When news of the Heartbleed bug broke last week, businesses were left scrambling to fix the issue as soon as possible. However, once the vulnerability is patched, there is a critical "step two" that some users may be initiating now - changing their passwords.
The Heartbleed bug has been infecting OpenSSL versions released since March 14, 2012, meaning criminals had more than two years to exploit it and steal your passwords. That is why now, after the patches have been applied, users should change their passwords. But, instead of falling back into the old habits of "Password1234," why not start fresh and implement a strong complex password?
The 2013 Trustwave Global Security Report, "Password1" was the most commonly used password used by global businesses in 2012. Of the three million passwords our experts analyzed, 50% were using the bare minimum complexity requirements. And, weak passwords continue to be a problem. When our forensics investigators are called to look into the cause of a data breach, the majority of the time the initial point of entry is tied to a weak password.
It is time for a change and the Heartbleed bug gives us all the opportunity to do it now. Here are some helpful tips to help you create a complex password:
- Ten character minimum: Your password should be at least ten characters long.- Combination of letters, numbers and symbols: It should contain characters from at least three of the following five categories:
- Lowercase characters (a-z)
- Uppercase characters (A-Z)
- Numeric characters (0-9)
- Special non-alphanumeric characters (!, @,$, # or %)
- Unicode characters (©,±, ÷)
- Keep your username out of it: Passwords should not contain three or more characters from your account's username.
- Passphrases are easy to remember: If you have trouble remembering your passwords, you may want to consider using a passphrase such as "myD0g1sl0vable." Long passphrases make brute force attacks impractical for an attacker.
- Different account = different passwords: Do not use the same password for multiple accounts. That way if a criminal compromises one account, he cannot use the same password to compromise all of your other accounts.
Passwords once thought to be complex enough to make cracking improbable are now able to be cracked in hours or days. This requires users and administrators to rethink how they create passwords and how users are educated about password security.