The word on people’s lips at the moment is Heartbleed, and it is important that everyone who has an online account pauses to take stock.
Have you received an email from a social media site urging you to change your password recently? Maybe you’ve seen this webcomic from XKCD, and wondered what it was all about…
According to the Heartbleed website, the Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. What does this mean? A great explanation can be found here; but essentially, the code that protects information sent back and forth between your computer and a website has an error in it, which enables a hacker to access not just the minimum amount of data that is usually sent, but possibly a lot more, like passwords and personal information.
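The error described above can be shown with a small simulation. This is an added example, not OpenSSL's code and not part of the original post: the message layout is simplified (the real heartbeat message also carries padding), and the function names and the "secret" sitting in memory are constructed for illustration.

```python
import struct

# Constructed data that happens to sit next to the request in server memory.
SECRET = b"user=alice&password=constructed-example"

def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Simplified request: 1-byte type, 2-byte claimed payload length, payload."""
    return struct.pack("!BH", 1, claimed_len) + payload

def _server_memory(request: bytes) -> bytes:
    # Simulated process memory: the received request followed by other data.
    return request + SECRET

def handle_vulnerable(request: bytes) -> bytes:
    """Echoes back as many bytes as the sender claims, without checking."""
    _, claimed_len = struct.unpack("!BH", request[:3])
    memory = _server_memory(request)
    # The read runs past the end of the real payload into adjacent memory.
    return memory[3:3 + claimed_len]

def handle_fixed(request: bytes):
    """Drops any request whose claimed length exceeds what was received."""
    if len(request) < 3:
        return None
    _, claimed_len = struct.unpack("!BH", request[:3])
    if 3 + claimed_len > len(request):
        return None  # claimed length is a lie: discard, send nothing back
    return request[3:3 + claimed_len]

if __name__ == "__main__":
    honest = build_heartbeat(b"bird", 4)   # claims 4 bytes, sends 4 bytes
    lying = build_heartbeat(b"bird", 40)   # claims 40 bytes, sends 4 bytes
    print("honest, vulnerable server:", handle_vulnerable(honest))
    print("lying,  vulnerable server:", handle_vulnerable(lying))
    print("lying,  fixed server:     ", handle_fixed(lying))
```

The whole fix is the single length comparison in `handle_fixed`: the server stops trusting the length the sender claims and compares it with what actually arrived.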
Another way of understanding it is by using an analogy like this:
You live in a high crime area. You return home one night and realise the garage lock is broken. It appears to have been broken for some time. You can’t tell if anyone has been in the house, but you realise that you left a letter from your bank on the dining room table. If someone had been in the house, they could have taken a copy of it, and may use it to rob you at a later date. You decide to contact your bank, just to be safe.
Mashable has used their considerable reach to contact many of the most popular websites to see if their services may have been compromised, and published a list of sites which may be vulnerable to the Heartbleed bug; you will be surprised by how many you probably use every day.
Why is this a wake-up call?
Let’s face it, we all have many online accounts these days, and we may not always take the best precautions when creating passwords, or managing them. Between email accounts, work intranets, social media accounts, online banking, online shopping and more, when you think about it, you will probably be surprised by how many online accounts you actively manage.
Some people handle this by using the same password for every account. Others write every account down in a notebook. The worst way is to use sticky notes attached to your computer screen. Not only do practices such as these put your own data at risk; if you are an educator or parent, they also model very poor security to your students or children.
While topics such as cyberbullying and internet addiction get a lot of media coverage, it is little things, like password management, which are so very important, and yet so easily overlooked. Practices such as the teacher openly sharing a password with students, or publicly consulting a written list of usernames and passwords do nothing to promote good security behaviours to students.
Using a password manager such as KeePass, LastPass or Dashlane makes it easier to manage multiple passwords; teaching students about tools such as these is vital. With increasing numbers of services being delivered online, internet security, including solid strategies for protecting personal information through the use of strong passwords, is an absolutely necessary part of the knowledge set every individual needs.
One of the most important lessons students need to know: never enter your password anywhere except in a secure password manager and on the site which actually requires it. Sites that allow you to enter your password to test its strength may not be secure – even Intel’s password checker site has been questioned. Tools which are installed on your computer, such as KeePass, allow you to test your password strength in a safer environment and, even better, will generate passwords randomly.
A terrific series of lessons on password security is available on the Common Sense Media website here: http://www.commonsensemedia.org/educators/lesson/strong-passwords-3-5
Although it links to the US Curriculum, the links to the Australian curriculum are clear: in the Information and Communication Technology (ICT) capability, it quite clearly states that by Year Four, students should be able to apply digital information security practices – making specific reference to the development of secure passwords.
This content is no longer an optional extra for students today – and bugs like Heartbleed are reminders of this for all of us.