely an area where I think we will see an impact. For example, insurance companies are already starting to require companies to hire/designate someone responsible for information security and are beginning to expect full-blown information security programs before they will insure against cyber threats.It is good for the information security field since I expect great expansion in this area in the next 10 years. Fireye and and the other security companies you have seen in the news lately are just the bottom of the iceberg (do icebergs grow from the top down or the bottom up? hah). Tools for creating security programs and assessing security risk are pretty lousy right now… Something to think about for a new business…

    1. LE

      What do you do if someone has all the details of your bank accounts, your health information, your investments, etc.?By “details of” do you mean password access to the account whereby they can initiate transfers? Or do you mean “knowledge of the information”?starting to require companies to hire/designate someone responsible for information security and are beginning to expect full-blown information security programs before they will insure against cyber threats.They don’t know exactly what the risk is so they can’t properly insure against it. Obviously if they view their exposure as being great they either have to spread that risk by reinsuring and/or do their own audits. After all since you are in the business you are aware that trained professionals screw up every day. And those checklists in any case end up being way to onerous to implement in the course of every day business. So the insurance company has to simply weigh the expected claims payout with the cost of a higher degree of scrutiny and if infact it will actually have an impact on that.

      1. Doug Kersten

        The HeartBleed vulnerability allows all kinds of data to be retrieved. It is not limited to a username and password or certificate/key information only.There are a lot of ways to determine and mitigate risks and insurance companies are very good at it or they go out of business. Requiring someone to be responsible for information security at a company is a proven way to help mitigate security risks. Of course you can never get rid of all risk, and I never meant to imply you could, but you can plan for and mitigate it.Saying that information security is a bunch of checklists and onerous to implement is a bit disingenuous and shows a lack of knowledge about information security as a practice. Perhaps you have been the victim of badly practiced Infosec? Good Infosec is almost transparent. In fact, good Infosec usually means following good operational procedures. Think of it in terms of a car. In the old days there were no seat belts, airbags, anti-lock brakes, etc. You would just jump into a car and drive. However, you were taking on a significant risk every time you did. Seat belts, head rests, airbags, anti-lock brakes, etc. came along to mitigate the associated risks. When seat belts became mandatory a lot of people thought it was onerous and didn’t want to do it. The car companies didn’t want to do it either. Now those same people get into a car and buckle up without thinking about it and car companies wouldn’t think of building a car without them. It is virtually transparent to them.My point is that the risks associated with information security has gotten so high that the insurance companies can no longer ignore it and are taking steps to mitigate the risks. Startups can no longer ignore it either. They are implementing SSL, two-factor authentication, encrypting data and passwords, controlling access to their servers in a more restrictive way and much more. Often, however, you will see companies compromised because of basic mistakes in how they implement security. People tend to think it is ‘simple’ and just a matter of salting hashed passwords. It is usually only when something bad happens that they realize they have been going about it the wrong way and then tend to get serious about it. Startups spend so much time on development, marketing, customer satisfaction, etc. that they usually skimp on the Infosec side (which can make sense when the company is very young). But we are at an inflection point where that has to change. It doesn’t have to be expensive or onerous to implement good security practices but if you get it wrong it could spell the end for your business.

  38. LE

    Meanwhile credit card statements with full account numbers come by postal mail (you don’t need expiration dates or cvv codes for all transactions) as well as new credit cards are shipped that way. Then there are those imprinted checks that come with every single postal credit card statement which I end up having to shred along with credit card solicitations with my name on them which I also have to shred. [1][1] Yes I know I can opt out somehow and/or get statements online with no postal if I want.

  39. LE

    Have to say also that there is an entire suite of risk you take on in your life as a result of being a very public person who many people know about along with a degree of fame as well. As a result your risk profile is way higher than the average unknown person. Or even any of your partners. This pretty much dwarfs any risk in my mind (not that it should be ignored of course) that is presented by the heartbleed issue. Obviously you have gained by being public for sure. But it does come with risk.

