OpenSSL Heartbleed Bug: Idea For New Password Management Protocol


On 07 April 2014 a very serious OpenSSL bug with the colourful name ‘Heartbleed’ was disclosed. You can read more about this bug here, here and on the blog of the Chuck Norris of cryptography, Bruce Schneier. You can check here if your website or a service you’re using is affected by this bug.

Suffice it to say that the consequences are as severe as can be for most of the core services of the Internet: GitHub, Google, Facebook, Dropbox, Evernote, Tumblr, to name but a few. Most of the services we love to use every day are affected by this bug, meaning that you have to change each and every one of your passwords and API keys for these services as soon as possible. You’re lucky if you’ve already been using a password management tool such as 1Password or LastPass, because this likely means you already have distinct, automatically generated passwords for each website.

Nevertheless, I feel like I have been doing nothing but changing passwords and cycling API keys the last few days (and more to come). Changing passwords manually for numerous websites and – where possible – enabling 2-factor authentication for extra security is a bloody hassle, to say the least.

This is why I had the following idea: Why can’t we have a new protocol that deals with this stuff automatically? Websites could offer an endpoint that allows password management tools to periodically check if there was a security breach or – as in this case – a security hole in the software infrastructure and automatically negotiate security settings and update passwords accordingly. This certainly is just a rough description but I hope you get the idea. Actually implementing and promoting such a protocol would require both serious engineering effort and widespread adoption by websites and important Internet services.
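As an added illustration of the idea above (not code from the original post, and not an existing standard), here is a toy sketch in Python: a site publishes a status document at a hypothetical endpoint, and a password manager compares it against its vault to decide which passwords to rotate and where to turn on two-factor authentication. The endpoint, every field name and all sample data are assumptions made for the example.

```python
import json
from datetime import datetime, timezone

# Constructed sample of the document a site could publish at a hypothetical
# status endpoint for password managers. All field names are assumptions.
SITE_STATUS_JSON = """{
  "site": "example.com",
  "incidents": [
    {"id": "heartbleed-2014", "disclosed_at": "2014-04-07T00:00:00Z",
     "patched_at": "2014-04-08T12:00:00Z", "rotate_credentials": true},
    {"id": "planned-maintenance", "disclosed_at": "2014-03-01T00:00:00Z",
     "patched_at": "2014-03-01T02:00:00Z", "rotate_credentials": false}
  ],
  "recommended": {"two_factor": true}
}"""

# Constructed password-manager vault entries (timestamp = last rotation).
VAULT = [
    {"site": "example.com", "username": "alice",
     "password_changed_at": "2014-01-15T09:00:00Z", "two_factor": False},
    {"site": "example.com", "username": "alice-work",
     "password_changed_at": "2014-04-09T08:00:00Z", "two_factor": True},
    {"site": "other.example", "username": "alice",
     "password_changed_at": "2013-12-01T00:00:00Z", "two_factor": False},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def plan_actions(status_json, vault):
    """Per vault entry, decide what the manager should do. A password is rotated
    only if it predates the patch time of an incident that asks for rotation:
    rotating before the fix is live would hand the new secret to the same hole."""
    status = json.loads(status_json)
    actions = []
    for entry in vault:
        if entry["site"] != status["site"]:
            continue                      # document is for another site
        changed = parse_ts(entry["password_changed_at"])
        for inc in status["incidents"]:
            if not inc["rotate_credentials"]:
                continue                  # informational incident only
            if inc.get("patched_at") is None:
                actions.append((entry["username"], "wait:" + inc["id"]))
            elif changed < parse_ts(inc["patched_at"]):
                actions.append((entry["username"], "rotate:" + inc["id"]))
        if status["recommended"].get("two_factor") and not entry["two_factor"]:
            actions.append((entry["username"], "enable-2fa"))
    return actions
```

Running `plan_actions(SITE_STATUS_JSON, VAULT)` flags only the password last changed before the patch and the account without two-factor authentication; an entry rotated after the patch needs nothing.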

Nonetheless, I think the benefit of such a solution would be huge both in terms of time saved and as to improving the overall security on the Web. So, 1Password and LastPass: If you’re reading this please feel free to steal this idea!
