Now that the freak-out from Heartbleed has somewhat subsided and the key sites have [hopefully] been patched, the issue I’ve been thinking about more is how this changes my approach to passwords.
In short, I can never use the same password for more than one site. My hard-core security colleagues will beat me about the head and shoulders for doing this in the first place but hey, once I established a strong password it was easy to use it, or variations of it, at multiple sites. Can’t be lazy and do that anymore.
I’ve also been thinking about how this extends to the enterprise.
While most enterprises have long standing and good password policies… such as a minimum of 8 characters and a mix of upper and lower case letters with at least one number, which change every 90 days or so… what happens when an employee decides to use their compliant and strong enterprise password at a consumer or other site that was impacted by Heartbleed?
Assuming the other site has been compromised, now there’s a chance the enterprise can be accessed with the hacked user’s legitimate credentials. Yes, I know this may be a stretch but it’s still a possibility.
More importantly, this presents an opportunity for IT leaders to inform and educate users on managing their passwords more effectively as well as update the enterprise password policy, if needed.
As such, I’ve been recommending to my clients that they implement an immediate password change and user education project. Just in case.
- First, communicate, communicate, communicate. Explain the situation to the users and why the password change is needed.
- Determine if the enterprise password policy needs to be updated. i.e. require the passwords to be more complex, or have them change more often.
- Implement the password change in phases or by group over a few days, unless you feel your IT organization can handle the support load and then have everyone change it at the same time.
- Provide further information and resources on good password policies for employees and recommend they use strong and unique passwords for sites used outside of work.
- Communicate, communicate, communicate.
Never miss a chance to leverage a crisis…