Monday, April 28, 2014

Security: HeartBleed aftermath

Well, it was fun, wasn’t it?  The panic, the flying rumors, the denials.  “Massive vulnerability” in a protocol we use EVERYWHERE.  What is an ordinary person supposed to think when told your passwords could have been compromised?

As I've said before, this is the way of the world and you just have to plan to do your part to keep the bad guys at bay.  In my mind changing passwords should be easy.  It IS easy, if you have set up a data base.  See my prior post about how to create good passwords and manage them: http://lifecommaspiceof.blogspot.com/2014/02/security-password-basics.html
So, when word comes that a password might be compromised, you do the following:

  1. Log in to your password db and find the site/account’s record.
  2. Open your browser and log in to the site/account in question.
  3. Navigate to your account preferences or find the change-password link.
  4. Enter your old password (assuming you’re using your data base, this is a copy/paste operation from the db).
  5. As a short-term safeguard, copy your old password into the notes field of the record.
  6. Tell the db to generate a new password. In KeePass 2, there’s a button for this at the end of the password-repeat line. I randomly choose one of the generation algorithm options that button gives me, on the grounds that almost anything it generates is going to be reasonably secure. For high-stakes accounts like my bank account, I use the highest hex key. Sometimes I look at the password and add symbols to the numbers and letters, but I admit that probably isn’t really necessary most of the time.
  7. Save the db record, then copy/paste the new password into the password and repeat-password fields in the account. Save changes.
  8. Log out of the account and log back in.
  9. Assuming the password change worked, open the db record again and erase the old password from the notes field.
  10. Save the new version of the db.

(Image: KeePass 2 entry with the Generate Password button circled)

All this actually takes a lot less time than it took to write up the steps.  Of course, that’s for one account.  If you have lots of accounts you need to change, the time it takes multiplies.  Do it anyway.  It would take a LOT more time to repair the damage if your passwords have been compromised anywhere.

Which accounts do you need to fix?  CNET has a list here, which they keep updating:
http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/
The list is not in alphabetical order but that’s only a minor inconvenience.  You need to scan the whole list anyway; it might trigger action on an account you haven’t thought about in a while.  

I had to create and memorize a new mail password by hand.  That always takes a few minutes of concentration and a few days until I have it fully memorized and in my fingers.  Still worth it.  And now done.  

One thought worth repeating from my prior Security post: whatever you do, use a different password for every account.  You can’t control when vulnerabilities will happen.  But you CAN control the extent of potential damage done to you.  Use a data base, which will generate a different password for every account.  
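Two things in this post are worth seeing in code: why "almost anything the generator produces is reasonably secure" (step 6), and why one different password per account limits the damage. The script below is an added example of mine, not part of the original post and not KeePass's own generator; it models a vault as a plain dictionary, builds passwords with Python's `secrets` module, estimates their entropy as length × log2(alphabet size), and audits the vault for reused passwords, rotating them the way steps 5 to 9 describe. The account names and the shared "Spring2014!" password are constructed sample data.

```python
import math
import secrets
import string
from collections import defaultdict

# Alphabets for the character-class style of generation.
LETTERS_DIGITS = string.ascii_letters + string.digits     # 62 characters
WITH_SYMBOLS = LETTERS_DIGITS + string.punctuation        # 62 + 32 = 94 characters


def hex_key(bits):
    """Random hex string carrying `bits` of entropy (the shape of an N-bit hex key)."""
    if bits <= 0 or bits % 8:
        raise ValueError("bits must be a positive multiple of 8")
    return secrets.token_hex(bits // 8)      # two hex digits per byte


def charset_password(length, alphabet=LETTERS_DIGITS):
    """Uniformly random password of `length` characters drawn from `alphabet`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def hex_key_entropy(password):
    """A hex key carries exactly 4 bits per hex digit."""
    return 4 * len(password)


def find_reused(vault):
    """Return {password: [account names]} for every password shared by 2+ accounts."""
    accounts_by_password = defaultdict(list)
    for name, entry in vault.items():
        accounts_by_password[entry["password"]].append(name)
    return {pw: names for pw, names in accounts_by_password.items() if len(names) > 1}


def begin_rotation(entry, new_password):
    """Steps 5-7 of the post: park the old password in notes, store the new one."""
    entry["notes"] = "old password: " + entry["password"]
    entry["password"] = new_password
    return entry


def finish_rotation(entry):
    """Step 9: the site accepted the change, so erase the old password from notes."""
    entry["notes"] = ""
    return entry


def rotate_reused(vault, generate=lambda: charset_password(20)):
    """Give every account that shares a password its own fresh one; return the names rotated."""
    rotated = []
    for names in find_reused(vault).values():
        for name in names:
            begin_rotation(vault[name], generate())
            finish_rotation(vault[name])   # in real life: only after the re-login in step 8 succeeds
            rotated.append(name)
    return sorted(rotated)


def sample_vault():
    """Constructed sample vault (no real accounts); two entries share one password."""
    return {
        "example-mail": {"password": "Spring2014!", "notes": ""},
        "example-shop": {"password": "Spring2014!", "notes": ""},
        "example-bank": {"password": "0123456789abcdef" * 4, "notes": ""},  # constructed 256-bit hex key
    }


if __name__ == "__main__":
    for label, bits in (("20 letters+digits", entropy_bits(20, 62)),
                        ("20 with symbols", entropy_bits(20, 94)),
                        ("256-bit hex key", hex_key_entropy(hex_key(256)))):
        print(f"{label:>20}: {bits:6.1f} bits")
    vault = sample_vault()
    print("reused before:", find_reused(vault))
    print("rotated:", rotate_reused(vault))
    print("reused after:", find_reused(vault))
```

The entropy numbers back up the admission in step 6: adding the 32 punctuation characters to a 20-character password buys about 12 extra bits (roughly 119 versus 131), while a 256-bit hex key is far beyond either. Length from a good random source matters more than hand-added symbols. The audit is the other half of the argument: once every account has its own generated password, a leak at one site gives an attacker nothing to reuse elsewhere, which is exactly the damage limit the post is talking about.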

You are responsible for your own data.  Do what you need to do.
