May 15, 2014

Heartbleed Was Scary, But Did Anything Change?

Dubbed the “ultimate web nightmare”, Heartbleed was arguably the biggest security issue to hit the Internet in recent years. Heartbleed caused wide concern for three reasons: affected websites had been vulnerable for some two years, an attack exploiting the bug to gain access to sensitive information was shown to be undetectable, and the affected version of OpenSSL was used by some two-thirds of the web.

For several days, news of Heartbleed and the risks it posed dominated the press. Consumers were advised to update passwords as soon as websites announced they had pushed updates to patch Heartbleed. So Heartbleed caused quite a stir (and a fashionable one at that, given that it’s the first security vulnerability to have its own logo).

But the question remains: Did anything actually change? Do we as consumers have a better grasp of the risks to our data online and how to start better protecting it?

Statistics from a recent Pew study show that although a large percentage of Internet users heard about Heartbleed (ranging from 47% in one study by LifeLock to 64% in the study by Pew), less than half of those informed consumers took action to change passwords. Another study by Software Advice echoed similar findings, showing that some 67% of Internet users haven’t changed passwords after Heartbleed. Perhaps the more alarming statistic was that over 75 percent of respondents say they’ve received no advice about Heartbleed in the workplace, despite showing willingness to cooperate if they were asked to change passwords.

In summary: some took action after Heartbleed, but not nearly enough, given the breadth of Heartbleed. In addition, businesses are not taking the responsibility they should for educating their employees and empowering them to protect both corporate and personal data.

So What’s To Be Done?
For consumers and for businesses, Heartbleed is an opportunity to prioritize security. Every day that passes in which passwords for critical accounts are not updated to stronger ones, and in which bad password practices are permitted to flourish, is another day in which consumers and businesses leave themselves exposed to costly breaches.

Businesses need to create an action plan prioritizing the implementation of password management, and the mandatory change of critical passwords. Any efforts to change passwords will not be effective if a system is not in place to help employees manage strong passwords. Getting a system in place is a critical first step, then education should be an ongoing, regular effort. If you’re ready to get your company’s passwords organized, try LastPass Enterprise: LastPass.com/Enterprise

Consumers need to manage passwords with a password manager, and use actionable data like that in the LastPass Security Challenge to prioritize updating passwords. By using a tool that creates strong passwords and remembers them, following online security best practices is easy.

Have you changed your passwords because of Heartbleed? Have you had opportunities to educate others about password management and why it’s important after Heartbleed?