A few years ago I put out a series of posts on how to drastically increase your online security. Then I assembled that list on my Online Security page.
The reason I wrote the series of posts is that I found the conversation about online security was too technical for the very people who needed to hear the message the most. My goal was to go deep into the topic, explain the problem simply and then provide the steps one needed to take to be more secure.
And although I’m guessing a few of my blog readers followed those posts and now have a more secure online presence, I know of no one that I personally inspired to take action. Maybe I didn’t make it simple enough? Maybe people just don’t care whether their online accounts are secure? Or are people just too lazy until the moment they are hacked and forced to take action? I don’t know.
Yesterday a brand new security flaw was discovered called Cloudbleed. The article Cloudbleed bug: Everything you need to know provides a good overview.
Services like Cloudflare help move information entered on those “https” websites between users and servers securely. What happened here is some of that secure information was unexpectedly saved when it should not have been. And to make matters worse, some of the saved secure information was cached by search engines like Google, Bing and Yahoo.
So it could have been a username or a password, a photo or frames of a video as well as behind-the-scenes things like server information and security protocols. At this time, there is no indication that any of this information was accessed by hackers.
The article advises that users change their passwords for sites that use Cloudflare and they link to a tool that will help you discover if they do.
I think their advice is solid for me, but not enough for the vast majority of internet users.
Why?
Because I use a Password Manager and I know with 100% certainty that I do not reuse a single password. Most users I know reuse passwords all the time. So if the hackers got your FitBit, Medium or OKCupid password – remember we don’t know what they hacked at this time – what is to stop them from attempting to use that password to access other sites not affected by Cloudbleed? Nothing.
Let us imagine a hypothetical situation where hackers collected hundreds of thousands of usernames and passwords to various sites on the internet. They could use this data to attempt to access your email and/or financial sites in the hope that you use the same username and password there.
So not only do you need to change the passwords of sites affected by Cloudbleed, but any sites that share the same username/password combo as a site affected by Cloudbleed.
I use LastPass and it warns me if I attempt to reuse a password. So I don’t. If one site gets compromised, the damage is contained. People have told me it is too much work to update all their passwords. Whatever. I think the peace of mind is worth it. Yes, there is a time commitment to set everything up, but afterwards it is much easier to manage and respond to new security threats.
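The two checks described above (a manager's warning when a password is reused, and working out which accounts share a credential with a site on the affected list so they can be rotated too) can be done mechanically against a password-manager export. The script below is an added example, not code from the original post or from LastPass. It assumes a CSV export with the columns site,username,password; the rows and the affected-site list are constructed sample data, and the report prints a short hash of each reused password rather than the password itself.

```python
"""Find which accounts to rotate after a credential leak.

Added example (not part of the original post). Assumes a password-manager
CSV export with the columns site,username,password; the rows and the
affected-site list below are constructed sample data, not real accounts.
"""
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export. Hypothetical sites and credentials.
SAMPLE_EXPORT = """site,username,password
fitbit.example,alice@example.com,Summer2016!
bank.example,alice@example.com,Summer2016!
mail.example,alice,Summer2016!
forum.example,alice@example.com,k7#Qz!vL2p-unique
"""

# Sites a lookup tool reported as affected (constructed for the example).
AFFECTED_SITES = {"fitbit.example"}


def load_export(text):
    """Parse a site,username,password CSV into a list of (site, username, password)."""
    reader = csv.DictReader(io.StringIO(text))
    return [(row["site"].strip().lower(), row["username"].strip(), row["password"])
            for row in reader]


def fingerprint(secret):
    """Short SHA-256 prefix so the report can refer to a password without printing it."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def find_reuse(records):
    """Group sites by identical password and return only groups used on 2+ sites.

    This is the same check a password manager's reuse warning performs.
    """
    by_password = defaultdict(list)
    for site, _user, password in records:
        by_password[fingerprint(password)].append(site)
    return {fp: sorted(sites) for fp, sites in by_password.items() if len(sites) > 1}


def rotation_set(records, affected, match_username=True):
    """Return every site whose password must change.

    Includes the affected sites themselves plus any site that shares a
    credential with one. With match_username=True the match is on the
    username/password pair (the post's rule); with False it is on the
    password alone, which is the safer assumption because a leaked
    password may be tried with other usernames.
    """
    affected = {s.lower() for s in affected}
    leaked = {(user if match_username else None, password)
              for site, user, password in records if site in affected}
    return affected | {site for site, user, password in records
                       if (user if match_username else None, password) in leaked}


def report(text, affected):
    """Build the human-readable lines: reuse warnings first, then the rotation list."""
    records = load_export(text)
    lines = []
    for fp, sites in find_reuse(records).items():
        lines.append(f"password sha256:{fp} reused on: {', '.join(sites)}")
    for site in sorted(rotation_set(records, affected, match_username=False)):
        lines.append(f"rotate: {site}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXPORT, AFFECTED_SITES)))
```

Run against the constructed data, the report flags that one password is shared by three sites and lists all three for rotation even though only one of them is on the affected list; the forum account, which has its own password, is left alone. That is the containment the post describes: with unique passwords the rotation set collapses to just the affected sites.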
Brock in HK
Feb 26, 2017 — 4:54 am
You can count yourself among the influences on me. I don’t think it was one thing, but the constant drip drip of news, plus a bit of practical advice and some advertising / reminding / endorsing in the right place can spur people to action.
I’m not as buttoned up as you are, but this may nudge me in the right direction.
MAS
Feb 26, 2017 — 10:17 am
@Brock – Glad to hear that I’m not talking to myself on this topic.
Although to many Online Security might seem like a topic not suited for this blog, I see it as a further extension of the larger topic which is managing risk. Exercise, diet, etc.
Tim
Feb 26, 2017 — 10:31 am
I predominantly read your blog for the nutrition/exercise articles – but yes, you inspired me to use a password manager. So words not wasted. Thanks. Tim.
Gokhan
Feb 27, 2017 — 5:31 am
Hi MAS, I’ve got a password manager thanks to your blog post (Dashlane). I knew it would make my internet presence more secure but I underestimated the convenience it gives. A very worthwhile investment! Thank you.
I think some people fear the fact that your passwords get stored in the cloud.
MAS
Feb 27, 2017 — 1:18 pm
@Gokhan – Excellent.
Yes. It took me a while to fully set up and harden my weak passwords, but once I did I started saving time. No more “email me my password” or spending extra energy trying to remember several passwords.
MikeTO
Mar 3, 2017 — 4:14 am
I suggest you back up your LastPass passwords, so if anything goes wrong you have backups.