Of course, there’s an element of overreaction and drama to things like this. Websites are hacked what seems like all the time, but the Heartbleed bug has hit more than most. Mashable puts across what you should do more eloquently than I can (short version: there are a few you’ve heard of, but in the UK it’s only a couple), but the bottom line is it’s always good to have a think about your password security.
A password is a simple concept. Think of a word which means something to you but no one else would guess. Of course in the good old days you could (almost) get away with ‘Password’ or ‘Password1’, but these days you need to be a little more savvy, and, frankly, unpredictable.
How many of you are using passwords right now which are based around your pet’s name? Your child’s name? Your birthday? Or even your mother’s maiden name? Now think about how easily someone could get hold of this info, plus, if you have a public Facebook account then you’re basically doing their work for them.
It’s an easy trap to fall into, because people choose ‘memorable’ words and phrases as secure answers, but in fact it might be more sensible to choose something completely random and unrelated to you instead.
How strong is a ‘strong’ password?
You can go too far the other way, meaning your password is impossible to remember and therefore you end up resetting it every time you try to log on. If you think you have the memory for it, you could try a strong password generator, which you then remember with a handy mnemonic.
For example, a strong password might be: Iow2ts2b18!bop, which as a sentence could be: I once went 2 the shops 2 buy 18! bags of peas. This is a random example (please don’t use this password!) but you get the idea. A really strong password would have more punctuation and more capital letters in it of course; if in doubt, add a few numbers in the middle of the word for good measure.
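To put a number on “how strong is strong”, here is an added example (not code from the original post) that builds a password from a mnemonic sentence the way the post describes, estimates its strength in bits from the character classes it uses, and generates a random one with the operating system’s CSPRNG. The mnemonic rule (first letter of each word, numbers and punctuation kept whole) and the pool-size estimate are my assumptions, not anything the post specifies; the estimate is an upper bound that only holds for characters chosen at random, so a password derived from a real sentence is weaker than the figure suggests.

```python
import math
import secrets
import string

# Character classes a password might draw from. The size of the pool an
# attacker has to search is estimated from which classes are present.
CHAR_CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "punct": string.punctuation,       # 32
}
FULL_ALPHABET = "".join(CHAR_CLASSES.values())  # 94 characters


def mnemonic_to_password(sentence: str) -> str:
    """Turn a sentence into a password: first character of each word,
    but tokens that start with a digit or punctuation are kept whole.
    (Assumed rule; it reproduces the post's own example.)"""
    parts = []
    for word in sentence.split():
        parts.append(word[0] if word[0].isalpha() else word)
    return "".join(parts)


def classes_used(password: str) -> set:
    """Names of the character classes that appear in the password."""
    return {name for name, chars in CHAR_CLASSES.items()
            if any(c in chars for c in password)}


def pool_size(password: str) -> int:
    """Alphabet size an attacker must assume, given the classes present."""
    return sum(len(CHAR_CLASSES[name]) for name in classes_used(password))


def entropy_bits(password: str) -> float:
    """Upper bound on strength: length * log2(pool size).
    Assumes every character was chosen uniformly at random, which is
    true for generate_password() but not for a mnemonic sentence."""
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))


def generate_password(length: int = 14, alphabet: str = FULL_ALPHABET) -> str:
    """Random password using the OS CSPRNG (secrets), never random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("password", "Password1", mnemonic_to_password(
            "I once went 2 the shops 2 buy 18! bags of peas"), generate_password()):
        print(f"{pw:20} classes={sorted(classes_used(pw))} "
              f"pool={pool_size(pw)} ~{entropy_bits(pw):.1f} bits")
```

Running it shows why “Password1” is only a small improvement on “password”: adding one capital and one digit grows the pool, but each character still contributes under six bits, so length matters more than clever substitutions.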
Another alternative is to take a word you know well and reverse it to turn it into a mnemonic. Of course that is less secure than a completely random word or name, but it might be easier to remember.
The key really is to be sensible: there’s no point in coming up with an incredibly elaborate password if you can’t remember it. I remember I changed some passwords recently and quickly lost track of which was for which site.
In terms of the Heartbleed sites, many of them offer two-step verification. What this does is ask you to log in with a password and a security code which is created by an app on your smartphone or tablet.
You can have the website remember a specific device so you don’t need to use the log-in process from your phone every five minutes, but the benefit is if someone does hack your account information then tries to log on as you somewhere else then they won’t be able to (in theory at least, there are some determined people out there).
It’s a fairly simple process, in that the likes of Google, Microsoft and Apple (for example) have their own two-step process in place; go to your security settings on your account for those sites to find out more. If you ever wondered what ‘Google Authenticator’ is, then that’s what it’s for (see the video below for a quick guide), personally I would recommend it.
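For anyone curious how the app actually “creates” the code, this is an added example (not the post’s code, nor Google’s) of the standard behind authenticator apps: HOTP (RFC 4226) and its time-based form TOTP (RFC 6238). The phone and the website share a secret, usually handed over as a Base32 string inside the QR code; both sides HMAC the current 30-second time slot with that secret and truncate the result to six digits, so the code never travels from phone to site except when you type it in. The `verify_totp` helper and its one-step window are my own additions to show the server side; the test secret is the published RFC test vector, not anyone’s real key.

```python
import base64
import hashlib
import hmac
import struct
import time

# Published test vector from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"
RFC_TEST_SECRET_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC the 8-byte big-endian
    counter, dynamically truncate to 31 bits, take the last `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int = None, step: int = 30,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """Time-based OTP (RFC 6238): the counter is the number of `step`-second
    slots since the Unix epoch, so phone and server agree without talking."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(secret, at_time // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, at_time: int = None,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check (my addition). Accepts the current slot plus
    `window` slots either side to tolerate clock skew, and compares in
    constant time so timing does not leak how many digits matched."""
    if at_time is None:
        at_time = int(time.time())
    for slot_offset in range(-window, window + 1):
        candidate = totp(secret, at_time + slot_offset * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def secret_from_base32(text: str) -> bytes:
    """Decode the Base32 secret an authenticator app is provisioned with.
    Apps commonly show it unpadded and with spaces, so normalise first."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


if __name__ == "__main__":
    secret = secret_from_base32(RFC_TEST_SECRET_BASE32)
    print("code right now:", totp(secret))
    # RFC 6238 Appendix B vector: at T=59 the 8-digit SHA-1 code is 94287082.
    print("RFC vector T=59:", totp(secret, 59, digits=8))
```

Two things the snippet makes visible: the code is only as secret as the shared key (back up the QR code somewhere safe, not in your email), and a real server must also refuse to accept the same code twice within its window and rate-limit guesses, otherwise six digits is not much of a barrier.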
As a disclaimer, I would not claim to be a password or security expert, and if you have genuine concerns that your account on any site has been compromised, contact that site immediately. In all likelihood though, you are very unlikely to be targeted specifically; it’s more likely that your data gets scooped up by a targeted attack on a high profile site, and keeping your passwords fresh eliminates the security risk from that.
It might not be very exciting, but would you really want someone logging on to your email and sending malware to your entire address book? It isn’t likely, but it’s the sort of thing which could happen if you don’t do something about it.
Now, if you’ll excuse me, I’m off to change my password and promptly forget it.
James Michael Parry