Tuesday, April 15, 2014

Should you change all your passwords due to HeartBleed? I say no!

A huge number of companies and experts are saying 'change all your passwords' or 'change ours'.

Here's my take on it. I say don't blindly change your password on all sites:

A. Change your passwords on individual sites when all four of the following are true:
  • you used password-protected areas of the site between April 1, 2014 and the date the site announced it had patched the bug (or someone logged in using your account)
AND
  • the site reports it was vulnerable or was reported by others as vulnerable. See here for the status of some sites; consider a site vulnerable if you can't find out any information about its vulnerability and are worried because it contains sensitive data.
AND
  • the site contains information that could cause harm if it was exploited, or your password is similar to a password on another site that you would care about.
AND
  • the site does not use two-factor authentication (e.g. sending you a text containing a one time special code when you log in) or similar backup security mechanisms.

B. Also, change your passwords on other sites where:
  • you use the same or similar password to those you had to change in item A (but now try to make the passwords reasonably strong and different -- see my guidelines below).
OR
  • the site stores particularly risky information and recommends a change. This would apply to banks and taxation agencies that were affected, perhaps even if you haven't logged on for a longer time. Note that most banks report they were not affected. 

So I guess most people might end up changing 20% of their key passwords based on the above, but certainly not all of them. Why do I not say 'change all your passwords' to be safe? It is because there is significant risk in doing so, and this is a classic 'let's overdo it' panic situation:

1. Some sites are just not affected. Many important sites like most banks, Apple, and Microsoft are just not vulnerable. Other sites have secondary mechanisms in place and have determined that users are safe.

2. There may be residual sites that still have the vulnerability; if you use one of these with your new password(s), then you are compromised when you weren't before.

3. The HeartBleed bug works by looking at transmitted data, or data nearby where transmitted data is stored; if you (or someone you know) have not logged on to a vulnerable site, and your computer has not automatically logged you on, it is highly unlikely that any data accessible to the bug contained your password.

4. The password reset process itself has risks: many people actually don't know many of their passwords, and rely on a tool to remember them, or have remained logged on essentially forever. In such cases, sites typically send a reset link; if a hacker truly wants to get you they may have ways to intercept that link, or generate fake links anticipating that people are in the middle of resetting their password. Some sites even send the original password back to you unencrypted, which is dreadful.

5. Many people now have hundreds of accounts, and several dozen they use regularly. It is essentially impossible to change all passwords and remember them all, so likely you will end up resetting passwords again in the future, or be forced to write them down or use an easily-guessed pattern. These add extra risk.

For unaffected and low-impact sites (i.e. ones not dealing in financial and personal data) the risk of an attack on you is very small. In my opinion, the risk created by everyone changing their passwords (items 2, 4 and 5 above), set against the low probability of compromise in most cases (items 1 and 3 above), outweighs the benefits of the blanket 'change all of them' advice.

For ongoing security with passwords, here's what to do as a consumer:
  • Use passwords that are at least 6 characters and are not just letters or numbers; use special characters in passwords if the site allows.
  • For financial institutions, governments and other agencies processing sensitive information use completely distinct passwords from all others.
  • For other sites, make sure there are several characters of difference even if you follow a password pattern.
  • Only change your password based on my guidance at the top of this email, or if you think someone may have a way to guess your password, or has a specific reason to want to hack you.
  • Never click on a link that says to change a password unless you have requested such a link in the last few minutes. In other circumstances, go to the website by typing the URL or using a bookmark you have used before.
Here's what to do as a site administrator or programmer:
  • Allow passwords to have any combination of letters, numbers and special characters and be of very long length. Don't restrict password content other than for minimal length, or requiring at least two of the above types of characters. So many people run into sites that have complicated rules (short password, no special characters, etc.) that they have to make up a password they will inevitably forget.
  • Implement two-factor authentication if there is a high risk of compromised information.
  • If your site holds risky information such as substantial personal or financial data, implement some other forms of extra security, such as challenge questions when a computer at a different IP address range is used, and gradually slowing down the response as more and more password attempts are entered.
  • Don't block people from using password managers without good cause. Password managers likely result in a net increase of security. 
  • Put in place a robust reset process that uses multiple factors. Force people to phone if some of the factors are not present. Factors might include emailing their stored email address first, without a reset link initially, and verifying some other known personal information first.
  • Allow people to save multiple email addresses, so if people change service provider you still have a way to contact them to verify identity.
  • After a password is changed, email people at their email addresses of record, to alert them that the password has been changed.
  • Never put a link to any password-protected website in any email you send to people; the only exception might be a link sent in a reset operation that follows the above guidelines, is sent instantly on request, and is only valid for a very short time.
  • Always think about usability as well as security; low usability of a security setup will force people to use simple passwords, write them down, or abandon your site.
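One way a site could implement the reset-link and slow-down guidance above, as an added example that is not the author's or any site's own code: reset tokens are random, stored only as a hash, valid for a short window and usable once; the login delay grows with consecutive failed attempts. The in-memory store, the 10-minute window and the 30-second cap are assumptions.

```python
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 10 * 60   # assumed "very short" validity window for a reset link
MAX_DELAY_SECONDS = 30.0      # assumed cap on the slow-down per failed attempt


class ResetTokenService:
    """Short-lived, single-use reset tokens plus a growing delay on failed logins.

    A real site would back this with a database; the dicts here are a stand-in.
    The clock is injectable so expiry can be exercised in tests.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self._tokens = {}    # sha256(token) -> (account, expiry time)
        self._failures = {}  # account -> consecutive failed password attempts

    def issue(self, account):
        # Issued only on request; the caller emails it to the address of record.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Store the hash, not the token, so a leaked table yields no live links.
        self._tokens[digest] = (account, self.clock() + RESET_TTL_SECONDS)
        return token

    def redeem(self, token):
        """Return the account for a valid token, or None. Each token works once."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._tokens.pop(digest, None)   # pop makes the token single-use
        if entry is None:
            return None
        account, expiry = entry
        if self.clock() > expiry:
            return None   # expired links are rejected (and already discarded)
        return account

    def login_delay(self, account):
        """Seconds to wait before answering the next login attempt for this account."""
        n = self._failures.get(account, 0)
        return 0.0 if n == 0 else min(MAX_DELAY_SECONDS, 2.0 ** (n - 1))

    def record_login(self, account, ok):
        if ok:
            self._failures.pop(account, None)   # a correct password resets the delay
        else:
            self._failures[account] = self._failures.get(account, 0) + 1
```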
Some other sites of interest include this and this. My opinion above contradicts these sites to some extent.
