Spectre, Meltdown, and Protecting Your Passwords

Another day, another vulnerability. That’s what it seems like these days when software flaws and hacking incidents land in the news. From data breaches to design flaws, it seems that our personal information is always on the verge of being exposed. The latest flaws, Spectre and Meltdown, appear to affect just about every device out there.


Chip Hacks

Spectre and Meltdown belong to a category of vulnerabilities called “chip hacks.” These affect the processors of computers, phones, and tablets. Both hacks rely on the manipulation of processor operations in order to retrieve sensitive data. Spectre exploits a design flaw by tricking programs into performing unnecessary actions, potentially exposing confidential data. Meanwhile, Meltdown grabs information from the processor that ordinarily would not be accessible.

Please note that both of these hacks would require an actual malicious attempt by a hacker. Without the manipulation of the processor’s operations, private information, such as passwords, is relatively safe. However, if we’ve learned anything about security flaws, it’s that someone, somewhere, will make an attempt before a patch can be applied. The potential for your passwords to be exposed, particularly while you use cloud services, is very real.

Your Passwords

Part of the urgency in this scenario comes from how much we rely on passwords. We all use passwords for a variety of online activities, from email to shopping to accessing our Netflix account. Someone seeking to exploit the Spectre and/or Meltdown chip hack will be looking to capture password information.

The average tech user, according to surveys, has approximately 27 passwords in use. If you use tech in your job (and many of us do), that number pushes closer to 200.

Most of us opt for the path of least resistance when it comes to creating passwords, and it’s not hard to guess why. The human brain can recite a string of numbers seven digits long, which is why phone numbers are typically easy to remember. However, something more than the first few digits of Pi can be hard to recall. Now, add in some random letters (upper and lower case) and a few symbols, and you can see why most people use certain methods to recall passwords. It’s simply more than we can remember.

Password Managers

This is a great place to remind you that a password manager can make your life considerably easier, at least when it comes to creating strong passwords. We’ve talked about password managers in this space before, and our advice on this topic hasn’t changed.

A password manager can help you to assess and create strong passwords, categorize various types of online accounts, and nudge you to change weak passwords. All you have to remember is your master password, which is your key to your own personal vault.

The key thing you need to know about password managers in the wake of the Spectre/Meltdown vulnerability is that they typically use a zero-knowledge security model. The provider does not have access to the master password, and all passwords stored in a user’s vault are encrypted.

To add an extra layer of security to your password protection, read on.

Two-Factor Authentication

Perhaps the best option for protecting your data is Two-Factor Authentication (2FA). Arguably, you could use 2FA only for crucial accounts, like banking and email, but it can be an effective layer of protection for all of your online accounts.

2FA relies on two separate security layers in order to access an account. The first is typically something you know – your password – followed by something you have, such as your cell phone. Logging in with a password triggers an authentication code delivered to your phone, which you must input in order to gain entry to the account.

This extra step helps to ensure that the account owner (you) is the one accessing the account. A stolen password is no good to a hacker who doesn’t have a secondary authentication code.
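
The second step described above, seen from the website's side, as an added example that is not taken from any particular service. The class name, the five-minute lifetime, and the five-attempt limit are assumptions; delivery of the code to the phone is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300      # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 5    # wrong guesses allowed per code (assumed policy)


class SecondFactor:
    """Server side of the 'code sent to your phone' step (hypothetical class)."""

    def __init__(self, clock=time.time):
        self._key = secrets.token_bytes(32)  # server-only key for MACing codes
        self._pending = {}                   # user -> [mac, expires_at, attempts_left]
        self._clock = clock

    def _mac(self, code):
        # Keep only a keyed digest, so the stored record never holds the code itself.
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def issue(self, user):
        """Call only after the password check passed; returns the code to deliver."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, leading zeros preserved
        # Issuing a new code replaces any earlier one for this user.
        self._pending[user] = [self._mac(code), self._clock() + CODE_TTL, MAX_ATTEMPTS]
        return code

    def verify(self, user, submitted):
        """True only for the right code, in time, within the attempt limit, once."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        mac, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[user]          # expired or guessed too often
            return False
        entry[2] -= 1                        # count the attempt before comparing
        ok = hmac.compare_digest(mac, self._mac(submitted))  # constant-time compare
        if ok:
            del self._pending[user]          # single use: a replayed code fails
        return ok
```

The expiry, attempt limit, and single-use deletion are what keep a six-digit code from being guessed or replayed by someone who already holds the stolen password.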

Want to know where to enable 2FA? Check this resource to see which websites support it.

Protecting Your Personal Information From Vulnerabilities

In the wake of Spectre and Meltdown, what steps should you take to improve your security?

1. Apply system updates and patches as they become available.

It’s likely you’ve heard of Microsoft’s Patch Tuesday, which typically happens on the second Tuesday of each month. Patches, security updates, and other fixes are a part of each event, and for most computers, this happens automatically, behind the scenes. Sometimes, developers release patches outside of this schedule, particularly for critical updates. There may be several patches related to Spectre and Meltdown released in the interim. If you have automatic updating turned off on your machine, you’ll want to trigger updates manually.

2. Keep your apps and software updated.

In addition to system updates, you’ll want to be sure you keep apps and software updated, as well. Developers often release updates to their products in order to ensure compatibility and improve security.

3. Assess and update passwords.

Even if you’re using 2FA to access your online accounts, unique, complex passwords are important. Password managers are terrific for generating strong passwords. They can also examine the passwords you have stored in them and tell you which ones are weak.

It’s estimated that at least three billion computers have processors with the Spectre security flaw. Updates and patches for these issues have been issued with limited success, and it may take some time before an effective fix becomes available. In the meantime – update systems, apps, software, and passwords as warranted. Protecting your login information is always a good idea.

If you’d like to talk about how vulnerable your system is, or want advice on password managers, give us a call at (812) 434-6600.