Security Warning Wednesday is where we share our thoughts about a recent information security topic and what to do to protect yourself!
Today's topic is Cloudbleed. If you haven't heard of Cloudbleed, it was a bug in a portion of Cloudflare's code that, when triggered, would display random bits of data on a web page that shouldn't have been there. This could have included passwords, credit card numbers, health records, Social Security numbers, or customer encryption keys. In their post-mortem forensics, Cloudflare stated that they found no evidence that any of that was actually leaked, only that it was possible. You can read more about the vulnerability and their forensic activities here.
If you've never heard of Cloudflare, you're not alone. It isn't a service that most users access directly. Among other things, it provides performance and security enhancements for websites and other internet-based content. Many thousands of companies use Cloudflare; some of the more recognizable sites are Yelp!, Uber and Fitbit.
So, what to do? We don't want to panic and change every password at every newly disclosed vulnerability, but we also want to keep our data safe from would-be thieves. Ultimately it comes down to password management. I know you've heard it all before - a different, complex password for each site.
"I can't remember yesterday, much less 200 different passwords". I think everyone can relate to this. For a long time it was "do as I say, not as I do" for me in this regard until I discovered LastPass. This is not a paid endorsement, LastPass is just a fantastic product that I've used for several years and really believe in.
Not only does LastPass store my passwords, but it generates random passwords for me. It allows me to use a different password at every site that I use. The rule of thumb for me is to generate a 25-character random password using uppercase letters, lowercase letters, numbers and special characters. Sometimes websites don't allow passwords that long, so I adjust accordingly, but it really helps.
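As an added illustration (not from the post, and not LastPass's code), here is how that rule of thumb can be implemented with a cryptographically secure generator, including the adjustment for sites that cap the length or restrict which special characters they accept. The function names, the per-class guarantee and the entropy estimate are my own choices, not anything the post specifies.

```python
import math
import secrets
import string

# Character classes named in the rule of thumb above.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": string.punctuation,
}


def generate_password(length=25, allowed_special=string.punctuation):
    """Return a random password with at least one character from each class.

    length: 25 by default; pass the site's maximum when it is shorter.
    allowed_special: the special characters the site accepts ("" if none).
    Uses the `secrets` CSPRNG, never the `random` module.
    """
    # Drop the special class entirely if the site forbids special characters.
    classes = {k: v for k, v in dict(CLASSES, special=allowed_special).items() if v}
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    # One guaranteed character per class...
    chars = [secrets.choice(cs) for cs in classes.values()]
    alphabet = "".join(classes.values())
    # ...then fill the remainder uniformly from the whole alphabet.
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle with the CSPRNG so the guaranteed characters
    # do not sit at predictable positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def entropy_bits(length, alphabet_size):
    """Upper bound on the entropy of a uniformly random password (bits)."""
    return length * math.log2(alphabet_size)


def meets_policy(pw, allowed_special=string.punctuation):
    """Check that every character class the site allows is present."""
    classes = {k: v for k, v in dict(CLASSES, special=allowed_special).items() if v}
    return all(any(c in cs for c in pw) for cs in classes.values())
```

The 25-character default over the full 94-character alphabet gives roughly 164 bits; a site that caps you at 12 alphanumeric characters leaves about 71, which is why the length matters more than the symbol set.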
So every morning I log in to LastPass using my Master Password and it provides the rest of my passwords for the rest of the day. Having a different password everywhere doesn't completely mitigate my password risk but it allows me to sleep a little better at night if a password is compromised because the malicious user won't be able to use my password to access all of my sites.
But what if someone gets a hold of my LastPass master password? LastPass is also protected by multi-factor authentication. That will be our topic for next week!
--Jay