The HeartBleed SSL vulnerability has been at the forefront of tech news for the past couple of days now. This new vulnerability has shaken my personal password policy and management to its core. I knew it would happen someday, but I just kept kicking the can down the road.
I've had a pretty good run with KeePass. My KeePass database spans 5 years of creating passwords on the internet. Are all of my passwords original? Nope. I have several variations and combinations of very strong passwords. I've also simply used generic passwords at sites that I don't care about. To my knowledge, nothing has been compromised yet.
HeartBleed leapfrogs current password harvesting methods. Until now, hackers have typically compromised servers and then pilfered improperly secured password databases. Every time this happens, more and more passwords are added to hackers' dictionaries. Hackers use dictionaries to guess passwords, and these lists are getting better and better. With HeartBleed, hackers don't have to mess around with password database security, salted hashes, or anything like that. They can just scrape the unencrypted, unsalted passwords directly out of the server's memory. Awesome. Oh wait, it gets better! This vulnerability has been wide open for a couple of months!
I used my most complex combo passwords on my most important sites: Facebook, Gmail, Dropbox, etc. The ones I don't want people to get into. Facebook, Gmail, and Dropbox were all vulnerable. For example, let's say my awesome strong passwords consist of 1-4 different words:
Since I value my Gmail account's security, my password would have been gM0t0b0atGr@v1t33L3tsGOM@RVEL-us. On other less important sites, it would have been just one, like L3tsGO.
I admit it. This is not good security practice. All my passwords should be strong. And different. The problem is I have too many passwords, and my brain just isn't big enough. I've been fighting the monster for so long... and now I'm done.
The problem now is that some enterprising hacker can take my passwords that they've harvested and add them to their dictionary. Most password cracking programs have the ability to do all kinds of neat things, like change all e's to 3's, try both upper and lower-case letters, etc. They can also put passwords together in different combinations. So, my risk has increased quite a bit.
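As an added illustration (not code from the original post): a rough keyspace estimate showing why a password built from a handful of known base words, even with case and leet variants, is far weaker than a random 20-character one once those words are in an attacker's dictionary. The vocabulary size and variant count are assumed figures, not numbers from the post.

```python
import math
import string

# Assumed (constructed) parameters, not from the post: the scheme draws from
# a small set of personal base words, each spelled in a few case/leet variants,
# and joins 1..MAX_WORDS of them in sequence.
VOCAB_SIZE = 8          # base words an attacker has already harvested
VARIANTS_PER_WORD = 6   # e.g. "lets", "Lets", "L3ts", "LETS", ... per word
MAX_WORDS = 4
PRINTABLE = len(string.ascii_letters + string.digits + string.punctuation)  # 94


def combo_keyspace(vocab=VOCAB_SIZE, variants=VARIANTS_PER_WORD,
                   max_words=MAX_WORDS):
    """Candidates a combination attack must enumerate when every password
    is 1..max_words tokens (with repetition) from vocab base words, each
    in one of `variants` spellings. Once the words are known, the leet
    and case tricks only multiply the token count, not the structure."""
    tokens = vocab * variants
    return sum(tokens ** n for n in range(1, max_words + 1))


def random_keyspace(length=20, alphabet=PRINTABLE):
    """Candidates for a uniformly random password of `length` characters."""
    return alphabet ** length


def bits(keyspace):
    """Keyspace expressed as equivalent password entropy in bits."""
    return math.log2(keyspace)


if __name__ == "__main__":
    print(f"word-combo scheme: {combo_keyspace():,} candidates "
          f"(~{bits(combo_keyspace()):.1f} bits)")
    print(f"random 20 chars:   ~{bits(random_keyspace()):.1f} bits")
```

With the assumed figures the word scheme is about 22 bits, versus roughly 131 bits for the random password; harvesting the base words collapses a long-looking password into a tiny search.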
Yesterday I plunked down the $13 for LastPass and started changing my passwords. They're all different now: random and 20 characters long. If a site's password database gets hacked, I'll just change the password for that site and be done with it. I can't take the worry or the management overhead anymore. I have thrown in the towel. Take my money, LastPass.
I recommend that you check out this link on Mashable to find out where you should be changing your passwords.