As some of the most frequented sites on the web, we can trust Google, Facebook and Yahoo! to protect our data, right? Wrong.
Introducing the ‘Heartbleed Bug'. These sites, along with almost half a million others, use OpenSSL, an open source piece of software designed to encrypt data flowing in and out of a website. A few days ago, internet users received the heartbreaking news that a flaw in the software has enabled hackers to steal data from these ‘secure' sites. Worse, this bug may have been crawling through our web servers for up to two years giving hackers plenty of time to get their grubby mitts on our personal information!
But stay calm, we needn't worry...the lovely people at Google et al have patched the flaws, rendering any stolen data useless. Phew. But hang on a minute, what about the half a million other websites using OpenSSL? Since the news broke the web has been flooded with confusing advice; particularly on whether or not we need to change our passwords across all our web applications. Some say ‘change your password right away'. Others advocate waiting until all your sites have been patched ensuring you don't risk your shiny new password falling into villainous hands. Then there are the soothing words of Google, which claims there's no need to change it at all. Unless, it adds quietly, you have been foolish enough to reuse your ‘secure' Google password on other websites. If this is you, then sound the alarm! Well, phew. Thank heavens that never happens, huh?
Time for a reality check. It's common knowledge that due to the sheer volume of passwords the average web user is now required to use, reusing the same memorable phrase across some, if not all websites we use on a daily basis is inevitable. Research conducted by Swivel in 2013 revealed that almost a fifth of employees care so little about online security that they reuse the same username and password across every single online business and personal application.*
The posturing has to end. It's all well and good telling us to change our passwords across all our applications, but it's inevitable that most of us are going to push that flash of guilt to one side and reuse our new password across the board once again. Help is at hand however, with new ‘password manager' websites popping up all over the internet. These sites claim to store your details securely and help generate complex, highly secure passwords as a result. But wait, how do you get into these sites? It isn't... It couldn't possibly be with... It is. Another password.
My advice? Scrap passwords altogether. The inconvenient truth is that web users are neither capable nor are they willing to maintain the complex, rolling system of passwords that today's web environment demands. Passwords have proven over and over again that they are no longer fit to secure the increasing amount of personal data we now store online and in the cloud.
Contributed by Chris Russell, CTO, Swivel Secure, www.swivelsecure.com