  40. LE

    Question for any people who use Mac Osx.How many people have FileVault turned? [1]How many people have or use encrypted images (you use disk utility to create these) on the mac to further secure any super valuable information (especially if you are laptop based but even on an office pc which of course can be stolen quite easily)? [2]Do you know where your laptop is at all times? Do you leave it in your car sometimes?How many people have another trusted person who has your master password to all your passwords (for whatever you use) so if you become incapacitated (say some memory loss) you or they can get at your info? In other words not assuming death but less than that where you simply forget some but not all things? Short or long term.[1] http://support.apple.com/kb…[2] http://support.apple.com/kb

  41. Alex Calic

    This newly-launched browser plugin for Chrome is a nice way to find out if the sites you visit most have been affected. – http://bgr.com/2014/04/10/h

  42. Eric M. Seitz

    I took this as an opportunity to do some house cleaning. I spent the better part of yesterday morning thinking through what sites and web services do I actually use and benefit from, often. I ended up with six. For these accounts I changed the passwords. My guess is that this exercise was probably not necessary, on some of these sites, but I did it anyways.Now I have these highly useful sites to focus on during my day to day routine. About a dozen others, that I thought I was using regularly, have been worked out of my standard practices. I’m hoping this may have killed an enormous time suck. If nothing else, it is already helping me maintain more focus, when in front of the screen.

  43. Haz

    It’s crucial to never share passwords among multiple sites, and to use different account names on every site you use. If you reuse passwords and account names it becomes very easy to turn one compromised account into dozens.

  44. Stanislas Marion

    The biggest problem in all of this is people’s understanding of computer security, or as I like to call it, virtual security. People have no clue of what’s going on under the hood and where threats come from. People are using their mental models of physical security and applying them to virtual reality. It just doesn’t work that way. A padlock on a webpage doesn’t mean shit but people still trust it. See Bitcoin Core dev Mike Hearn’s post about this: https://medium.com/bitcoin-…So I guess the answer is: educate yourself.

  45. Nate

    Givens:1) You can never ever reuse passwords between services.2) Protect your lynchpin accounts (email, iCloud, Dropbox, things like that) with two factor auth.3) All passwords (except your one password manager master password) need to be impossible to remember, i.e. super long and random.This means:1) You have to use 1Password or similar to manage passwords.2) Your 1Password database needs to survive and stay secure when one or all of your devices is lost or stolen. Example: my 1Password database is encrypted with my master password and synced to all my devices with Dropbox.3) It’s a good idea to keep a printout or USB stick of your master password and two factor auth recovery keys kept in a safe somewhere. Also: add a trusted relative’s phone number to accounts using two factor auth for SMS recovery as a backstop. You don’t want to lose all your devices and then not be able to sign into Dropbox on a new device to recover your encrypted 1Password database.

  46. HFU

    Two-factor, and having the user only reply yes/no to a simple prompt on the phone, is the way to go in my opinion. Two-factor because it is a way better solution than simple passwords, in every way. And not requiring the user to copy a random number/string every time they log on, makes the log on process less tedious (which is an issue with many two-factor solutions).

  47. ShanaC

    Cofounder: Oh yes, we’re up to date involving heartbleedMe: Ok.:) (You asked what I did)No i’m not changing my passwords. It is unlikely someone is spying on me right now. I’m generally careful, and I change when I get warnings to change.Plus I use lastpass, which tells me when heartbeat affects me.So outside of above, no much

  48. LE

    There are a ton of super smart and technical folks who read this blog.Ironically nearly all of the security breaches we have had (I can also throw in the design of email in a way so as to allow spam for that matter) are as a result of “super smart” and/or “technical folks” making mistakes, working quickly, and/or not anticipating certain potential outcomes. In addition to that even under the best of circumstances people differ in how they see the same problem as even being a problem or worth preventing in the first place.I’d worry more about what you can do something about (I happen to think that anyone who drives around Manhattan on a bike or on a scooter is taking on way to much risk. That is if they can afford to do otherwise. It’s simply not worth the potential downside.)

