This week’s news about the Heartbleed bug is just a sign of things to come, and so are the resulting hassles it is causing.
Having to rush and change all your passwords is nothing short of an enormous hassle. And then realizing that I will likely need to do this again in a few weeks makes it worse. I tend to think these things are going to keep happening and will likely get worse. The reasons are:
- Older systems that we perhaps thought were secure can, as in this case, be exposed as insecure at any time.
- IT shops (and everyone and everything) have an enormously difficult time keeping up with patches: patches at the OS layer, equipment firmware, database layers, various services, etc. Some vendors bundle these up and release them less frequently, which means known problems go unpatched for longer. Other vendors publish new patches all the time, and it is practically impossible to keep their application up to date because they keep coming out.
- Computing power to find vulnerabilities is increasing. Brute force attacks are getting easier.
- Using higher-caliber password management tools like LastPass is great and adds some level of confidence. However, they too require a lot of focused attention to use. Having to go through 100+ different online services and change each of their passwords is a chore. And these tools, like LastPass, work well with some sites and not so well with others. It is far too easy to get out of sync on which password is valid at which site. Sometimes the password change doesn’t work right for various reasons. For many people it is just too complicated to manage.
- Two-step authentication is a great addition to use wherever possible. Lots of high-end sites now provide this level of authentication, and I recommend you use it everywhere you can. However, again, for many users this is still too complicated.
There are going to be more, and worse, problems with widespread security issues. I fear that the good guys are losing.
What do you think?