With the recent disclosure of the Heartbleed exploit, account security is undergoing increased media scrutiny and many of my less technical friends have asked me questions about how to proceed. Although it is likely unnecessary to change every single account password, now is as good a time as any to do a security audit of yourself and your application accounts. Here is a small audit that is fairly easy to do (and indeed, I did so earlier today):

Collect a List of your Online Accounts

The first step is intuitive enough: to secure yourself, you need to know where your openings are. If you use a password manager such as LastPass, Roboform, or 1Password, this should be extremely straightforward and you can move on to the next step. Password managers can also be built into your browser (Chrome's is fairly widely used).

If you do not use one, I recommend a password manager to all but the most paranoid of users, as it simplifies keeping track of your accounts and passwords and can be synced between your devices. Otherwise, make a list manually: go through the websites you use regularly, and also consider popular websites (popular websites are at once more likely to be secure and more likely to be targeted for an attack). Also, search your inbox for account registration or password reset emails (search for “account”, “username”, and “password”). Once you have a list, you can move on.

Try to Delete Unused Accounts

I sign up for many websites on a whim and never use them again. Are there any sites like this for you as well? Or do you never really use that Instagram account anyway? No opening is better than a secure one, so you should probably just close these accounts down.

Look through your list and find any accounts you could really do without. Before deleting them, update each account with dummy information and a new password: even if your account is successfully deleted, it’s hard to ensure that a website will truly honour your privacy or your request. After this, it’s time to delete the account, which can be extremely difficult to do.

First, check whether the website is listed on JustDelete.Me, and if so, follow their instructions for removing your account. Otherwise, start by looking at your account settings or their help section; they may have information on deleting your account, or if you’re lucky, a button to do so. Then, if you’re out of luck, send an email to customer support asking them to delete your account (include any pertinent information, like your username). If they tell you it is impossible, make sure you have removed your personal information and changed the password as previously instructed, and hope that this will suffice.

Change These Passwords

For the remaining accounts, go through and change the passwords for them as necessary. Here is my order of priority for deciding whether a password should be changed:

  1. Exploit-affected websites (such as by Heartbleed): change immediately
  2. Duplicate passwords
  3. Bad passwords
  4. Really old passwords (2+ years)
  5. Old passwords (1+ year)
  6. Kinda old passwords (4+ months)
  7. Recent passwords (< 4 months, lower priority)

Anything at level 4 or higher on this list (levels 1 through 4) should really be changed now. Bad passwords include most passwords that are dictionary words and that contain few, if any, numbers or symbols. (You can look up “password entropy” for thoughts on this and advice on creating new passwords.)

For the typical end user, I just recommend using a password manager to generate and keep track of new passwords. Otherwise, there have been very many articles on password generation, including this famous XKCD comic. For my money, I believe that any wildly popular advice on passwords is likely to be insecure, so you should really make up your own rules involving numbers and symbols. For instance, maybe you made up a secret language in Grade 6 that you remember to this day; make use of that. Use camel case pig Latin. Intersperse symbols and numbers throughout all of these.
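To make the “bad password” bucket and the “password entropy” advice above concrete, here is a small added example (my own illustration, not code from the original post or from any password manager). It estimates a password's entropy from the character classes it uses, flags passwords built on a common dictionary word with a short suffix, and generates a random password from the operating system's CSPRNG the way a password manager does. The tiny wordlist is a constructed stand-in for a real dictionary, and the 40/60-bit thresholds are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Constructed mini wordlist standing in for a real dictionary (an assumption of
# this example; real cracking wordlists contain millions of words and leaked passwords).
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "letmein", "sunshine"}


def charset_size(password: str) -> int:
    """Size of the character pool implied by the classes actually present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    if any(c.isspace() for c in password):
        size += 1
    return size


def estimated_entropy_bits(password: str) -> float:
    """Upper-bound entropy: assumes each character was drawn uniformly from the pool."""
    n = charset_size(password)
    if n == 0:
        return 0.0
    return len(password) * math.log2(n)


def is_dictionary_based(password: str) -> bool:
    """Flag a common word with a trailing suffix such as '123' or '!'."""
    core = password.lower().rstrip(string.digits + string.punctuation)
    return core in COMMON_WORDS


def classify(password: str) -> str:
    """Map a password to the post's 'bad' bucket or a rough strength label."""
    if is_dictionary_based(password):
        return "bad: dictionary word"
    bits = estimated_entropy_bits(password)
    if bits < 40:       # assumed threshold for illustration
        return "bad: too little entropy"
    if bits < 60:       # assumed threshold for illustration
        return "weak"
    return "ok"


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG, as a password manager would produce."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Require every class so the pool-size estimate above is not misleadingly low.
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


if __name__ == "__main__":
    samples = ["dragon123", "Tr0ub4dor&3", "correcthorsebatterystaple", generate_password()]
    for pw in samples:
        print(f"{pw!r:32} {estimated_entropy_bits(pw):6.1f} bits  {classify(pw)}")
```

Note the caveat the character-class estimate carries: it is an upper bound that assumes every character was chosen at random, so a memorable pattern like `Tr0ub4dor&3` scores far higher than it deserves against a cracker that tries words with leetspeak substitutions. Only a randomly generated password (from a manager or from a routine like `generate_password`) actually achieves the entropy the estimate reports.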

Conclusions

After you are done changing your passwords, make sure that you don’t write them down or leave access to them where a person can find them, and if you need to share access to an account with someone, change the password first. Remember, the easiest way to gain access to somebody’s account is through social engineering.

Finally, it is likely a good idea to also ensure that all your apps and programs are up to date, and to audit which apps have access to your Facebook and Twitter accounts. A virus scan probably won’t hurt either. However, simply changing your passwords as listed above is a good first step for people who are confused and pressed for time.