  49. Donna Brewington White

    Thanks for raising this question, Fred.The AVC comments are one of the best places to gain more insight in situations like this. Are you going to do a follow-up post on what you decided to do?

  50. Blake Modersitzki

    Do we still live in a world of post-it Notes with our passwords written on them? Hearbleed has shined a light on the age-old issue of password management. Iโ€™ve seen apps and solutions that claim to provide password management or a secure digital wallet, but they donโ€™t seem to be widely used. Why is that? Ease of use? I would think that those readingthis blog know exactly what needs to happen, but what about the masses who donot live in the tech world but still need the security of protection against things like Hearbleed. The problem with password management may be a human issue and not a technical issue….

  51. Barry Graubart

    I adopted 1password about six months ago, but hadn’t gone back to change all of the passwords for the various services that I use. At the time, I did change passwords on the high security sites (those with access to cc or financial data).Right now, as sites notify me that they have patched their systems, I am creating new passwords, and they are being logged to 1password.For now, at least, I’m ignoring the low-value accounts where someone getting my ID could not access any personal details nor could they post as me. In particular, I’m not worrying about services I’ve not used in a few years.Lastpass has added an indicator of whether a system has been patched. I reached out to 1password, who said they were looking at this, but have not yet done so. I still prefer 1password to lastpass, but it would be nice if they would match this capability.

  52. Ron Williams

    Companies will be loath to tell users to change passwords. Given it’s been a giant hole for two years and it’s reported at least the NSA has been using it, a password change (and SSL certificate update of your own web sites) is a very good idea. Also note the attack can be pointed at your personal devices so they likely will need a patch to (at least some applications on them). There are interesting things in how the bug was reported that also indicate key players like Google and CloudFlare are being cagey on how active hackers and governments have been with this bug. Care is warranted.

  53. Avi Deitcher

    Good point about 2-factor. As soon as heartbleed broke, I checked gmail.com and google.com, saw they weren’t vulnerable… but I use 2-factor there. I needn’t have worried.

  54. Anne Libby

    Paul, I also think about all of the acquired/acquihired startups I’ve signed up for, some services that are now shut down. Where did my login credentials go?

  55. fredwilson

    That’s pretty much my approach

  56. Susan Rubinsky

    I used to do the same thing until the Adobe and Target breaches last year when many providers started forcing me to change my password. Now it’s all a giant mess. I don’t have a good solution.

  57. Stanislas Marion

    Yeah keep doing that until someone hacks a bunch of your accounts then gets access to a lot more data through social engineering, eventually breaking all security barriers to gain access to your important accounts that you think are protected through special characters and 2FA.It’s really super easy to just use 1Password or Lastpass and generate a new password everytime you sign up for a new service. It takes 3 fucking clicks. Not using such an app is just plain foolish laziness.

  58. Aaron Klein

    See, that’s just lazy. ThisInternetThingIsGoingToBeBig! is far more secure.

  59. Miles Skorpen

    1Password doesn’t store your passwords in the cloud (unless you choose to put them in Dropbox), and isn’t a SASS application, so a lot of the breaches you’ve seen as late don’t apply to them. LastPass, a 1P competitor, is SASS which certainly can be a bit convenient … but also does make them more vulnerable to this kind of thing.

  60. Avi Deitcher

    Remember those LifeLock ads? We could have InternetLock ads:”My name is Charlie Crystle, my password is ThisInternetThingIsGoingToBeBig, and I feel safe telling you that!”

  61. Aaron Klein

    I’d still never do that, but 2FA makes me feel that safe.

  62. Avi Deitcher

    I think I would still prefer hashing. But I am not the super expert on this.

  63. Aaron Klein

    Hashing a password doesn’t stop it from being stolen.2FA creates an ever changing variable, which is easy to reset, that would require the thief to steal both the password in your head AND the phone in your pocket. (Which, by the way, has its own pass code lock and auto-wipe after some bad tries.)Ultimately, my goal is to be such a hardened target that hackers go somewhere else.

