Beyond Heartbleed: Why you need a password manager
Password managers can make juggling numerous Web site accounts a lot easier, especially when faced with a major security bug like Heartbleed.
RoboForm, LastPass, and other password managers would not have defended your individual passwords from the Heartbleed bug. But they make the cleanup process a whole lot easier.
Revealed last week, Heartbleed is a flaw discovered in certain versions of OpenSSL, open-source software that uses SSL (Secure Sockets Layers) to encrypt and protect your private information as it connects from one place to another across the Internet. CNET offers an FAQ with more details about the Heartbleed flaw and advice on how to protect yourself from the bug.
How do you know if one of your password-protected sites is vulnerable? Heartbleed checkers from LastPass and Qualys let you type a specific Web site to see if it is currently affected by the bug. CNET also compiled a list of top sites across the Web and checked to see if the Heartbleed bug was patched. Many Web sites, even those that have patched the hole, have urged their users to change their passwords, at least to be on the safe side.
But assuming you have accounts at multiple Web sites potentially affected by the flaw, is there an easy way to change them all? Well, that's where a password manager would come in handy.
OK, what exactly is a password manager? Programs like RoboForm and LastPass perform a few tasks to take the pain out of juggling all of your passwords. They can generate complex passwords that are hard to crack. They can automatically fill in those passwords at all your Web sites so you don't have to remember or write them down. And they maintain a list of all your password-protected Web sites.
No, password managers by themselves would not have protected your passwords from Heartbleed. But they can take you exactly where you need to go to change those passwords.
I'm now changing passwords on several Web sites with help from RoboForm. To do that, I simply open RoboForm's list of my accounts and aim it toward a particular Web site. RoboForms automatically logs me in by entering my current username and password. I then use the site's own process to change my password. After changing the password, RoboForm automatically stores the new password.
Without RoboForm, the job of tracking down all of my Web site accounts and passwords would be a major headache and even more of a time suck.
Okay, but password managers typically store your log-in information online. Isn't that risky? And weren't their own sites vulnerable to Heartbleed?
In a blog written last week, RoboForm said that its site was not affected by the Heartbleed flaw as it used a different version of SSL than the one susceptible to the bug. Bill Carey, marketing vice president for Siber Systems, which sells RoboForm, told CNET that the site has since updated its OpenSSL software to version 1.0.1g, which rolled out last week with a fix for the Heartbleed bug.
In its own blog, LastPass acknowledged that it was "vulnerable" to Heartbleed since it ran the affected version of OpenSSL. But it said that it employs extra layers of security to encrypt data before that data is even transmitted using SSL. LastPass also uses a feature known as "perfect forward secrecy," which changes security keys so that past and future traffic can't be decrypted even if a particular security key is obtained.
Aside from Heartbleed, should users of password managers be concerned about entrusting all of their log-in information to one single product?
"I think it's a 100 percent valid concern," Carey said, "and quite frankly if I didn't work here, I'd have the same concerns. It's valid for that to be everyone's No. 1 concern because you're giving up a lot of personal information that, if misused, potentially could be dangerous to people."
In response, Carey outlined two measures that RoboForm takes to secure your data.
First, any data stored and transmitted online is encrypted. The information is also housed on servers protected by passwords and firewalls.
Second, products such as RoboForm and LastPass urge users to create a master password to encrypt and protect all of their log-in information. That master password is stored locally and is known only to you. Even if your log-in data were compromised over the Internet, no one should be able to uncover your actual credentials without that master password.
Of course, users need to ensure that the master password itself is complex enough to resist hacking. But remembering one complex password is certainly easier than trying to remember dozens of them.
RoboForm also offers a Desktop version of its software that does not store your log-in credentials online and keeps them local to your computer.
In an online world where we juggle numerous Web site accounts in the face of security hazards, there is no perfect way to manage your security. But password managers can make the process a lot easier, especially in the wake of a major security bug like Heartbleed.