Internet security experts are suggesting that we change our online passwords because of the Heartbleed bug, the one where the “https” system with the little lock proved to be insecure.
They're suggesting that we change them again soon, because sites where we make changes this week may not have installed a Heartbleed fix yet, rendering changes useless.
I change my passwords regularly, but I haven’t done it in a big batch before. Doing it in a batch has highlighted some things — sometimes they're irritating — about how sites handle passwords.
It can take a moment to find the right link to click for a password change. That link might be hidden under semi-logical labels like Administration, Your Profile, and Settings. There's no standard approach: every site has its own design and terminology. TD Canada Trust thoughtfully has its change password link on the sign-in screen.
Sites I’ve checked demand at least seven characters. But to complicate things, some want a mix of capitals, lowercase, numbers and special characters such as & and %. Some sites reject special characters. But the era where a site would only accept a password with eight characters or fewer seems to be over.
I figured out my new passwords, a different one for each site, before signing in to make changes. Trying to create them on the fly while facing the password-change form can lead to confusion and lost passwords. I know this from personal experience.
One site, B.C. Hydro’s, refused to accept my change, claiming that I had not typed in more than seven characters. I am certain that I did. I’ll try again.
Entering new passwords can be ripe for error because you usually only see dots as you type. You can lose track if you're trying to enter a 20-character password. Some sites, such as Yahoo’s, have a checkbox to reveal what you’re typing. You can sometimes cut-and-paste into a password-change form.
While you can change passwords once you find the right link, changing a user name is another matter. A lot of sites don’t seem to offer that option.
Once you change a password, the site should send you an email confirming the change. That has been the case for all my changes.
Many sites are beginning to post notices about whether they were affected by the Heartbleed bug. Many others are leaving it to us to guess.
Heartbleed testing sites have appeared, offering to check https URLs to see if they are vulnerable. I can’t vouch for whether they really work.
https://lastpass.com/heartbleed/
- - -
The most high-profile Heartbleed impact in Canada has been the tax agency’s decision to shut down its online services, including Netfile, until at least the weekend.
Tax agency pulls plug on e-filing amid worry about bug
On Thursday, Canada Revenue Agency had a notice up explaining its decision.
Update: Canada Revenue Agency reactivated its online services on Sunday, April 13. The tax filing deadline, originally April 30, has been extended to May 5; the extension is equivalent to the number of days the services were taken offline.
- - -
At nytimes.com: Flaws call for altering passwords, experts say
Schneier on Security says the problem is an 11, on a scale of 1 to 10. Security scholar Bruce Schneier expresses this concern: "If nothing really bad happens -- if this turns out to be something like the Y2K bug -- then we are going to face criticisms of crying wolf."
- - -
- - -
Most-read posts:
How Saanich residents can recycle their unwanted garbage cans
Flying business class is not the same as first class
Energy efficient light bulbs are finally worth buying
How to pronounce Ucluelet, Tsawwassen, and that outdoor gear place
How I like to make popcorn (cautiously) on a stovetop
Vancouver to Toronto by train: enjoying the journey
- - -
