Heartbleed Bug Information

The Heartbleed fault continues to get a lot of attention. This is a major fault in a critical security area of the web that affects commerce and password security for millions of people. Here are some important things to know about this problem:
1. The problem is a fault in certain versions of OpenSSL on secure web sites. It is not something that is user related.
2. While this fault makes passwords, credit card numbers and other very sensitive information accessible on affected servers, there are no clear indications that this has been exploited.

For current UH System Information see http://www.hawaii.edu/infosec

PASSWORD INFORMATION

First of all, primary UH systems (Banner, PeopleSoft, KFS, Laulima and UH Web Login) were not affected by Heartbleed, so you do not need to change your UH Web Login password. If your password for UH Web Login does not meet minimum standards (see below), it should be changed immediately.

There are a number of useful lists and tools to help you determine the sites where it is both safe and necessary to change your password. No single list is the answer, and you should check several to be sure you know the status of the OpenSSL patch as well as the replacement of the PKI security certificates for that site. Two very useful lists are http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/ and https://lastpass.com/heartbleed/. We will say more about LastPass in a minute.

To begin using safe passwords you need to know the rules. UH Web Login passwords comply with the current standards and are a good guide. We are applying the UH System password rules to our new honolulu.hawaii.edu campus domain that also gives you access to Office 365. Here are the rules:
1. Must be 8-32 characters long
2. Have at least one upper case character
3. Have at least one lower case character
4. Have at least one numeric character
5. Have at least one special character.
note: (, ), ", and : are not allowed
6. New password cannot be the same as the old password
7. If you use a regular word, your new password will be rejected.

The hard part is that you should use a new password for every site. The usual recommendation is to use a phrase that you can remember, with numbers and symbols replacing specific letters. But that soon leads to password exhaustion, and you end up using your one good password everywhere. That is very much like Russian roulette. One cracked password and everything may be gone.

There are other options to save your sanity. As noted above, LastPass is one of the best of the current password managers. These build a secure library (password vault) that automatically shows up on each login on each of your systems. Enter your master password (that one good one you carefully built above) and that is all you need. You can tell LastPass to create a new, compliant password for each site and it will remember the password for you. LastPass also does security checks on the sites you use and monitors your security level based on your passwords. Now is a very good time to learn the tools of security management, and LastPass is one of the best of those tools. You can put LastPass on each system for free (there is a premium version with extra features), but the free one is all you really need. There are also versions for your tablet and phone; those have a small annual fee, but they all synchronize together.

One last suggestion to help you get control of the growing information security monster that we are struggling to tame: if you sign up for a new web site account and are offered Two Factor Authentication, please say YES. This is where we are going, and all parts of UH ITS (us included) will begin requiring this in the near future for sensitive information. This can also help you sleep at night as more and more of our lives are dealt with online. Two Factor Authentication adds a second step to logging in, so you only want to use this with sensitive information. There are several ways this works, but the most common and easiest is adding your mobile phone number to the login as the second factor. When you set this up, you will be asked for your phone number and a message will be sent to your phone for validation. You enter the message (usually a number code) as part of the login and you are secure. For anyone to gain access to your account, they need to have both your password and your phone. Much, much better.