As CTO, my scope of operations can be fairly broad. Sometimes it involves exploring the latest technologies. Last week it involved annoying everyone in the company with demands that they change their passwords on various web sites and services, based on the latest information on the Heartbleed vulnerability.
I assume by now you’ve heard about Heartbleed. If not, please look it up – it really is one of the worst security flaws to ever hit the web. Right now the Internet is divided into three kinds of web sites:
- Sites that were not and are not vulnerable – most banking and e-commerce sites fall into this category, as does Salesforce.
- Sites that were vulnerable and have been patched.
- Sites that are still vulnerable.
It is imperative that you change your passwords for any site in the second group, and for any site in the first group where you use the same password as on a site in the second or third group.
It’s best to avoid using sites in the third group completely. If you do change a password on a third-group site, be sure to use a password that is not used on any other site (you should assume that this password can be stolen).
As for changing passwords? Everyone knows you should use a different password for every site (even though most people don’t). You really should, and use a password manager like LastPass or KeePass to keep track of them.
Everyone also knows that you should choose a strong password. What many people don’t realize is that the best way to make a password strong is to make it long. Mixing upper and lower case and punctuation into a password makes it harder to remember, but adds far less security than making your password 20 characters long.
Now this is a marketing blog, so consider this challenge – what kind of marketing campaign would you design to convince people to start using very long passwords, a different password on each site, and use a password manager? And how would you convince them to start doing it today?
Bonus points if you can convince yourself…