The #heartbleed scare: the quest to change passwords

April 16, 2014

The #heartbleed bug scare has one positive outcome: it has created a need for a global password change, everywhere, right now. Passwords these days are the primary security tool used in IT, but they have their weaknesses. Or rather, the way people handle them is the weakest point: short, easy to guess and reused across many sites is a 'popular' combination. According to a survey by Kaspersky Lab and B2B International, approximately 39% of users around the world use one or a few passwords for a whole range of resources. Also, 63% of respondents in the same survey admitted that their passwords are generally easy to guess.


The bug, which looks like one of the largest security holes ever, scares security experts and well-informed users alike. So it's time to do something. Realistically, we have some laborious, lengthy and at times less-than-pleasant work ahead. This is especially true for small businesses, where there are often no dedicated admins and people have to take care of their own passwords and overall security.

The first thing to do is identify what really affects our data security. For small businesses the correct answer is short: everything. Everything, because people mostly use their own laptops and mobile devices for both work and personal needs, so unless there is a security solution in place that isolates personal data from work files, any visit to a malware-infested website may, in theory, result in the compromise of your operations. The safest bet is to presume that any Web service you use may have been compromised, for whatever reason.

So for starters, we change the passwords to our e-mail accounts, both work and personal, especially if they are used for password recovery (possibly even for each other). One caveat: a new password typed into a server that is still running the vulnerable OpenSSL can be stolen exactly like the old one, so change it only once the service confirms it has patched.

But then we get a clear 'butterfly effect': once the primary work e-mail password is changed, many more need replacing too. There are collaboration tools and services such as Microsoft Exchange or Google Drive, which are accessed through the e-mail or Google account, and there are Apple accounts that connect all of a user's Mac OS X and iOS devices.

Then there are social networking sites with both personal and corporate accounts. Almost every business today uses them to get in touch with customers. Naturally, cybercriminals use the same sites to get closer to you, your money and your data.

All modern browsers offer to store your passwords and fill them in automatically. Think about how many websites you frequent; most likely quite a few. How many similar (not identical, but still similar) passwords are used across them? If the same pattern serves both public Web resources and personal e-mail, it takes only some guesswork for the crooks to find their way into your primary business e-mail and from there into your company's other resources. And they are often very good, experienced guessers.

By the way, Kaspersky Lab has an online tool to test passwords’ strength.

As a matter of fact, things are much easier with solutions like Kaspersky Small Office Security, which includes an advanced Password Manager. It generates unique, unguessable passwords for the whole range of resources you frequent, stores them in encrypted form and leaves you with a single Master Password, the only one you need to remember. You can find more about it here.
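The two points above, that 'similar' passwords fall to guesswork and that a password manager should hand every site its own random one, can be shown in a few lines of Python. This is an added illustration, not code from the original post or from Kaspersky's Password Manager; the sample vault, the small leet-speak table and the two-edit similarity threshold are constructed assumptions for the example.

```python
import math
import secrets
import string

# Characters a generated password is drawn from: 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Common substitutions people make when "varying" a password
# (constructed, illustrative table; a real checker would use a larger one).
LEET = str.maketrans("@$0134!", "asoieai")


def generate_password(length=20, alphabet=ALPHABET):
    """Draw a password uniformly at random from `alphabet` using the OS CSPRNG.

    secrets.choice is the right source here; random.choice is predictably
    seeded and must never be used for credentials.
    """
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def canonical(password):
    """Reduce a password to the 'idea' behind it.

    Lower-case it, drop the trailing digits/punctuation people bump each
    year ('Summer2013' -> 'Summer2014!'), then undo leet substitutions.
    """
    core = password.lower().rstrip(string.digits + string.punctuation)
    return core.translate(LEET)


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def near_reuse(p1, p2, max_distance=2):
    """True if two passwords are the same idea with cosmetic variation.

    The threshold of two edits is an assumption made for this example.
    """
    return levenshtein(canonical(p1), canonical(p2)) <= max_distance


def find_reuse(vault, max_distance=2):
    """Return sorted (site, site) pairs whose passwords are identical or near-identical."""
    sites = sorted(vault)
    hits = []
    for i, s1 in enumerate(sites):
        for s2 in sites[i + 1:]:
            if near_reuse(vault[s1], vault[s2], max_distance):
                hits.append((s1, s2))
    return hits


def regenerate_vault(vault, length=20):
    """Give every site a fresh, independent random password."""
    return {site: generate_password(length) for site in vault}


# Constructed sample vault: three variations on one idea plus one random password.
SAMPLE_VAULT = {
    "forum.example": "Summer2013",
    "mail.example": "Summer2014!",
    "bank.example": "$umm3r2013",
    "shop.example": "x9#Qv!7Lm2Ws@Bq4",
}

if __name__ == "__main__":
    for s1, s2 in find_reuse(SAMPLE_VAULT):
        print(f"near-duplicate passwords: {s1} and {s2}")
    fresh = regenerate_vault(SAMPLE_VAULT)
    print("after regeneration, near-duplicates:", find_reuse(fresh))
    print(f"each new password carries about {entropy_bits(20):.0f} bits of entropy")
```

Running it reports the three 'Summer' accounts as one shared password in disguise, which is exactly what an attacker who has one of them will try first; after regeneration the check comes back empty and each 20-character password carries roughly 131 bits of entropy, far beyond what guesswork can cover.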