Have you changed your password lately? If not, maybe you should.

There's a hole in the Internet where all your passwords could be sucked out at any moment, along with your confidential information and perhaps your bank account. This hole, a bug known as Heartbleed, could affect hundreds of thousands of websites, we're told. The Canada Revenue Agency is so concerned that it shut down its online service to keep out malicious hackers. Bruce Schneier, a U.S. cryptographer and security expert, has described Heartbleed as "catastrophic." On a scale of 1 to 10, he warned, "this is an 11."

So what should we do to protect ourselves? Security experts disagree. "Change every password everywhere," advised one. Others say to wait until the flaw is fixed. Others say you should change your passwords now, then change them all again next week.

I know I should do something. But what? My passwords are a mess. I have dozens of them and I've forgotten all but two or three. I know there are password programs I'm supposed to use, but I'm too lazy. Instead, I just write down my passwords in the back of my appointment book (when I remember). I know that's a no-no. But it beats writing them on my hand.

I admit my password hygiene is pathetic. All my passwords are derived from a now-defunct cat I'll refer to as Fred. There's freddie1, 321Fred, derF123 and so on. Fred was unforgettable because when he and I moved in with my future husband, he started peeing in my husband's shoes. One of them had to go, and it was Fred. But I like to think he lives on in cyberspace.

My husband is no better than I am. In fact, he doesn't even bother to write his passwords down somewhere. What if someone burgles the house and steals his list? he asks. But I know that's an excuse. He's as lazy as I am.

Needless to say, our laziness causes quite a bit of inconvenience. Whenever he forgets a password, which is all the time, he has to click on the link that says "Forgot password" so he can get another one sent. It's always something like tNof#389aqX14, which is excellent from a security point of view but hopeless if you want to remember it next time. Sometimes, if he has to answer a security question – something like "What was the name of your first-grade teacher?" – he gets completely stalled because he can't remember that either. In which case he has to start all over and sign in as somebody else.

As you can tell, my husband and I don't have a very good grasp of password management or cybersecurity. We are low-tech people in a high-tech world. But you probably are, too. This means that even the most basic understanding of how stuff works – stuff we rely on every day to keep our lives going – is increasingly beyond our grasp.

Most of us can understand what's gone wrong when a bridge falls down. And we usually know who to blame. If the car won't start, most of us can speculate why. But without an advanced degree in computer science, nobody can understand the inner workings of the Internet. When something goes wrong, we are as ignorant as cavemen gazing at the sky and wondering what causes thunder and lightning.

In a world of complex and incomprehensible systems, we trust that wise people will protect our interests and keep us safe. But this trust is misplaced – in the case of the Internet, there's nobody there. As Craig Timberg of The Washington Post writes, it's "inherently chaotic, built by multitudes, and continuously tweaked, with nobody in charge of it all." Giant companies rely on free software that's often built by volunteers. In the case of Heartbleed, the flaw is embedded in a piece of free encryption software called OpenSSL, which is maintained by a handful of programmers who rely on donations. Last year, they got $2,000. According to The Wall Street Journal, only one person works on the project full-time.

"We have decided, as a society, to rush headlong into a world ruled by digital devices, continually weighing convenience versus safety," writes Farhad Manjoo in The New York Times. "We're constantly storing more of our important information on more new kinds of hardware run by more complicated software. All of it is increasingly interdependent, which makes the whole ecosystem more vulnerable." Another way of putting it is that the Internet is the Wild West, with no sheriff but lots of increasingly crafty and aggressive bandits.

Which brings me back to the weakest link: us. As hard as I try, I can't really get my head around cybersecurity. I really don't want to replace 321Fred and the rest with a soulless and totally unmemorizable string of symbols like tNof#389aqX14.

But I suppose I'll have to – especially if I sign in to my bank account one day and discover that some piece of malware has wiped me out. Sorry, Fred. I'm afraid your day is done.