How Heartbleed threatens Tumblr accounts

Swedishindie.se is one of the first victims of Heartbleed. Its loss shows how human error and a lack of security-aware UX design threaten all the data we care about.

Alexander Forsén
Daily customer experience

--

Heartbleed shows that users should change how they handle their passwords. And if a critical mass of users start to use password managers, UX designers should take that into consideration when they design opt-in and opt-out pages.

The opt-out page on Tumblr.

You might have heard about Heartbleed. Due to recent security breaches on the Internet, I have changed the way I manage my passwords. There have been many breaches lately. Hackers have obtained Adobe Systems’ 38 million users’ data and encrypted passwords. Evernote did a service-wide password reset for 50 million users. LinkedIn and Dropbox both did the same.

The Internet is not a safe place for unmanaged passwords. I changed my passwords because I had to assume that they were obsolete, likely existing somewhere in plain text. I decided to use a user-friendly password managing software.

I chose Dashlane (Disclaimer: This is a referral code that gives you 6 months of free premium access). The service feels less bloated and more stylish than LastPass. LastPass, however, limits unexpected actions: it gives the user the ability to customize its settings.

Dashlane deleted all the design and work for Swedishindie.se, a meeting place for fans and creators since 2011 — gone in 2 seconds. In detail: I administered the Tumblr account and intended to delete a redundant blog linked to the account, but I clicked on “Delete account” by mistake. If I had deactivated the auto-login feature in Dashlane, this would not have been an issue. I should of course have been more careful. In my defense, confirmation messages (”Are you sure?”) and captchas do exist to prevent dumb mistakes. Tumblr did not even email me a confirmation link. The main issue is that non-reflective password management software will cause more errors like this.

A captcha would prevent Dashlane from automatically logging in and accidentally deleting the account.

Heartbleed has revealed a critical fact: services and protocols on the Internet are still young and not always safe. I am convinced that we cannot rely on the arbitrary password management our brains provide. This is why password management software is necessary. It saves time by remembering our passwords, and it also distributes the risk of security vulnerabilities: if you generate unique passwords for every service in Dashlane, no two passwords will be identical. Of course, there is a risk of hackers discovering the master password for your Dashlane account, which is a good reason to activate the two-factor authentication feature.

I want to share some final thoughts on a UX aspect of Tumblr’s proprietary software that matters for the future. If we use young security software, it is important that we can back up data and re-import it when necessary. Tumblr does not offer this feature, perhaps to discourage its users from switching to competitors. This affects users’ ability to back up their data and their right to keep their memories. Tumblr should also email a final confirmation link, which would make it harder for a user, for Dashlane or for a hacker to delete Tumblr accounts by mistake. I love what David Karp and his team have done with their product and for the vibrant Tumblr community. I hope that they and Yahoo (ping Marissa Mayer) consider this case and take action.
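The two-step deletion flow the paragraph asks for, as an added example (this is not Tumblr’s or Dashlane’s code; the confirmation URL, the account data and the server key are constructed). A click on “Delete account”, whether by a person or by a tool that auto-logged in, only queues the request; the account is removed only when the emailed link is opened before its token expires, and each token works once.

```python
"""Two-step account deletion guarded by an emailed, single-use confirmation link."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

SERVER_KEY = secrets.token_bytes(32)            # per-deployment secret (constructed)
TOKEN_TTL = 15 * 60                             # link stays valid for 15 minutes
ACCOUNTS = {"swedishindie": {"email": "owner@example.com"}}   # constructed data
PENDING = {}                                    # user -> (nonce, expires_at)

def _sign(user, nonce, expires_at):
    """HMAC over the link parameters so a forged or edited link is rejected."""
    msg = f"{user}|{nonce}|{expires_at}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def request_deletion(user, now=None):
    """Step 1: the 'Delete account' click. Nothing is deleted yet; a single-use
    link is generated and would be emailed to the owner (returned here)."""
    now = now if now is not None else time.time()
    nonce = secrets.token_urlsafe(16)
    exp = int(now) + TOKEN_TTL
    PENDING[user] = (nonce, exp)
    params = {"user": user, "nonce": nonce, "exp": exp, "sig": _sign(user, nonce, exp)}
    # Hypothetical confirmation endpoint; only the owner's mailbox sees this URL.
    return {"link": "https://example.com/delete/confirm?" + urlencode(params), **params}

def confirm_deletion(user, nonce, exp, sig, now=None):
    """Step 2: the link is opened. Check that a request is pending, that the
    signature is intact and that the link is fresh; only then delete."""
    now = now if now is not None else time.time()
    try:
        exp = int(exp)                          # query-string values arrive as text
    except (TypeError, ValueError):
        return "rejected: malformed link"
    if PENDING.get(user) != (nonce, exp):
        return "rejected: no matching pending request"
    if not hmac.compare_digest(sig, _sign(user, nonce, exp)):
        return "rejected: bad signature"
    if now > exp:
        PENDING.pop(user, None)
        return "rejected: link expired"
    PENDING.pop(user)                           # consume the token: no replay
    ACCOUNTS.pop(user, None)                    # the destructive step happens here only
    return "deleted"
```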

I will restart the Swedish indie project on Tumblr and hope that all lost followers will enjoy the journey once again.

--

Media technology engineer. Product Manager @SvByggtjanst. I amplify your message.