The Heartbleed Bug: How to Mitigate Risks with Better Password Management
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
As the dust settles on the Heartbleed bug, it is time to critically assess the password management practices in your organization. Password management is a foundation of information security, and that foundation is threatened by the combination of the Heartbleed bug and password reuse. Reinforce it with the tips below for reviewing and revising how your organization stores, shares, and uses passwords.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The Internet is exploding with stories on the Heartbleed bug, widely described as one of the most serious security vulnerabilities in years. With this kind of information overflow, you are probably already familiar with the bug. After nearly two weeks of security warnings, concerns, impact assessments, predictions, and interpretations, the dust is settling.
In the deluge of information, it is easy to overlook the most important aspect of the threat posed by the Heartbleed bug: password management. Why is password management Heartbleed's most important aspect? Because improper password management practices, combined with Heartbleed, could be disastrous for organizations and individuals alike.
The Heartbleed bug and password reuse: A deadly combination

The Heartbleed bug, a memory-disclosure flaw (CVE-2014-0160) in OpenSSL's implementation of the TLS heartbeat extension, was publicly disclosed on April 7, 2014. The bug had been present, unidentified, for nearly two years, and because exploiting it normally leaves no trace in server logs, it is not known whether it was used against any web application anywhere. Whatever the server process held in memory at the time, including passwords and session cookies submitted over TLS and even the server's private key, could have been read. So as a precautionary measure, most vendors suggest you reset your passwords after they have patched their applications and fixed the vulnerability at their end; a password changed before the fix is in place is simply exposed again. By now, you must have been swamped by vendor advisories prompting you to change your passwords.
When you receive a Heartbleed advisory from a software application provider, you are likely to change the password for that application or site and feel secure. The harsh truth is that the rest of your online life could still be at risk, because most of us use the same password on many websites and applications.
So let's say an attacker harvested your password from one site or application by exploiting the Heartbleed vulnerability there; no password cracking is needed, since the bug leaks the server's memory in plaintext. If you rely on the same password to protect all of your online accounts, the attacker has obtained the "master key" to all of those accounts, even the ones that were never vulnerable to Heartbleed.
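To make the "master key" problem concrete, here is an added example, written for this page and not part of the original post, that scans a credential export for exact and near reuse and reports which other accounts open if one site's password leaks. The export is constructed sample data, and the stem heuristic for near reuse is an assumption of this example.

```python
"""Scan a credential export for password reuse and compute the blast radius
of a single leaked password.  Added example, not from the original post; the
export below is constructed sample data."""
import hashlib
import re
from collections import defaultdict

# Constructed export: one person's personal and work accounts, as a password
# manager might dump them.  The first four share one base password.
SAMPLE_EXPORT = [
    ("social-media", "Summer2014!"),
    ("bank", "Summer2014!"),
    ("work-email", "Summer2014#"),
    ("work-vpn", "Summer2014!"),
    ("forum", "x9Qf-2vLp-Tt0e-Ww8r"),
]


def fingerprint(password):
    """Compare by digest so the report never carries plaintext passwords."""
    return hashlib.sha256(password.encode()).hexdigest()[:16]


def stem(password):
    """Heuristic (an assumption of this example): drop trailing digits and
    punctuation and fold case, so 'Summer2014!' and 'Summer2015#' match."""
    return re.sub(r"[\d\W_]+$", "", password).lower()


def find_reuse(export):
    by_hash, by_stem = defaultdict(list), defaultdict(dict)
    for account, password in export:
        by_hash[fingerprint(password)].append(account)
        by_stem[stem(password)][account] = fingerprint(password)
    exact = sorted(sorted(a) for a in by_hash.values() if len(a) > 1)
    # Near reuse: several accounts share a stem but not one identical password.
    near = sorted(sorted(accts) for accts in by_stem.values()
                  if len(accts) > 1 and len(set(accts.values())) > 1)
    return {"exact": exact, "near": near}


def blast_radius(export, leaked_account):
    """Accounts that open with the password leaked from `leaked_account`,
    e.g. via a Heartbleed-style memory disclosure at that one site."""
    passwords = dict(export)
    if leaked_account not in passwords:
        return []
    target = fingerprint(passwords[leaked_account])
    return sorted(a for a, p in export
                  if a != leaked_account and fingerprint(p) == target)


if __name__ == "__main__":
    print(find_reuse(SAMPLE_EXPORT))
    print(blast_radius(SAMPLE_EXPORT, "social-media"))
```

Run against a real export, the "exact" groups are the accounts to rotate first; the "near" groups show where a user has been varying one base password, which credential-stuffing tools try as a matter of course.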
Following are some high-risk scenarios:

- You use the same password everywhere: social media accounts, web applications, service portals, bank accounts, and online financial accounts. A password harvested through the Heartbleed bug at one place could give the attacker access to all your other accounts, including the ability to drain your bank account.
- An employee of your organization has used the same password for personal and social media accounts as well as work-related web applications, email, and VPN. Data exposed at just one site compromised by the Heartbleed bug could bring attackers to your organization's doorstep.

Mitigating the risk with better password management

The practices below limit what a single leaked credential can do:

- IT resources and web applications should be assigned strong, unique passwords. Password reuse is disastrous and should be strictly avoided.
- Administrative passwords, which grant unrestricted privileges on IT assets, should never be stored in plain text in insecure places like post-it notes, spreadsheets, printouts, and text documents.
- Users should get access only to the passwords of the specific resources that are necessary to perform their work.
- When passwords are to be shared with others, the sharing mechanism should follow a proper workflow that includes 1) approval mechanism for password requests, 2) time-limited access, and 3) automatic reset after usage.
- All passwords should be changed at periodic intervals, and immediately whenever exposure is suspected, as after Heartbleed. The organization's IT policy should be enforced automatically rather than left to individual users.
- Access to sensitive accounts should be granted without revealing the underlying passwords. In other words, users should be able to access the resources without seeing the passwords in plain text.
- All activities done by the users on highly sensitive resources should be video-recorded and monitored. Any suspicious activity should be terminated.
- Comprehensive, tamper-evident audit records should be maintained on the "who, what, and when" of every access.
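The practices above are what a privileged-password vault enforces mechanically. The following is an added illustration, written for this page and not Password Manager Pro's code, of how those controls fit together: generated unique passwords, approval-gated leases with a time limit, use of a credential without it being shown to the user, automatic reset at check-in, and a tamper-evident audit trail built as a hash chain. Every name in it (Vault, AuditLog, alice, manager, prod-db, core-router) is invented for the example.

```python
"""Model of the controls listed above: generated unique secrets, approval-gated
and time-limited access, use without disclosure, reset after use, and a
hash-chained audit trail.  Added illustration, not Password Manager Pro code;
Vault, AuditLog and every name used in demo() are invented here."""
import hashlib
import json
import secrets

GENESIS = "0" * 64


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only who/what/when log; each record commits to the previous
    record's hash, so editing or deleting any entry breaks verify()."""
    def __init__(self):
        self.records = []

    def append(self, who, what, target, now):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        rec = {"ts": now, "who": who, "what": what, "target": target, "prev": prev}
        rec["hash"] = _digest(rec)
        self.records.append(rec)

    def verify(self):
        prev = GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


class Vault:
    def __init__(self, approvers):
        self._secrets = {}            # resource -> password, never handed out
        self._acl = {}                # user -> resources the user may request
        self._leases = {}             # (user, resource) -> lease expiry time
        self._approvers = set(approvers)
        self.audit = AuditLog()

    def rotate(self, resource, now):
        # Fresh generated password: used at setup and for every reset.
        self._secrets[resource] = secrets.token_urlsafe(24)
        self.audit.append("vault", "rotate", resource, now)

    def grant(self, user, resource):
        self._acl.setdefault(user, set()).add(resource)

    def request(self, user, resource, approver, ttl, now):
        # Entitlement and approver are both checked; the lease ends after ttl.
        if resource not in self._acl.get(user, set()):
            raise PermissionError(f"{user} is not entitled to {resource}")
        if approver not in self._approvers:
            raise PermissionError(f"{approver} may not approve requests")
        self._leases[(user, resource)] = now + ttl
        self.audit.append(approver, "approve", f"{user}->{resource}", now)

    def use(self, user, resource, connect, now):
        # Runs connect(password) for the user; only connect's result is returned.
        expiry = self._leases.get((user, resource))
        if expiry is None or now > expiry:
            self.audit.append(user, "denied", resource, now)
            raise PermissionError("no active lease")
        self.audit.append(user, "use", resource, now)
        return connect(self._secrets[resource])

    def checkin(self, user, resource, now):
        self._leases.pop((user, resource), None)
        self.audit.append(user, "checkin", resource, now)
        self.rotate(resource, now)            # automatic reset after usage


def fake_connect(password):
    # Stand-in for a privileged login: hands back an opaque session id only.
    return "session-" + hashlib.sha256(password.encode()).hexdigest()[:12]


def demo(t0=1_000_000):
    vault = Vault(approvers=["manager"])
    vault.rotate("prod-db", t0)
    vault.rotate("core-router", t0)
    vault.grant("alice", "prod-db")
    out = {"unique": len(set(vault._secrets.values())) == 2}
    try:
        vault.use("alice", "prod-db", fake_connect, t0 + 1)
    except PermissionError:
        out["without_approval"] = "denied"
    vault.request("alice", "prod-db", "manager", ttl=600, now=t0 + 2)
    before = vault._secrets["prod-db"]
    out["session"] = vault.use("alice", "prod-db", fake_connect, t0 + 10)
    out["password_exposed"] = before in out["session"]
    try:
        vault.use("alice", "prod-db", fake_connect, t0 + 700)
    except PermissionError:
        out["after_expiry"] = "denied"
    vault.checkin("alice", "prod-db", t0 + 800)
    out["reset_after_use"] = vault._secrets["prod-db"] != before
    out["audit_ok"] = vault.audit.verify()
    vault.audit.records[3]["who"] = "mallory"    # tamper with the approval
    out["tamper_detected"] = not vault.audit.verify()
    return out
```

Two design points worth noting. The hash chain only makes tampering evident if the latest hash is also stored somewhere the attacker cannot rewrite (periodically copied to a separate system or signed), otherwise an attacker who can edit the log can simply recompute the chain. And rotating on check-in is what turns a leaked credential into a short-lived one: even if a session was observed, the password it used is already gone. Session recording and the approval user interface from the list above are out of scope for this sketch.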
Password managers generate strong, unique passwords and securely store all your logins and passwords. Let the Heartbleed bug serve as an eye opener and encourage you to do away with the dangerous practice of password reuse. Now is the perfect time to start proactively protecting your passwords.
Bala
Password Manager Pro: Quick Video | Free Trial Download | White Papers | Success Stories
How can I get on the site or page so I can change my password?
Hi Ezella. What product or site are you referring to?