  64. Avi Deitcher

    I think you missed my point. Of course, all passwords should be salted and strongly hashed when stored.I meant what I had above, a hashing/digital signing type, where I prove my identity by signing some random string of characters which is validated by my public certificate, available in lots of places.With this method, there is no compromisable 3rd-party master TFA server, no time-based expiry, no worry that if my device is stolen I need to invalidate all my tokens, etc.More importantly, there is no password at all stored (hashed or otherwise) on the service provider’s infrastructure. There is a stateless validation of my identity, good for only this one time.That may be the weakness. If you intercepted both the signature and the cleartext, you could prove you are me elsewhere. Which means time-based. Which goes back to physical/virtual keyfobs and TFA.Not quite there yet…

  65. Aaron Klein

    I’ve always thought it would be funny to try to log into a service with a username of “username” and a password of “password” — “that’s what they told me to type in those boxes!”

  66. Stanislas Marion

    But why wouldn’t you? It’s quick and easy. What kind of 2FA do you use? Have you kept a copy of the private keys/QR codes? If not and if you use Google Authenticator, then you will be locked out of your accounts in the event you lose or break your phones. Which means there is a way for you to recover them despite not being able to produce the 2FA code. Which means 2FA doesn’t protect you 100%, or if it does, then you better not lose your phone or have stored all the private keys, which once again will require something like 1Password.

  67. ShanaC

    into the empty wild?

  68. sigmaalgebra

    Into the bit bucket.

  69. LE

    To me storing this type of data in someone else’s repository of similar data (aka “juicy target”) is a non starter.

  70. Miles Skorpen

    Totally agree โ€” which is a strong argument for 1Password over LastPass.

  71. sigmaalgebra

    In just a few keystrokes, I confirmed that in total over the past 8 years I’ve used fewer than 72 passwords. I know what all those passwords are, and from how I generate passwords, likely they are all different. I have no problems managing passwords, e-mail addresses, phone numbers, e-mail traffic, etc.The main key is use of a good text editor. So, for part of such things, I have a simple flat ASCII file FACTS.DAT. I use a little command line script to start my favorite text editor on that file — the script brings the current instance to the top of the screen Z order or starts a new instance. The file consists of little dated entries, each with a list of keywords. A little editor macro lets me find entries by using the keywords.All my user IDs and passwords are in that file. For a new user ID or password, I just make another entry in the file, using a macro that slaps a time-date stamp on the entry.To find that number 72, I just had my editor search the whole file for the string ‘PW:’.Far and away my most heavily used programs are my favorite text editor and my favorite Web browser. If I had to do without one of those two, it would be the Web browser. Why? I have a little command line script to get the file of a URL and a little editor macro to extract the text. So, without a Web browser, I could still use the Web!Ode to a good text editor!

  72. sigmaalgebra

    Of course the UIs are absurd, but it’s not nice to pick on them because it will insult the idiots who create them!!!! Else they’d be on welfare!

  73. Fernando Gutierrez

    Fully agree. We all use a lot services that maybe important to us but that have a very limited interest for third parties, so I don’t see why they would bother. Aside from email accounts, banks/exchanges and a few paid services that have my cc info, I don’t see many more I’m really worried. They are a lot, but it’s not that hard to have those passwords changed every few months (not only when security bugs are discovered, change them frequently!!!)

  74. Anne Libby

    I hope they’re gone, gone…Had a bad experience a couple of years back with the shutdown of a startup I had provided publlc profile/content to. Everything on the site hung out there for a while, gathering digital graffiti — some of it pretty ugly, and due to the nature of the site, being dumped in my email inbox — until someone finally took the site down.Someone recently asked me to participate in a similar way in her new startup, I explained the situation told her that I could only do it if it was easy to take down my profile. Unfortunately, that was a no-go.Until this, hadn’t wondered about the fate of my login credentials…