Andy Ihnatko has a few things to say about your password

Sometimes I worry that I’m incapable of writing concise columns. My general approach to writing these things is, I confess, similar to Peter Jackson’s approach to making movies: “If you’re having fun making ‘The Hobbit,’ then don’t let the fact that it’s a lone, 100,000-word book keep you from expanding it into a three-film, nine-hour epic.”

Nonetheless, this does raise valid doubts about my powers of self-discipline. So I’m proud to present what I feel to be a perfect column about the Heartbleed bug. It consists of just one word:

“AIEEEEEEEEE!!!!!!”

I seem to have lots of room left here, so I’ll let you read my first draft too. It’s rather wordy, but goes into deeper detail:

“AIEEEEEEEEE!!!!!!”

(Fourteen seconds of blinking while staring, numbly, at a technical briefing of the problem)

“ARRRRRGHHHHHHHHHH!!!!!!!!!”

There you go. Now let’s hear no more about this nonsense that “Ihnatko can’t just get right to the point.”

(Fine. I’ll pad out my word count on the subject if that’s what it takes to get paid for this one.)

Yes, this bug is about as bad as security problems get. For the past two years, our blind faith in the security of a Web browser window with a little lock icon in the address bar and the letters “https://” preceding the address, denoting a secure, encrypted connection, has been sorely misplaced.

A version of OpenSSL, the popular, trusted open-source code library that many developers rely on to bake security and encryption into servers, apps and devices, has had a fatal flaw in it that can expose the contents of that machine’s memory to anyone who knows the correct exploit.

Heartbleed isn’t malware. It doesn’t spread and infect. The flaw is a bug that’s been baked right into any system running the affected version of OpenSSL, and any transaction of any app that’s ever relied on that version could have been giving your private information to God-knows-who for the past two years of its existence. The community reservoir of trusted encryption has been poisoned. It affects the crops, it affects the livestock, it affects the health of the people.

In simplest terms, the flaw allows an attacker to trick a computer into sending out any data floating around in its active system memory. Which means that a varmint can get anything you’ve transmitted. You’re thinking “passwords, credit card numbers, encrypted emails, other personal information.” Yes, but the damage is even worse: attackers can also get their hands on the digital keys that were used to encrypt those transmissions to begin with. Even if the server admin were to close the OpenSSL hole, the varmint still has those keys and could decrypt secure communications.

The more I read about Heartbleed, and the more conversations I have with security experts about it, the more convinced I am that this is indeed close to a very-worst-case-scenario for security bugs. It affects a full range of computers worldwide, it’s easy to exploit, there are almost no limits to the types of data exposed — and the door’s been open long enough that the varmints must already be exploiting it.

What future bug can top this one?

As I sit here and reread my chat logs with security experts, the only possibility that comes to my mind won’t even be possible until after the hypothesized Singularity. This is the science-fictiony-predicted era when we’re able to transfer our consciousnesses into computers directly. If and when that happens, there could one day be a security flaw that has every consequence that Heartbleed has, plus it delivers the full physical sensation of being kicked square in the nuts while delivering a child without an epidural.

In the week since Heartbleed became a trending topic, the men and women in the white hats have been scrambling to heal the security of the Internet. A patched version of OpenSSL is now available and admins are fixing their systems. New security certificates are being issued, which will render any stolen encryption keys useless. This is why many of the sites and services you use are asking you to log back in, and asking you to change your passwords.

It’s going to take a few more weeks before the fixes are all in place. It’s also likely that some servers, run with a criminal lack of attention, will remain vulnerable. But overall, Heartbleed is more along the lines of a natural disaster than a pandemic. It happened, the danger will soon be over with, and all that’s left is the cleanup.

It’s a frustrating kind of disaster because we, the end users, are helpless to do anything about it ourselves. The fault is not in our computers, but in the servers that our computers trust. There’s something in our flawed, never-out-of-beta human software that makes us worry if there isn’t something we can download and fix ourselves.

Instead, it’s time to change our passwords. All of them. Seriously.

If you want to nitpick, it’s only necessary to change passwords on services and sites that used the flawed code. Mashable has assembled a table of popular services with a thumbs up or down.

But listen to your trusted tech columnist.

(And you can trust me. My brain uses a different implementation of OpenSSL that’s not affected by the Heartbleed bug.)

Changing passwords regularly is something you definitely need to do. It’s part of the basic hygiene of modern computing. There was a time when you could get away with changing important passwords only once a year. Sure. And there was also a time when you could safely hitchhike across the country, and a time when you could leave your suitcase in an airport without the terminal being shut down and a police robot detonating your dirty underwear while you’re off getting a Cinnabon.

If you’ve been practicing good hygiene and changing your passwords regularly, then you’ve neutralized some of Heartbleed’s threats to your private data without ever knowing that there was any danger. The recurring calendar reminder you put on your phone means that the drawbridge to your personal email was only lowered for this Bad Person during the week or the month that the old stolen password was valid.

Have we reached the point where a password manager should be considered mandatory, as opposed to a mere convenience? I don’t like to say this, but: Yes, totally.

It’s not just because of Heartbleed, either. Password-cracking tools have reached a new level of sophistication and artistry. Among their weapons: affordable graphics cards that put supercomputing power into each slot of a tower PC, and compromised password files that have allowed the crackers to gain unprecedented insights into how humans pick passwords. The hardware is capable of making millions of random guesses within a practical timeframe (assuming the target user is of high value) … and why would the software bother guessing at random, when the humans’ password choices tend to fit into such predictable patterns? Never before has a “brute force” method of password cracking been so brutally successful.

I’ve used a clever password-generation scheme for more than a decade. I tended to pick passwords that only my brain could generate. If I forgot the password for my main email account, I would still remember that it had something to do with my trip to Alcatraz Island — because for the past three months, all of my passwords for that account did. All I had to do was replay that visit in my head, try out some warped phrases based on standout personal memories from the trip, and I’d usually get it in two or three tries.

It worked because even if I flat-out told you that Alcatraz was the key, you’d probably guess things like “prison bars,” not “dropped my camera battery.” I randomized it up to avoid passwords that were sequences of common English words, to foil dictionary-based cracks. Passwords generated this way would certainly hold for the few weeks before I changed them again, and that was all that mattered. And I could remember them.

I used to recommend this idea to people. No more. It was a great scheme for the world as it existed 10 years ago. Today, though, we have too many accounts, we need to change our passwords more frequently, and the cracking tools are just too good.

So it’s finally time to drop whatever puny human method of password creation you’ve been using and switch to an app that generates damn-near-random passwords for you, stores them securely, logs you into your usual services automatically, backs them up, and lets you access your passwords from any computer or device you own.
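To put numbers behind the two claims above, that human-pattern passwords fall to today’s guessing hardware and that a generator’s near-random passwords don’t, here is an added example (not code from the column, and not code from 1Password or LastPass). It generates a password the way a password manager does, from the operating system’s cryptographic random source, and compares its entropy against a “memorable scheme” password that an attacker can model as a theme vocabulary plus a handful of mutations. The vocabulary size, mutation count and guess rate are constructed assumptions chosen for illustration, not measurements.

```python
import math
import secrets
import string

# Character set a generator-style password draws from: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Generate a password from the OS cryptographic RNG (secrets), never random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string of `length` symbols: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def pattern_entropy_bits(vocabulary: int, mutations: int) -> float:
    """Entropy of a 'memorable' password once the attacker knows the scheme.

    Model (an assumption for illustration): the password is one phrase from a theme
    vocabulary of `vocabulary` candidates, altered by one of `mutations` predictable
    tweaks (capitalisation, digit suffix, leetspeak). The keyspace is their product.
    """
    return math.log2(vocabulary * mutations)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password at a given guess rate.

    On average an exhaustive search finds the answer halfway through the keyspace.
    """
    return (2.0 ** bits) / 2.0 / guesses_per_second


def compare(guesses_per_second: float = 1e9,
            vocabulary: int = 5000,
            mutations: int = 64,
            random_length: int = 20) -> dict:
    """Return both estimates side by side so they can be inspected or asserted on."""
    human_bits = pattern_entropy_bits(vocabulary, mutations)
    random_bits = entropy_bits(len(ALPHABET), random_length)
    return {
        "human_bits": human_bits,
        "human_seconds": expected_crack_seconds(human_bits, guesses_per_second),
        "random_bits": random_bits,
        "random_seconds": expected_crack_seconds(random_bits, guesses_per_second),
    }


if __name__ == "__main__":
    # Constructed assumption: a GPU rig trying a billion guesses per second.
    result = compare(guesses_per_second=1e9)
    print("example generated password:", generate_password())
    print(f"theme-scheme password: {result['human_bits']:.1f} bits, "
          f"~{result['human_seconds']:.4f} s to crack")
    print(f"20-char generator password: {result['random_bits']:.1f} bits, "
          f"~{result['random_seconds'] / (365.25 * 24 * 3600):.3g} years to crack")
```

Under these assumptions the theme-based password carries roughly 18 bits and is recovered in well under a second, while the 20-character generated password carries about 131 bits and is out of reach of any guess rate. The only thing the manager is doing differently is refusing to let a human pick the pattern.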

The two kings of this category are 1Password and LastPass. They’re both excellent. I trust them. Moreover, the experts I trust to tell me if something can be trusted, trust them.

1Password is the clear pick for iPhone users. It’s clean, simple, and has tight integration with other iOS apps. 1Password’s makers are also offering a 50-percent-off Heartbleed sale. The Mac or Windows license — normally $50 — is just $25. The sale also extends to family and multiplatform bundles. The iOS app is $8.99.

I personally use 1Password. I mostly log into things through my Mac and my iPad, and its Apple support is exceptional. But my phone is an Android. 1Password has an Android client, but it’s clearly running a step or three behind the iOS edition.

LastPass is free, and its Web interface is slicker than 1Password’s. A $12-a-year subscription unlocks access to mobile apps and other nice features. The other advantage of LastPass is that it can manage the logins of a whole business, and take advantage of more secure authentication systems.

But both are proven, well-considered, and well-supported tools. Either one of them will make your online life safer.

And a password manager is now utterly necessary. If you don’t change your passwords frequently, then your accounts and your services are always going to be vulnerable. If you don’t simplify that process with 1Password or LastPass, then creating, using and changing secure passwords is going to be such a titanic pain in the butt that you’ll stop changing ’em once you’ve forgotten about Heartbleed.

You can’t do that anymore. Within a few weeks, the immediate Heartbleed mess will be behind us. But there’s always another terrible threat to security slouching toward Bethlehem to be born. A strong password manager won’t solve every problem, but it solves enough of them to justify the expense and effort.

1Password has been an adjustment, I confess. This is not how I’ve been handling passwords all my life.

I liken it to wearing a seatbelt. It sometimes gets in your way, and in my car, it sometimes flops down and prevents my door from locking. But the amount of hassle it creates is utterly insignificant in light of the disasters that it will prevent in the future.