Like any system, whether a family or a computer, the Internet can have its problems. And recently a problem happened that has a relatively small impact but could still require some action on our part in order to keep our practices and clients safe.
The end result of this announcement is: you might need to change some or all of your passwords, depending on how you manage passwords. Read on for details.
The bug is in the servers of a company called Cloudflare, which provides Internet-related services to lots of other websites (that’s why it could impact you even if you aren’t a Cloudflare customer). Cloudflare is quite big, but not all of their servers were affected. So some of this warning is out of an abundance of caution. It’s worth the warning, though, because if it does end up impacting someone, the results could be pretty bad.
It turned out that some of Cloudflare’s servers were accidentally dumping random bits of information out onto the Internet (for lack of a better way to describe it). The Register put it this way: “[it’s like] sitting down at a restaurant, supposedly at a clean table, and in addition to being handed a menu, you’re also handed the contents of the previous diner’s wallet or purse.” Cloudflare was accidentally taking information from various people’s online sessions and handing that information out to other parties on the Internet at random. An important piece of information in many online sessions is the password used to log in to the site.
So it looks like Cloudflare probably handed out quite a few passwords. Thus the call to change your passwords.
This bug has been fixed. It’s not an ongoing concern. The situation is more like a big accident happened and now we just need to do some cleanup to make sure everything is in working order again.
Do I Need to Change All My Passwords?
It depends. (Do I sound like an Ethics teacher?)
If you reuse the same password in a lot of places, you’re at higher risk of that password having been discovered by a bad guy in the Cloudbleed debacle. In this case, you should probably change your password on all of your sites that don’t have a unique password. And since you’ll be changing passwords anyway, consider adopting a password management program to help you do it! :)
If you have different passwords for every site, you probably just need to change your passwords for sites that were using Cloudflare. But it couldn’t hurt to also change the password on highly sensitive sites like online banking accounts and sites where you handle client info (e.g. EMR, email, etc.)
This kind of bug is one of the many reasons we encourage everyone to use different passwords on every site. Because then if your password gets compromised at one site, it doesn’t affect your other sites.
We teach about good methods of maintaining passwords and other useful “authentication” tips, along with some helpful how-to videos, in our Device Security Instruction Center.
But How Do I Keep Different Passwords On a Million Different Sites??
I’m glad you asked!
You really can’t do it without tools. Thus, I recommend password management tools like these three here:
Getting yourself accustomed to using these password storage tools can significantly improve your peace of mind. You only have to remember a few passwords: one for your storage tool, one for your computer, one for your smartphone, etc. The rest are stored in the password storage program.
One colleague even described the process of starting up with a password management program as “fun.” She said that once she got the hang of it, she excitedly started running around and putting all her passwords in her password manager. She reported that using the Internet is actually easier now because of it.
I’ve Been Using 2-Factor Login. Does That Help?
It does! It will make any bad guys who find your passwords less likely to be able to make use of the passwords they found. So you’re less likely to get “hacked” as a result of Cloudbleed on any sites where you are using 2-factor login. So good on you for using it!
However, there’s a small but real chance that the 2-factor login information could have also been compromised by Cloudbleed. So it’s still a good idea to change your password even for the sites where you use 2-factor login. Your overall risk of a bad guy managing to get in is much lower, however, than if you didn’t use 2-factor.
Please remember that even though it’s a good idea to look into the need to change your passwords, this bug doesn’t reach every site on the Internet. Good password habits help with this bug just like they do all over the Internet.
Personally, here’s what I’m doing:
- Change the passwords on sites where I have client info (my email, etc.)
- Take a bath
- Change the passwords on my online banking/credit card sites
- Nap. Possibly meditate.
- Look for other sites I use that were impacted by Cloudbleed, and change those passwords.
- See some clients.
I hope this post was helpful. Be well. :)