There are a huge number of news items, tweets and posts running around the Internet at the moment. I don’t pretend to know the details about Heartbleed, but I do note that some of the expert opinion offered just adds to the general public’s confusion, and does not really help matters.
Some commentators observe that Heartbleed could (with the emphasis on could) have led to password compromise; no evidence is given of this having yet occurred (but you can be sure people are now trying…). On that basis we now have many commentators calling for all users to change all passwords.
Whoa! Just hold on a minute, and consider the reasons to slow down a bit; Graham Cluley offers a good commentary.
Two Step Verification
Even if this were right, is it the best advice we can give? We have long known that passwords are dead as a viable security technology. Rather than tell everyone to change their passwords, why not suggest upgrading to two-step verification or two-factor authentication instead? It is almost as easy, and on most sites setting it up takes about as long as changing your password.
It may not solve the issue 100%, but it significantly reduces it.
If you are thinking of acting after the Heartbleed incidents, don’t just punt the problem until the next compromise; do something different:
- Wait a bit, until the patches are in place
- Don’t just change your passwords, upgrade to two-step verification or two-factor authentication