Security, Passwords, and Opportunity
In light of the recent Heartbleed OpenSSL vulnerability, now would be an excellent time not to panic, and to take the opportunity to think about your current security settings.
If you haven’t done so yet, please read our announcement about the Heartbleed vulnerability. It contains specific notes on what to be aware of, actions we’ve taken, and actions you might need to take to secure your site.
One of the interesting effects of the Heartbleed vulnerability is that a malicious party could have accessed a variety of information, including passwords and certificate keys, and due to the nature of the vulnerability, it would leave no trace of their efforts. You will see many sites claim “We have no evidence that you have been compromised”—this is true, since if you were compromised, no one would be able to tell. We are continuing to monitor our systems for suspicious activity.
That said, there are two quick steps you can take to ensure better security:
- If you have set up host mapping for your domain (support.mysite.com), follow the steps outlined here to update your SSL certificate as quickly as possible.
- Reset all the passwords you use online—but only after each site has updated its SSL certificate. If you'd like to verify that a site is no longer vulnerable to the Heartbleed exploit, you can do so here.
Can we be honest?
Passwords can be a pain. When you have a great password, it’s annoying to have to come up with another one for every site you use, right!?
I know you are awesome about your personal password policy, but let’s just say... we all know... someone else... who has either:
- Written passwords on a Post-it note, a piece of paper, or in a text file on their computer or somewhere online
- Reused an old password
- Used the same password on multiple sites
- Used a basic password
- Used a relative’s name, social security number (or part of one), birthday, etc. in the password
- Not rotated password(s) on a regular basis
I’ll admit it—I’m guilty of at least one (or more) of the above maneuvers.
That said, I’m taking advantage of this day to declare Password Amnesty—it’s time to start fresh, and do it right.
What does that entail?
- Have a unique and super strong password for every site/login you manage
- Never share logins with other people/users
- Never reuse passwords on multiple sites or use a password from your past
- Change all of your online passwords. Now that a few days have passed, most sites have renewed their SSL certificates and are no longer vulnerable, so now is the time
How can I force all of my users to change passwords?
- The ideal option is to use Single Sign-On, where the users are stored in a remote database. If you do so, it’s a trivial matter to force a password change on the next login there for all of your users.
- If you are using native Zendesk authentication, increasing the password strength requirement will force a change within 5 days. This article contains steps for setting the security level of your Zendesk.
- If you’d like to force a password change for all of your users, simply send us a request authorizing us to reset all of your passwords and active user sessions. We’d be delighted to help.
Bonus Round: Better Passwords
With passwords, the greater the level of complexity, the greater your security.
If you’d like to have some great passwords generated for you, simply visit this page. In addition to generating great passwords for you, it has a wealth of information on password strength and security.
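As an added example (not from the original post) of why complexity matters, the following Python script estimates a password's brute-force search space from its length and the character classes it uses, and audits a constructed sample inventory for the habits listed above: basic passwords, passwords reused across sites, and passwords that are simply too short. The 60-bit threshold, the sample passwords and the tiny common-password list are assumptions made for illustration.

```python
import math
import string

# Constructed sample inventory (site -> password); made-up values for illustration.
SAMPLE_INVENTORY = {
    "mail": "Summer2014",
    "bank": "Summer2014",          # same password on multiple sites
    "forum": "password",           # a basic, commonly used password
    "shop": "Kj8#pQ2v!mZ4&rLw",    # a generated, unique password
}

# Tiny constructed denylist standing in for a real list of common passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def charset_size(pw: str) -> int:
    """Size of the smallest standard character set that covers every character in pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 symbols
    return size


def entropy_bits(pw: str) -> float:
    """Upper bound on the brute-force search space: len(pw) * log2(charset size)."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def audit(inventory: dict, min_bits: float = 60.0) -> dict:
    """Return site -> findings for each entry that breaks one of the rules in the post."""
    sites_by_password = {}
    for site, pw in inventory.items():
        sites_by_password.setdefault(pw, []).append(site)
    findings = {}
    for site, pw in inventory.items():
        issues = []
        if pw.lower() in COMMON_PASSWORDS:
            issues.append("common password")
        others = sorted(s for s in sites_by_password[pw] if s != site)
        if others:
            issues.append("reused on: " + ", ".join(others))
        if entropy_bits(pw) < min_bits:
            issues.append(f"weak ({entropy_bits(pw):.0f} bits)")
        if issues:
            findings[site] = issues
    return findings
```

Running `audit(SAMPLE_INVENTORY)` flags the shared and common passwords while the generated 16-character password passes, which is the point of the post: length and character variety, not cleverness, buy the security.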
That’s nice, but I can’t remember THAT!
Password management (particularly if you're using really great passwords) can be a sticky situation. If you’re not using a great Single Sign-On provider with two-factor authentication like Google, OneLogin, or many others, you might want to look into using a great password manager.
They will allow you to:
- Generate super strong passwords
- Manage passwords in a secure central repository
- Access passwords on your desktop and mobile device
- Remember just one password, while having super strong passwords generated for all of your other sites