
Tech Tips: How To Protect Yourself After Heartbleed

While Duke's central information systems were not affected by the notorious Heartbleed bug, Duke security experts are recommending that faculty, staff and students take steps to make sure they're protected on non-Duke websites.

The university's IT Security Office offers the following tips:

If you use your Duke NetID password on any other sites, change your NetID password as soon as possible. Your Duke NetID password should be unique and should not be used for other accounts. Using the same password across multiple sites increases the chances of the password being exposed via a security problem at a site Duke has no control over.

Sign up for LastPass, a premium password management service available free to Duke users. Once installed in a browser, LastPass saves all your passwords to an easy-to-use "vault." The service facilitates logging into sites by prompting you to save logins and filling them in for you, and it helps generate long, strong passwords for new accounts. Duke users can download LastPass for free from the Office of Information Technology website; visit http://oit.duke.edu/software and browse for LastPass. LastPass has been endorsed by Duke's security offices as a secure way to store and protect passwords.

Check regularly to make sure you update passwords on non-Duke sites as companies continue to issue patches in response to Heartbleed. LastPass offers a special security check to alert users when their passwords need to be changed on specific websites. (Click on the LastPass icon and go to Tools > Security Check.) LastPass also has set up a Heartbleed Checker site, which allows you to enter the URL of any website to check its vulnerability to the bug and whether the site has issued a patch. Sites such as CNET and Mashable are also maintaining lists of sites.

Register for and use multi-factor authentication. Also known as two-step verification, multi-factor authentication requires a user to log in using both a password and a randomly generated code. The codes can be generated by a special device or token or can be sent via a text message or a smartphone application. Find out more: https://oit.duke.edu/net-security/security/multi-factor-authentication.php.

Finally, remember that Duke will never request your NetID password or other authentication information by email or phone. If you do receive a suspicious email or other message requesting confidential information, immediately contact your local network administrator and OIT at https://oit.duke.edu/help/. For more information about phishing scams, visit the Duke IT Security Office website.