The Heartbleed Bug, 1Password, Watchtower, and You

April 18, 2014 at 6:58 pm (1Password, Apple, Current Events, iDevices)

Anyone who has spent any time with me knows that 1Password is one of my favorite applications.  It ranks right up there with Evernote, TextExpander, and Dropbox for must-have, can’t live without applications for Mac and iDevices alike (and even Android and Windows folks are covered).  1Password has long been my go-to app for password management, secure note storage, software license info, and general account and login information. It even helps me complete online orders quickly, easily, and securely. 

 


A new bug called Heartbleed was discovered recently.  This bug is of the electronic variety, not the pesky outdoor variety…although both have the potential to be particularly troublesome.  The Heartbleed bug affects almost all of us in one way or another.  It has been shown to be a serious vulnerability in OpenSSL, a widely used implementation of SSL encryption, which provides security over the internet for many applications such as instant messaging, web applications, email, and some virtual private networks (VPNs). SSL is the ’s’ in https, or to break it down a little more, it is what usually keeps your information secure and is shown by the little padlock icon in your browser’s address bar.  Without getting too technical, the Heartbleed bug essentially allows the bad guys to access what the user thought was their secure data, such as account user names, passwords, and possibly even the actual content.

 

In order to fix it and recover, the owners of the services and the service providers must patch the vulnerabilities and distribute new versions that clients will implement generally by upgrading their software. Additionally, users should change their passwords, 

 

Most everyone is affected in some way, largely because of the widespread popularity of OpenSSL. In addition to being used by many social networking sites, blogging sites, ecommerce sites, and even some government sites, OpenSSL is also used for mail and chat servers, and VPNs (virtual private networks). Exploitation of the bug is very difficult to detect because it leaves no trace of abnormalities in the user logs.


Dave Teare, co-founder of AgileBits, and developer of the aforementioned awesome password management software, 1Password, released a newsletter to users to inform them of the Heartbleed bug, and to let them know how 1Password can help them defend themselves. 

 

1Password was not affected by Heartbleed because it uses a different type of encryption. The data within 1Password is completely safe.  However, you will need to change your password for any websites that were affected.   

 


1Password makes it incredibly easy to change your passwords. They have a terrific feature that enables you to do something called a security audit. With a click of a button, it tells you which of your passwords are weak, which are duplicates (bad!), and which are older (6-12 months, 1-3 years, 3+ years), which is especially good if you use time-sensitive passwords or work somewhere that requires they be changed monthly or quarterly.  I could never keep up with the timing on those when I worked at Apple, and it never failed that I would have to change my password at the most inconvenient time.

 

One of the most common questions after Heartbleed was publicized was, “Which passwords do I need to change?” but part of the problem was that folks didn’t know whether a particular site had patched (or fixed) their vulnerability without going to every single website for which they had an account.  Talk about a huge time suck.  I could have spent a few days just checking websites.  Then, I would have had to note which sites were fixed, and which sites I needed to follow up with if they had not been patched.  Surely there was an easier way, right?  Yep, and the wonderful folks at 1Password helped us with that. 

 

Watchtower

Enter 1Password Watchtower. Talk about slick!  I am so loving this new feature.  It will let you know the status of the websites affected by Heartbleed.  For example, it will let you know if you need to avoid the site until it is fixed, if it has been fixed and you need to change your password (see example screen grab), or if it was never vulnerable and therefore not affected, so you don’t have to change your password for that particular site.  Reusing passwords (using the same password for multiple sites) is dangerous because if you use a password on a site that was vulnerable, the bad guys could have accessed your user name and password.  Then they could log in to a site that was never vulnerable itself; they didn’t need it to be vulnerable, because you had already handed them your user name and password on one of the other sites. Does that help to better explain why it’s such a bad idea to use the same user name and password for everything?  Here is more information on the new Watchtower service.


Cult of Mac published a very helpful article that walks one through the process of resetting affected passwords quickly and easily.  They have also listed links to the password reset page of popular websites such as Facebook, Google, Amazon, Instagram, IFTTT, and many others. Using the Security Audit feature, you simply start at the top of the list and follow the step-by-step instructions to change your password.  Once you’ve finished with that website, just go to the next one on the list until you’ve finished all of them.  How much time it takes will obviously vary depending on how many passwords you need to change, but it really is a fairly quick and painless process.  Plus, it should go without saying that now you will have peace of mind that your login information is safe again.

If you don’t already have it, pick up 1Password today and get started on your path to a safer online experience.  Then, next time your friends are freaking out because “ACME Data” got breached, you can say, “Meh, I have 1Password. Not worried.” and keep on watching your videos.


For more information about Heartbleed, 1Password, and Watchtower, head over to 1Password’s website.  Their terrific blog has all the latest information about things that would be rocking your world in a bad way, were it not for 1Password keeping things in balance.  Cheers!

