By now we are all familiar with the Heartbleed bug and OpenSSL vulnerability, but the fallout from the breach of information Heartbleed caused is only just beginning. Just about any password used online in the past two years could have potentially been compromised while many organizations are still working to repair encryption systems and put out the fire.
The OpenSSL encryption library is used by many organizations to protect data such as passwords, credit card numbers and personally identifiable information provided by users online. By exploiting a memory-handling bug in OpenSSL, Heartbleed could expose data that should have been protected by encryption, leading to the leakage of session cookies, passwords and even the secure web servers’ private keys.
The vulnerability had existed since March 2012 and was not announced until April 7, 2014, the same day a patched version of OpenSSL was released. It was estimated that at the time Heartbleed was publicly disclosed, 17 percent of the secure web servers certified by trusted authorities were vulnerable to the attack. Right now Heartbleed can really only be discussed in terms of its potential impact, but it has the potential to be one of the worst internet exploits of the information age.
Many consumers and organizations have already been affected by Heartbleed, but so far mostly in the form of precautionary measures, and things could become much worse. Many consumers, although surely not enough of them, have changed their passwords in response. Many organizations have also forced password changes for all user accounts. Also keep in mind that over 500,000 SSL certificates were affected by Heartbleed and need to be replaced. As organizations rush to fix the encryption systems on more than half a million websites at the same time, security experts are predicting significant internet disruptions over the next few weeks.
Some of the most significant implications of Heartbleed concern consumers and their passwords. Millions of passwords, as well as other pieces of PII, could potentially have been compromised over the past two years. Many consumers who don’t understand Heartbleed, or don’t even know or care about it, will continue to use these passwords for years to come. Yet the list of major sites affected by Heartbleed includes social networks, email providers, financial institutions, cloud services, dating sites and more.
Organizations have known for years that passwords are inherently weak, but Heartbleed has the potential to finally force organizations to do something about it. Many major online companies, including social networks and alternative payment providers, already offer two-factor authentication (2FA) options that consumers can choose to set up. Expect more companies to consider 2FA or other measures to make user authentication more secure, and some organizations may even require 2FA rather than just offering it as an option for more security-conscious consumers.
It may be that the potential of the Heartbleed vulnerability was never exploited on the grand scale it could’ve been, and that while many passwords could have been compromised over the past two years few actually were. Even if this is the case, Heartbleed has at least left many organizations “Scared Straight” realizing just how fragile password authentication really is. All organizations need to be thinking about the future of user authentication and the heavy reliance on passwords which may be on the brink of change, and Heartbleed may have been the catalyst.
For more information: