As the dust begins to settle on the Heartbleed bug, it is time to critically assess the password management practices in your organization. After all, password management is the foundation of information security, and that foundation is threatened by the combination of the Heartbleed bug and password reuse. Reinforce it with the tips below for meticulously reviewing and revising how your organization stores, shares, and uses passwords.

The Internet is exploding with stories on the Heartbleed bug, which is being called the mother of all security vulnerabilities. With this kind of information overflow, you are probably all too familiar with the bug by now. After nearly two weeks of security warnings, concerns, impact assessments, predictions, and interpretations, the dust is settling.

In the deluge of information, it is easy to overlook the most important aspect of the threat posed by the Heartbleed bug: password management. Why is password management Heartbleed's most important aspect? Because improper password management practices, combined with Heartbleed, make a deadly combination that could be disastrous for organizations and individuals alike.


The Heartbleed bug and password reuse: A deadly combination 

The Heartbleed bug (CVE-2014-0160), a missing bounds check in OpenSSL's implementation of the TLS heartbeat extension, became widely known on April 7, 2014. A single malformed heartbeat request lets a client read up to 64 KB of the server's process memory, which can contain session cookies, passwords submitted by other users, and even the server's private key. The bug had been present, unnoticed, for about two years, and there is no reliable way to tell whether it was exploited against a given site, because a heartbeat exchange normally leaves no trace in server logs. So as a precautionary measure, most vendors suggest you reset your passwords after they have patched their applications and fixed the vulnerability at their end. By now, you have probably been swamped by vendor advisories prompting you to change your passwords.

When you receive a Heartbleed advisory from a software application provider, you are likely to change the password for that application or site and feel secure. But the harsh truth is that the rest of your online life could still be at risk, because most of us tend to reuse the same password across many websites and applications.

So suppose an attacker obtained your password by exploiting Heartbleed at one site: the password was sitting in the server's memory from a recent login and was read out along with everything else. If you rely on that same password to protect all of your online accounts, the attacker has effectively obtained the 'master key' to every one of them, including accounts at sites that were never vulnerable to Heartbleed.

Following are some high-risk scenarios:

  • You are using the same password everywhere, including social media accounts, web applications, service portals, bank accounts, and online financial accounts. A password harvested by exploiting the Heartbleed bug at one place could give the attacker access to all your other accounts and lead to your bank account being drained.
  • An employee of your organization has used the same password for personal and social media accounts as well as work-related web applications, email, and VPN. Credentials exposed at just one site compromised by the Heartbleed bug could bring attackers to your organization's doorstep.

So when a security incident happens at one place, you should reset the password of the affected account and of every other account that shares that password. Reset the affected account's password whether or not you reuse passwords; the difference is that with a unique password per account, one account is all you need to reset. But before you can do either, you need an inventory of every online application in which you own an account.

Heartbleed: How to prevent security incidents

You should check whether any of the online or web applications you use are or were vulnerable to the Heartbleed bug. If they were, act in accordance with the respective vendor's security advisory and change the password. In addition, if you have used that password in any other application, change the password for each of those applications as well, even if they are not and never were vulnerable to the Heartbleed bug.
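Added example, not code from the original post: a small Python script that takes an inventory of accounts and a list of sites reported vulnerable, and works out which accounts to reset, including accounts at unaffected sites that share a password with an affected one. The site names, passwords and the vulnerable-site list are constructed for the example. Passwords are compared through a keyed fingerprint so the script never has to print them or keep unkeyed hashes of them, which for weak passwords are trivially reversed.

```python
"""Which accounts must be reset after a Heartbleed-style disclosure? (added example)"""
import hashlib
import hmac
import secrets
import string
from collections import defaultdict

# Constructed sample inventory: hypothetical sites and toy passwords, not real data.
INVENTORY = {
    "mail.example.com": "Summer2014!",
    "bank.example.com": "Summer2014!",        # reused: same as the mail account
    "social.example.org": "Summer2014!",      # reused again
    "vpn.example.net": "correct-horse-battery",
    "shop.example.com": "xK9#2pQv!mN4",
}

# Sites whose vendor advisory says they ran a vulnerable OpenSSL (hypothetical list;
# in practice this comes from the advisories you received).
VULNERABLE_SITES = {"social.example.org"}

# Key for the keyed fingerprint. Generated fresh per run here; a real tool would keep it
# secret and stable so fingerprints can be compared across runs.
LOCAL_KEY = secrets.token_bytes(32)


def fingerprint(password: str, key: bytes = LOCAL_KEY) -> str:
    """HMAC-SHA256 of the password: equal passwords give equal fingerprints, nothing else leaks."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def group_by_password(inventory: dict, key: bytes = LOCAL_KEY) -> dict:
    """Map each password fingerprint to the set of sites that use that password."""
    groups = defaultdict(set)
    for site, password in inventory.items():
        groups[fingerprint(password, key)].add(site)
    return groups


def reuse_groups(inventory: dict, key: bytes = LOCAL_KEY) -> list:
    """Sets of sites sharing one password; any output at all means reuse, incident or not."""
    return [sites for sites in group_by_password(inventory, key).values() if len(sites) > 1]


def accounts_to_reset(inventory: dict, vulnerable_sites: set, key: bytes = LOCAL_KEY) -> dict:
    """Return {site: reason} for every account that needs a new password.

    Reset if (a) the site itself ran vulnerable code, or (b) the account shares a
    password with an account at a vulnerable site, even though its own site was
    never affected: a password read out of one server's memory opens both."""
    groups = group_by_password(inventory, key)
    todo = {}
    for site in sorted(vulnerable_sites.intersection(inventory)):
        todo[site] = "site ran a vulnerable OpenSSL"
        for other in groups[fingerprint(inventory[site], key)] - {site}:
            todo.setdefault(other, f"shares a password with {site}")
    return todo


ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Replacement password from the OS CSPRNG, re-drawn until every character class is present."""
    if length < 4:
        raise ValueError("too short to hold all four character classes")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


if __name__ == "__main__":
    for group in reuse_groups(INVENTORY):
        print("password reused across:", ", ".join(sorted(group)))
    for site, reason in accounts_to_reset(INVENTORY, VULNERABLE_SITES).items():
        print(f"reset {site}: {reason}; suggested replacement: {generate_password()}")
```

With the sample inventory, only social.example.org was vulnerable, yet the script also flags mail.example.com and bank.example.com, because they share its password; vpn.example.net and shop.example.com, which use unique passwords, are left alone. Run it against your own inventory only on a machine you trust, since it necessarily reads the passwords.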

Whether or not a site was vulnerable to the Heartbleed bug, most vendors are now advising their customers to reset passwords as a precaution. Wait for the vendor's reset advisory, then assign a unique, strong password to that site or application. The order matters: changing your password on a particular site protects you only if the site has already patched its systems and replaced its TLS certificate and private key; a new password sent to a still-vulnerable server can be read out of memory just like the old one.

You should assign a unique password to each website and application. Then, when there is news of a password exposure or hack at one of them, you can change the password for that site or app alone. Changing passwords periodically is a highly recommended habit.

But here comes the problem: you will have to remember multiple passwords, often tens or even hundreds of them. It is quite likely that you will forget some, struggle to log in at the moment you most need to, and succumb to password fatigue.

Time to review password management practices

Changing passwords and assigning unique passwords are important, but not sufficient to ensure information security. Password management is the foundation of information security, and a sound approach will help you effectively combat vulnerabilities like the Heartbleed bug. After acting on the Heartbleed advisories, you should review your password management practices.

In particular, you should meticulously review how passwords are stored, shared, and used in your organization. Password management is not merely about storing passwords; it covers a broad range of activities, including consolidating, securing, controlling, managing, and monitoring privileged accounts. Below are key points to consider during your review.

  • IT resources and web applications should be assigned strong, unique passwords. Password reuse is disastrous and should be strictly avoided.
  • Administrative passwords, which grant unlimited privileges over IT assets, should never be stored in plain text in unprotected places like post-its, spreadsheets, printouts, and text documents.
  • Users should get access only to the passwords of the specific resources that are necessary to perform their work.
  • When passwords are to be shared with others, the sharing mechanism should follow a proper workflow that includes 1) an approval mechanism for password requests, 2) time-limited access, and 3) automatic reset after usage.
  • All passwords should be changed at periodic intervals, and the organization's IT policy should be enforced.
  • Access to sensitive accounts should be granted without revealing the underlying passwords. In other words, users should be able to access the resources without ever seeing the passwords in plain text.
  • All activity by users on highly sensitive resources should be session-recorded and monitored, and any session showing suspicious activity should be terminated.
  • Comprehensive, tamper-proof audit records should be maintained on the "who, what, and when" of access.
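Added example, not ManageEngine's code or Password Manager Pro's API: a toy vault in Python that models the check-out workflow described in the points above, with an entitlement check, second-person approval, a time-limited exclusive lease, sessions opened on the user's behalf so the password never leaves the vault, automatic rotation on check-in or expiry, and a hash-chained audit log whose verification fails if any record is altered. Resource names, users and timestamps are constructed; the connection to the target system is a labelled stand-in.

```python
"""Check-out workflow for a shared administrative password (added example, not a product's API)."""
import hashlib
import json
import secrets


class AccessDenied(Exception):
    """A request that the check-out policy does not allow."""


class PrivilegedPasswordVault:
    def __init__(self, passwords: dict, entitlements: dict):
        self._passwords = dict(passwords)   # resource -> current password; never returned to callers
        self._entitlements = entitlements   # resource -> set of users allowed to request it
        self._leases = {}                   # resource -> {"user": ..., "expires": ...}
        self.audit = []                     # append-only records, each chained to the previous one

    # --- tamper-evident audit trail: every record commits to the digest of the one before it ---
    @staticmethod
    def _digest(record: dict) -> str:
        body = {k: v for k, v in record.items() if k != "digest"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _record(self, **event) -> None:
        event["prev"] = self.audit[-1]["digest"] if self.audit else "0" * 64
        event["digest"] = self._digest(event)
        self.audit.append(event)

    def verify_audit(self) -> bool:
        """False if any record was altered, removed or reordered after the fact."""
        prev = "0" * 64
        for rec in self.audit:
            if rec["prev"] != prev or rec["digest"] != self._digest(rec):
                return False
            prev = rec["digest"]
        return True

    # --- the workflow: entitlement check, second-person approval, time-limited exclusive lease ---
    def checkout(self, user: str, resource: str, approver: str, ttl: int, now: int) -> None:
        if user not in self._entitlements.get(resource, set()):
            self._record(action="checkout-denied", user=user, resource=resource, t=now)
            raise AccessDenied(f"{user} is not entitled to {resource}")
        if not approver or approver == user:
            raise AccessDenied("a second person must approve the request")
        lease = self._leases.get(resource)
        if lease and lease["expires"] > now:
            raise AccessDenied(f"{resource} is checked out by {lease['user']} until {lease['expires']}")
        self._leases[resource] = {"user": user, "expires": now + ttl}
        self._record(action="checkout", user=user, resource=resource,
                     approver=approver, expires=now + ttl, t=now)

    def open_session(self, user: str, resource: str, now: int) -> str:
        """Log the user in to the resource on their behalf and return an opaque session id."""
        lease = self._leases.get(resource)
        if not lease or lease["user"] != user:
            raise AccessDenied(f"{user} holds no lease on {resource}")
        if lease["expires"] <= now:
            del self._leases[resource]
            self._rotate(resource)          # the leased value is retired even though it was never returned
            self._record(action="lease-expired", user=user, resource=resource, t=now)
            raise AccessDenied("lease expired; request again")
        session_id = self._connect(resource, self._passwords[resource])
        self._record(action="session", user=user, resource=resource, session=session_id, t=now)
        return session_id

    def checkin(self, user: str, resource: str, now: int) -> None:
        """Return the resource; the password is rotated so nothing the user may have seen still works."""
        lease = self._leases.get(resource)
        if not lease or lease["user"] != user:
            raise AccessDenied(f"{user} holds no lease on {resource}")
        del self._leases[resource]
        self._rotate(resource)
        self._record(action="checkin-rotated", user=user, resource=resource, t=now)

    def _rotate(self, resource: str) -> None:
        self._passwords[resource] = secrets.token_urlsafe(24)

    @staticmethod
    def _connect(resource: str, password: str) -> str:
        """Stand-in for authenticating to the target with the vaulted password (hypothetical;
        a real vault would open an SSH/RDP/DB session here). The caller only ever gets the id."""
        return secrets.token_hex(16)

    def password_changed_since(self, resource: str, old: str) -> bool:
        """For audits and tests: confirms a rotation without revealing the current value."""
        return not secrets.compare_digest(self._passwords[resource].encode(), old.encode())
```

The two failure modes a reviewer should look for are both handled: an expired lease is not silently honoured (the session is refused and the password rotated anyway), and the audit chain breaks if anyone edits an earlier record, because each record's digest is computed over its own fields plus the previous digest. Storing the chain head somewhere the vault administrators cannot write to is what turns tamper-evident into tamper-resistant.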

Consider using a password manager

To combat cyber-threats, proper password management should become a way of life. But taking a manual approach to password management would be cumbersome, error-prone, and ineffective. To help enforce password management best practices, consider using a password manager like ManageEngine Password Manager Pro.

Password managers generate strong, unique passwords and securely store all your logins and passwords. Let the Heartbleed bug serve as an eye opener and encourage you to do away with the dangerous practice of password reuse. Now is the perfect time to start proactively protecting your passwords.

Bala

  1. ezella gatzke

    How can I get on the site or page so I can change my password?

    • Hi Ezella. What product or site are you referring to?