Over the past week, we have noticed many people (friends, family members, etc…) asking for general advice on things they can do to protect themselves from the recently revealed Heartbleed vulnerability. While a lot of the major work needs to be done by owners of individual websites, there are some more general security steps that you can take to minimize your risk. Most are not that difficult to set up, so you might as well go ahead and do them, especially now that security is probably fresh in your brain due to all the Heartbleed coverage.
If you use Chrome, install the Chromebleed extension
This browser extension will give you an alert when you are on a secure site that appears to be vulnerable to the Heartbleed bug. The good news is that, since many websites have already patched their servers, you should see very few alerts. If you do see one, get off that website and come back later, once they have had a chance to patch their servers.
Change passwords on sites that have given the all-clear
It’s a good idea to change your passwords, but only for websites that have given the all-clear that they are no longer vulnerable to the bug. If a site hasn’t patched its servers yet and you change your password there, the new password can be leaked just like the old one, so it doesn’t do much good.
Use a password manager like LastPass
It’s really hard (damn near impossible) to remember a unique password for every website you visit, which is why most people reuse a single password across many websites. A password manager shifts that burden out of your brain and into a piece of software: it generates and stores a different password for every site, and you only have to remember the one master password that unlocks it.
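To make the trade-off concrete, here is an added example (not code from the original post, and not any particular password manager’s code) of the two things a manager does for you: it draws a long random password for each site from the operating system’s secure random source, and it stretches the single master password you do remember with a slow key-derivation function before using it to protect the vault. The site names and the 600,000 PBKDF2 iterations are assumptions chosen for the demo; the vault encryption itself (real managers use an authenticated cipher such as AES-GCM) is left out.

```python
import hashlib
import math
import secrets
import string

# 94 printable ASCII symbols: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw every character independently from the OS CSPRNG (secrets.choice),
    so the password is uniformly random and never reused across sites."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    20 characters from 94 symbols is about 131 bits, far beyond what anyone
    would remember for each of dozens of sites."""
    return length * math.log2(alphabet_size)


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = 600_000) -> bytes:
    """Stretch the one memorised master password into a 256-bit vault key.
    PBKDF2-HMAC-SHA256 with a per-vault random salt and a high iteration
    count makes offline guessing of the master password expensive."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def find_reused(vault: dict) -> dict:
    """Report any password shared by more than one site (the habit the
    manager is meant to break). Returns {password: [sites...]}."""
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def build_demo_vault(sites) -> dict:
    """Constructed demo: one fresh random password per site name."""
    return {site: generate_password() for site in sites}


if __name__ == "__main__":
    # Constructed site list; a real vault would hold your own accounts.
    vault = build_demo_vault(["mail.example", "bank.example", "social.example"])
    for site, pw in vault.items():
        print(f"{site}: {pw}")
    print(f"entropy per password: {entropy_bits(20, len(ALPHABET)):.1f} bits")
    print("reused passwords:", find_reused(vault))
    salt = secrets.token_bytes(16)            # stored alongside the vault
    key = derive_vault_key("correct horse battery staple", salt)
    print("vault key:", key.hex())
```

The salt is not secret and is stored next to the vault; its job is to make two users with the same master password derive different keys, so a precomputed table cannot be reused against everyone.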
Use two-factor authentication wherever possible
Two-factor authentication minimizes the risk of a password breach by requiring an extra piece of information when you log in. Usually this is a rotating security code that you read from an app, or an access code that is sent to you via text message when you attempt to log in to a website. Setting it up is not very difficult, and the security benefit is substantial: a password stolen through Heartbleed (or anything else) is not enough on its own to get into the account. If you haven’t started using two-factor authentication on websites that offer it, you really should think about it.
Many sites support two-factor authentication. Here are links to set up two-factor authentication for Google accounts, Facebook (look for “login approvals”), Twitter (look for the “login verification” options), Github, and Evernote. A much larger list of sites can be found here.
Review the applications you are connected to on major social media sites
It’s likely that over the years you have connected many sites and apps to one of your social media accounts. It’s easy to forget about the random website that you connected with your Facebook account two years ago, even though it may still hold an access token for your account. You should review these applications and revoke any services that you are no longer using.