Right around this same time last week there was a flurry of activity for those responsible for deployments leveraging OpenSSL. Yep, I’m talking about Heartbleed. So after we go through all of the patching and re-keying, it’s now time to consider password changes. This post isn’t about Heartbleed, it’s about passwords and what the bad guys already know.
Melanie Pinola from Lifehacker wrote a very interesting piece on Friday about how our password tricks don’t fool the modern hacker. I’m not sure what happened to recommendation number 3 in her piece, 1, 2, and 4 are spot on.
What’s the solution? Ultimately it comes down to using some software to help you out. Password managers are now built into some operating systems, or are offered as third-party addons. When it came time to cycle through the websites that have already disclosed the usage of vulnerable software, I simply took the site specific random password and replaced it with another site specific random password. I’ve written about password managers before, and still stand by their usage. If you are not using one yet, use this opportunity to take charge! You have a number of websites you need to be changing passwords for.