Ever since people started securing information systems, other people have been trying to break through that security to get at the protected information. The recent discovery of the Heartbleed bug in OpenSSL is just the newest security threat to reach a high level of media attention and bring the issue of information security to the forefront. Billions of dollars are spent every year on security, and all it takes is one little mistake, one line of code, and all of it is wasted. The biggest challenge facing computer security today is that there’s no way to prove your system is secure – only that nobody’s figured out how to crack it yet.
As an IT provider, you can do everything right and still be vulnerable. You can follow all the best practices, use the strongest encryption, the most reputable vendors, and still fall prey to someone else’s mistake. Even the mighty Google was affected by Heartbleed, and they spend more money on security than your small business takes in every year.
As an IT consumer, you’re in an even worse boat. All you can do is decide which services to use, and follow their password requirements and restrictions. However, the moment a new vulnerability is discovered, you’re sitting helpless, hoping your private information isn’t compromised. Even if your computer has all the latest OS patches, you can still be in trouble.
Even best practices don’t really keep us safe. The strongest password in the world won’t keep your information safe if the attacker isn’t using your password. In fact, for those who are less computer literate, strong passwords can actually be a vulnerability because they lead to a false sense of security. Additionally, if a password is “too strong” (read: too complex), a user is more likely to write it down – and then it’s no longer a secret. XKCD ran an interesting comic on password strength (http://xkcd.com/936/) which suggested that very long, easy-to-remember passwords are more secure than typical (8-15 character) random jumbles of letters, numbers, and symbols.
And what about those secret questions and answers websites ask for, when you’re registering for an account? Those are even worse than passwords. First pet’s name? You’ve probably shared it on Facebook. Mother’s maiden name? That’s available via a simple public records search. Favorite color? Have you ever filled out one of those memes where some sort of name is generated for you based on your favorite color and month of your birth? The answers to those memes are also the answers to those secret questions, only now it’s not so secret. And while everyone urges you to change your passwords when a major vulnerability is discovered, nobody thinks to tell you to change your secret questions and answers.
If you’re thinking this all sounds very dire, well, in a way you’re right. Computer security is an arms race, and sometimes those with malicious intent find a vulnerability and exploit it before the good guys can patch it. So how can we protect ourselves?
We can be smarter and more careful about how we do business, and how we protect our information. This won’t keep us absolutely secure, but if we’re smart about it, we can limit the damage. Don’t use the same password on multiple sites. Don’t answer the secret questions with real answers; answer with something you can remember. For example, if a website asks me “What was the name of your first pet?”, I might answer with something like “I’d like an 1800 margarita, please.” It’s not the real answer, but if I know I use drink orders as answers to these questions, it’ll be just as easy for me to remember. Just because it’s your bank doesn’t mean you should trust it with all your secret information. And when a website you use DOES get hacked? Go ahead and change your passwords, and your security questions and answers, but don’t think that you’re safe just because you’ve done so. Assume that anything you’ve put online, you’ve made available to the general public. If you don’t want everyone to know about it, think twice before putting it online.
For more information on the Heartbleed bug and password tools, please check out What’s the Heartbleed Bug and How Can You Protect Yourself? by Jeremy Rochon.