The tech world is abuzz with news this week about Heartbleed, a critical programming flaw in OpenSSL, an open source implementation of the SSL/TLS encryption protocol. This flaw had gone undetected for the past two years and might have allowed leaks of data from a server's memory, which could include SSL site keys, usernames and passwords, and even personal user data such as email, instant messages, and files.
You've probably received multiple notices from sites to change your password. These notices are being sent out of an abundance of caution: while there's no proof that anyone exploited this bug, its severity warranted recommending a password change for just about every online account.
Now that password security is in the spotlight, let's review two things you can do to significantly reduce your chances of having an account compromised.
Use A Password Manager
If you've been sharing passwords across multiple accounts, then this Heartbleed bug is your signal to stop. Make use of a quality password manager such as LastPass ($12/yr), which will generate a random password for every site and integrate with your browser so that you don't need to repeatedly enter the password on each visit. PC Magazine has a review of the top password managers here.
Use Two Factor Authentication on Every Service That Offers It
The concept behind two-factor (two-step) authentication is that you enter both a password (something you know) as well as a code generated on a separate device (something you have). It's a similar process to using a bank's ATM, where you have to present both a card (something you have) and a PIN (something you know).
Two-step verification (also known as two-factor authentication, abbreviated TFA) is a process involving two stages to verify the identity of an entity trying to access services on a computer or network. It is a special case of multi-factor authentication, and it might involve only one of the three authentication factors (a knowledge factor, a possession factor, and an inherence factor) for both steps. If each step involves a different authentication factor, then the two-step authentication is additionally two-factor authentication.
In practice, two-factor is often done by sending your phone a text message during the login process. In place of a text message, some services allow you to use a software tool such as Google Authenticator (shown above), which generates the code on your phone and bypasses the need for an SMS.
With two-factor enabled, the process to access your account includes just one more step. First, log in normally with your regular password. As a second security step, enter a one-time code that the site sends you, which usually arrives as a text message. Users of Google Authenticator (or similar) obtain that one-time code from the application, which generates it automatically.
Using this method, if a hacker were to obtain your password, they would not be able to log in to your account without also having the second factor, which is usually a text message sent to your phone.