FAQ on the Heartbleed Security Problem
This page contains answers to frequently asked questions about a critical Internet security flaw known as "Heartbleed." It also offers advice on how to protect private information—such as passwords, email, and credit card numbers—from being viewed or stolen by hackers exploiting the flaw. Social Psychology Network fixed the problem soon after it was announced, but the flaw is widespread enough that we suggest all visitors read the information below.
Scope of the Problem
Social Psychology Network Accounts
What is the heartbleed security flaw?
It's a problem with the security of Internet web sites and transactions that use a technology known as "OpenSSL." The flaw, which allows hackers to capture private information, has existed since December of 2011 but was only discovered two years later and was publicly announced on April 7, 2014.
How serious is it?
Quite serious. Private information such as email, passwords, bank information, Social Security numbers, and other sensitive material could be vulnerable. According to one respected security expert, "On the scale of 1 to 10, this is an 11."
Why is it called "heartbleed"?
The flaw is related to transactions in which consumer devices and websites exchange encrypted messages, known as a "heartbeat," so the security experts who discovered the flaw called it "Heartbleed."
Who is affected?
Anyone who uses the web for secure transactions (e.g., credit card payments, online banking) is at risk of being affected. Up to two-thirds of websites use this technology, including Amazon, Facebook, Google, Yahoo, and PayPal. Some companies have also reported that devices such as phones, routers, and wireless printers are affected, although it's unclear how widespread such problems are. One large technology manufacturer, Cisco, has released a list of affected products.
Can you tell from your computer whether you've been affected?
No. The flaw allows someone with bad intent to steal usernames, passwords, and other information without leaving a trace.
Is there any evidence that the flaw has been exploited?
Yes. An attacker used the flaw to break into a major corporation and steal passwords. In addition, researchers have evidence that fake data posted on the web (so-called "honey pots" designed to lure and learn about hackers) have been accessed by people using the Heartbleed bug. At this stage, however, it's hard to know what the long-term damage will be.
Are Social Psychology Network accounts safe?
Yes, as long as you change your password to something not used on other websites (if your SPN password is the same as your password on a site that hasn't fixed the bug, a hacker could capture your password from the unprotected site and use it to login to your SPN account).
Does Social Psychology Network store credit card information?
No, we've never stored this information and have no plans to store it in the future.
What can I do to address the problem?
The two most important things are to:
(1) Avoid logging in to any secure site unless you know that the site is not at risk. To check whether a site is safe, one service you might try is Heartbleed test. If you change passwords on a site that still has the bug, you could be giving hackers your password.
(2) Change your password on all websites that have fixed the bug, including college and university websites, making sure to use a unique password for each site.
Do you have advice on how to set passwords?
Yes—glad you asked! One tip is to develop a common system for all passwords, such as (1) choosing a medium-length password "root" that mixes numbers and letters, and (2) adding an extension to the root using the first three letters of the service (e.g., "Gma" for Gmail and "Dro" for Dropbox). Then, when it comes time to change your password, you might alter the extension to use letters next in the alphabet (e.g., "Hnb" and "Esp," respectively).
An even easier approach is to use software apps, such as 1Password or LastPass, that allow you to generate strong passwords, embed the app directly in Chrome or Firefox, and even synchronize passwords across multiple devices such as desktop computers, laptops, tablets, and smartphones.
Where can I read more about this issue?
Here are a few good places to read more about the Heartbleed bug and suggested remedies: