Heartbleed Didn’t Convince Users To Reset Passwords, I Was Right
Earlier I posted about Heartbleed and the complete lack of account management capabilities in most websites. It appears that I was correct in my position. A report was released saying that over 60% of users did not change their passwords or cancel their accounts in the wake of the warnings around Heartbleed. This is atrocious and scary. It proves my point and my rant about websites’ continual lack of overall account management in their web services. Leaving it up to the users to maintain responsible account management is not going to happen. Users either don’t know, don’t care, don’t know how, or are too lazy.
The magnitude of this vulnerability is also not being emphasized enough. Put simply, Heartbleed makes almost all of the encryption that is supposed to secure websites worthless. The lock and key systems are not worth anything. This means hackers can access not only your accounts but everything on a compromised server. All of it. Some experts are saying this is the worst security failure that has happened to the internet. People aren’t listening.
I say it’s not necessarily the people’s fault. I work in IT and I know many people who consider themselves IT whom I wouldn’t trust to lock my garage. I put the emphasis on the websites that provide these services. The websites should have basic identity/account management capabilities built into their systems, so that when massive breaches happen they can put procedures in place that protect the users better than the users can themselves. Let me give you an example…
- Heartbleed is identified.
- My website is exposed and as a website owner I need to fix it.
- I notify the users about the risk and that I am fixing it.
- When I am done fixing it, to better protect my users, I flip a switch that forces my users to change their passwords.
My users are then protected when they log in next. I don’t have to worry about the 60% who don’t take action. My users don’t have to research and watch for notices when I am done fixing something.
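What that “switch” looks like in code, as an added example that is not part of the original post and not from any real site: a constructed, in-memory account store where the operator records a cutoff instant after the fix is deployed. Every password set and every session issued before that instant is treated as untrusted, so the next login with the old (still correct) password is accepted only as far as a mandatory reset, and old session tokens stop working immediately. The names (`Site`, `flip_the_switch`, `credentials_invalid_before`) are my own, hypothetical ones.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Constructed example: a minimal account store with an operator-controlled
# "force reset" cutoff. Not the code of any real website.

def hash_password(password, salt=None):
    """Salted PBKDF2 hash; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class User:
    name: str
    salt: bytes
    digest: bytes
    password_set_at: float                     # when this password was chosen
    sessions: dict = field(default_factory=dict)  # token -> issued_at


@dataclass
class Site:
    users: dict = field(default_factory=dict)
    # The switch: credentials and sessions created before this instant are
    # considered exposed (the incident window) and must be rotated.
    credentials_invalid_before: float = 0.0

    def register(self, name, password, now):
        salt, digest = hash_password(password)
        self.users[name] = User(name, salt, digest, now)

    def flip_the_switch(self, now):
        """Operator action once the fix is deployed: distrust everything issued
        earlier. Sessions die now; passwords are rotated at next login."""
        self.credentials_invalid_before = now
        for user in self.users.values():
            user.sessions.clear()

    def login(self, name, password, now):
        user = self.users.get(name)
        if user is None:
            return ("denied", None)
        _, digest = hash_password(password, user.salt)
        if not hmac.compare_digest(digest, user.digest):
            return ("denied", None)
        if user.password_set_at < self.credentials_invalid_before:
            # Correct credential from the exposed window: no session yet,
            # the user must pick a new password first.
            return ("reset_required", None)
        token = secrets.token_hex(16)
        user.sessions[token] = now
        return ("ok", token)

    def change_password(self, name, old, new, now):
        user = self.users[name]
        _, digest = hash_password(old, user.salt)
        if not hmac.compare_digest(digest, user.digest):
            return False
        user.salt, user.digest = hash_password(new)
        user.password_set_at = now
        user.sessions.clear()          # a password change also logs out everywhere
        return True

    def session_valid(self, name, token):
        user = self.users.get(name)
        return bool(user) and token in user.sessions


def demo():
    """Walk the post's four steps; returns the login outcomes at each stage."""
    site = Site()
    site.register("alice", "correct horse", now=100.0)
    before, token = site.login("alice", "correct horse", now=200.0)
    # Heartbleed identified, site patched and rekeyed: flip the switch.
    site.flip_the_switch(now=300.0)
    old_session_alive = site.session_valid("alice", token)
    during, _ = site.login("alice", "correct horse", now=400.0)
    site.change_password("alice", "correct horse", "battery staple", now=500.0)
    after, new_token = site.login("alice", "battery staple", now=600.0)
    return before, old_session_alive, during, after, site.session_valid("alice", new_token)


if __name__ == "__main__":
    print(demo())   # ('ok', False, 'reset_required', 'ok', True)
```

The design choice worth noting is that the switch is a timestamp, not a flag on each user: it costs one field to set, it automatically covers accounts that never log in again, and anyone who already rotated their password after the fix is not bothered a second time.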
No site I used that had the Heartbleed flaw forced me to change my password; I had to watch and wait for them to fix the problem and then change my password myself. Ridiculous. That website list for me was over 30… that I knew of.
This is why hackers are successful. Not because of the breaches, but because of the users’ inaction to protect their own accounts.
The problem goes beyond this: generally, users of the internet have no experience and nobody telling them how to use their accounts properly. “With great power comes great responsibility” missed them, I guess.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.