Heartbleed
April 13th 2014 @ 4:18 am General,Tech

I spent a large chunk of time this week dealing from the fallout of Heartbleed as a technical person who runs a variety of websites… but this weekend I spent a lot of time dealing with it as a user. It took a lot of time and I wanted to share what I did.

Wait, what is Heartbleed?

You were affected by Heartbleed. You may not know it, but you were. Everyone on the internet was. I’m not going to spend time explaining Heartbleed because there’s plenty of that already: technical, non-technical, also non-technical and even comic.

What Do I Need To Do?

There’s a great list of sites affected, but frankly, it’s probably worse than that site would have you believe. The reality is this bug has been around for about 2 years and no one knows who has known about it for how long. So even if a site wasn’t using vulnerable software at the time we all found out about it, who knows what their setup was a year ago – or two.

Bottom line: for every site you have a password for, purchase stuff from, give sensitive information to, or log into in any way, you need to 1. Ensure they are no longer vulnerable and 2. Change your password. We’ll talk about how to pick good passwords and how to manage your passwords conveniently below.

Before visiting any sites though, be sure to test them via http://filippo.io/Heartbleed/. Alternatively you can install the Chrome extension ChromeBleed or the Firefox extension Foxbleed to tell you when a site is vulnerable.

Before You Make Any Passwords…

Let’s talk a bit about passwords. Traditional wisdom has taught internet users that “good” passwords are very complicated. You’ve been told that you must have special characters, spaces, capitals, all sorts of stuff. Your passwords should look like F23%@!he, right? Wrong.

The reality of it is, these crazy tricks are only useful on passwords that are short. You can have a much more secure, much easier to remember password if it’s long. Let’s look at two examples:

  • F23%@!he
  • This new job is fantastic, and I’m making a very long new password to ensure I keep the company safe.

Which one of those is harder to crack? Well, there are roughly 95 characters on my keyboard I can use in a password. The first password is 8 characters, so assuming an attacker knew how long it was, it would take 95^8, or 6,634,204,312,890,625, guesses to figure out. Not that many for a computer to do. Now let’s assume that in the second case the attacker knows we are only using letters, spaces, commas, apostrophes, and periods – just to make it “weaker” – that’s only 54 possible characters. And again, let’s assume the attacker knows the length of the password. OK, so the number of guesses would be 54^102 (that’s 102 characters), which is 506,015,129,274,289,980,315,536,924,745,600,402,800,748,439,809,998,381,264,322,335,967,665,518,308,513,071,357,710,481,256,877,374,090,891,957,891,806,474,420,131,725,564,699,076,655,948,414,884,760,908,561,767,814,181,384,582,332,416 guesses. So even limiting the choices of characters, the second password is a lot better.

I’ve simplified the math a bit – you also need to take into account that the attacker doesn’t actually know how long the password is, so he has to try all 1-character passwords, then 2-character passwords, then 3-character passwords, and so on. Which, as you can guess, means the longer password has even more benefit.
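To make the two comparisons above concrete, here is an added worked example (not code from the original post) that carries the arithmetic through in exact integers: the known-length keyspace, the unknown-length keyspace from the paragraph above (every length from 1 up to the real one), and both expressed in bits. The 95- and 54-symbol alphabet sizes are the post’s own figures; the guess rate of 10^9 per second is a constructed assumption used only to turn guess counts into time.

```python
"""Search-space arithmetic for the two example passwords in the post.

Added illustration, not code from the original article. Alphabet sizes are
the post's figures; the guess rate is an assumed 1e9 guesses per second.
"""
import math

PRINTABLE = 95    # symbols on a US keyboard, as the post counts them
RESTRICTED = 54   # the post's figure for letters, space, comma, apostrophe, period
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet: int, length: int) -> int:
    """Guesses needed when the attacker already knows the exact length."""
    return alphabet ** length


def cumulative_keyspace(alphabet: int, max_length: int) -> int:
    """Guesses when the length is unknown: every length from 1 to max_length.

    Closed form of sum(alphabet**i for i in 1..max_length), kept in exact
    integer math so the 102-character case loses no precision.
    """
    return alphabet * (alphabet ** max_length - 1) // (alphabet - 1)


def entropy_bits(guesses: int) -> float:
    """Size of a search space in bits (log2), the usual way to compare strength."""
    return math.log2(guesses)


def crack_seconds(guesses: int, guesses_per_second: int) -> int:
    """Whole seconds to exhaust the space at a fixed rate (exact integer division)."""
    return guesses // guesses_per_second


def compare(rate: int = 10**9) -> dict:
    """Both passwords side by side; rate is the assumed guesses per second."""
    cases = {"F23%@!he": (PRINTABLE, 8), "102-char sentence": (RESTRICTED, 102)}
    out = {}
    for name, (alphabet, length) in cases.items():
        known = keyspace(alphabet, length)
        unknown = cumulative_keyspace(alphabet, length)
        out[name] = {
            "bits_known_length": round(entropy_bits(known), 1),
            "bits_unknown_length": round(entropy_bits(unknown), 1),
            "years_unknown_length": crack_seconds(unknown, rate) // SECONDS_PER_YEAR,
        }
    return out


if __name__ == "__main__":
    for name, stats in compare().items():
        print(name, stats)
```

The 8-character password sits near 52.6 bits and falls in well under a year at that rate; the sentence, even over the restricted alphabet, sits near 587 bits.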

So getting back to the topic at hand, when you change your passwords, they’ll fall into two categories: the ones you have to remember because you have to type them constantly (the password to unlock your computer, the password for your email) and the passwords for various websites.

So the passwords you need to remember should be a nice long phrase or sentence like the one above (aim for 25 or more characters). Passwords for websites should be randomly generated by a password program (also at least 25 characters) and stored in said password program. You’ll want a password program that makes it easy to copy any password into your clipboard for easy use. And most importantly, have a different password for every single service!

Which means we need to have a password program… read on.

How I Used To Manage Passwords

Traditionally, my way of storing passwords was in a PGP-encrypted file. If you’re not a technical person, this won’t mean much to you, but suffice it to say I had an encrypted document on my computer that I could read only if I had two things: 1. A special “private key” (another file), and 2. A very long passphrase. This is very secure, but it wasn’t very portable. I couldn’t easily access this from various remote places, from my phone, etc.

For me this isn’t much of an issue – I generally have access to my home computer remotely through various means. But that wasn’t always true, and as such I have a bunch of bad password practices. Traditionally I’ve had a “banking” password, an “important stuff that’s not banking” password, a “somewhat secure stuff” password and a “throw-away” password I used for sites that didn’t matter. This is a horrible idea. It was time to start using unique passwords everywhere.

While a PGP-encrypted file and my current remote-access setup were sufficient for this, I decided to explore my options.

Requirements For A New Password Manager

If I was going to trust my password to anything other than GnuPG (my PGP software, written by truly paranoid folks, which is what you want in security software), it had to meet several requirements. First and foremost it had to be open-source. In the wake of all the NSA stuff over the past 12 months, it’s become clear that you cannot trust proprietary software – especially not for things like password safes. The NSA has had a huge influence over a variety of software, both open and closed – but such issues in open-source software are more likely to be found due to the many people looking at that software all of the time. Heartbleed is a great example of what generally happens when the community finds a problem with open-source security software – they announce it publicly so everyone can protect themselves.

Second, it had to store the passwords encrypted by strong cryptography I knew to be as trustworthy as possible. For those of you who are technical that meant AES256.

Third, it had to be able to export its database into a simple format such as plain text or CSV. I want to be able to switch to a different password manager at any time I choose.

Fourth, it had to be cross-platform. I generally only use Linux desktops. However, I have an Android, and occasionally I need to use a Mac, and if I chose to, I wanted my passwords to be available there.

Choosing A New Password Manager

I did hours of research and found there were two possible options: KeePassX and KeePass. It’s worth looking at a bit of history of these two pieces of software to make the right choice.

KeePass version 1 is open-source (GPL) but only works on Windows. KeePassX is a port of KeePass 1 to be cross-platform (Windows, Mac, and Linux) – also open-source (GPL). It has many – but not all – of the features of KeePass 1 and fully supports files created by KeePass 1. Version 2 of KeePass is also developed primarily on Windows, but due to Mono works on Linux. The KeePassX guy has alpha versions of KeePassX 2 which will support the KeePass 2 format.

There is Android software to read both KeePass 1 and KeePass 2 files (and thus KeePassX files).

Each has its advantages. KeePass is pluggable, so there are plugins to do all sorts of useful things one might want. However, I found most of these plugins to be of poor quality or so complicated to install that average users will be unable to. KeePassX, while less feature-rich, is fully cross-platform at its core, which is something its author seems to care a lot about. It’s also simpler – and in security software, simplicity is a good thing.

I decided that KeePassX was the right solution for me.

I found a great article at LinuxJournal about using KeePassX, Dropbox, and KeePassDroid in order to have secure passwords across multiple devices. KeePassDroid is also open-source (GPL/Apache), so my Android piece had been solved as well.

I am also using Dropbox as described in that article for syncing. You may have noticed that Dropbox is proprietary – it requires a closed-source daemon. However, the only thing I’m using Dropbox for here is to shuttle the encrypted database around. Since I trust the security of the KeePassX database (it’s encrypted with AES256), I can send it over any untrusted path safely.

The only thing that makes me unhappy about this setup is Dropbox’s proprietary software running on my machine. It’s not the worst thing in the world (my graphics drivers are also proprietary), but it’s not optimal either. KeePassX 2 is set to have native syncing to various services, and that will make me feel better.

My Final Setup

It is not clear to me if I want to use KeePassX + Dropbox + KeePassDroid or whether I want to stick with a single PGP-encrypted file which only exists in one place. So for the moment I’ve put all my new passwords in both, and I will try both and see how it goes.

Back To Changing All Your Passwords

So, remember:

  • Install ChromeBleed or Foxbleed to detect vulnerable sites
  • Change your password on every site you visit to a unique password of 25 or more characters
  • Use a good password manager

For sites that support it (Google, Facebook, Github, and others) you should enable 2-factor authentication. It means you will need your phone in order to log in, but it’s definitely easy and adds a ton of security.

Update: 4/12 10:34pm updated to add an explanation on why Dropbox is OK to use.

-phil
2 comments
  1. Ryan Tilder
    April 14th, 2014 | 3:36 pm

    You still have the wrong link for Foxbleed. Its href is pointing to the Chromebleed extension.

  2. phil
    April 14th, 2014 | 4:31 pm

    Fixed, thanks!
