The Heartbleed Bug - should you change your password?

Posted on 15 April 2014

These days, one of the hottest news stories is the Heartbleed bug. The name refers to a serious vulnerability in the commonly used OpenSSL library, which many applications rely on to encrypt data and to provide safe communication over the Internet. Now that it has been discovered, all researchers agree that this bug is the most significant vulnerability to ever hit the Internet.

OpenSSL is used to protect e-mail servers, chat servers, virtual private networks, and a wide variety of programs. The thing about this bug is that users who have upgraded their services and applications to the latest SSL/TLS version are the ones most affected. OpenSSL is commonly used in client software and network applications which have been updated more recently.

It is important to mention that the latest OpenSSL versions, 1.0.1 through 1.0.1f, are vulnerable. All other versions, namely 1.0.1g and the earlier 1.0.0 and 0.9.8 branches, are NOT vulnerable. The point is that the Heartbleed bug allows anyone on the Internet who has the proper skills to read the memory of systems that are protected by these latest OpenSSL versions. This means that hackers could eavesdrop on almost everything you have done in the last two years.

Here comes the question: what should you do in order to protect yourself? Do you have to change all your passwords or not? Do you have to wait for something or do a certain thing? Well, yes and no. Before you begin changing your passwords and wasting your time, there are three things you need to consider. First, was the website where you used a password affected by the Heartbleed bug in the first place? Second, if it was affected, has that website installed a newer version of OpenSSL to fix the bug? And third, has that website updated its security (a.k.a. encryption) certificates?

If a website did not use one of the vulnerable OpenSSL versions, you DO NOT need to change your password. However, if you have used the same password to log in to other websites that are affected by the bug, you should change that password. By the way, you should always use a different password for every website and every account you create.

The second scenario is that the website was vulnerable to the Heartbleed bug. In this case, you have to check whether that website has already fixed the bug and installed new security certificates. If the answer is Yes, then you can go ahead and change your password, because the new one will not be exposed to hacker attacks. If the answer is No, then you must wait, because if you change your password before the bug is fixed, your information could still be attacked and stolen.
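The three checks above can be written out as a short Python sketch. This is an added example, not part of the original article: the function names, version strings and dates are constructed for illustration, and comparing the certificate's issue date with the patch date is an assumed stand-in for "has installed new security certificates".

```python
import re
from datetime import date

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

def is_vulnerable_version(version_string):
    """True if an upstream OpenSSL release is in the article's range 1.0.1 .. 1.0.1f.

    Only the release range named in the article is checked; pre-release builds
    are not covered. Distribution packages may carry a backported fix under an
    unchanged upstream letter, so confirm package versions with the vendor.
    """
    m = _VERSION_RE.search(version_string)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % version_string)
    branch = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    letter = m.group(4)
    if branch != (1, 0, 1):
        return False                       # 1.0.0 and 0.9.8 branches are not affected
    return letter == "" or letter <= "f"   # "" is plain 1.0.1; "g" carries the fix

def password_advice(version_before_fix, patched, cert_not_before, patch_date,
                    reused_on_affected_site=False):
    """Apply the article's three questions and return 'keep', 'change' or 'wait'."""
    if not is_vulnerable_version(version_before_fix):
        # Site was never exposed; only password reuse elsewhere forces a change.
        return "change" if reused_on_affected_site else "keep"
    # Heuristic (assumption): a certificate issued on or after the patch date
    # counts as reissued. Confirm against the site's own announcement.
    cert_reissued = cert_not_before >= patch_date
    return "change" if (patched and cert_reissued) else "wait"

if __name__ == "__main__":
    # Constructed sample sites: (version before fix, patched?, cert issued, patch date)
    sites = {
        "never-affected.example": ("OpenSSL 0.9.8y 5 Feb 2013", True, date(2013, 6, 1), date(2014, 4, 8)),
        "fixed.example": ("OpenSSL 1.0.1e 11 Feb 2013", True, date(2014, 4, 9), date(2014, 4, 8)),
        "old-cert.example": ("OpenSSL 1.0.1c 10 May 2012", True, date(2013, 1, 15), date(2014, 4, 8)),
        "unpatched.example": ("OpenSSL 1.0.1f 6 Jan 2014", False, date(2013, 9, 1), date(2014, 4, 8)),
    }
    for host, args in sites.items():
        print(host, "->", password_advice(*args))
```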

So far, Microsoft, AOL and LinkedIn have said that they did not use the aforementioned OpenSSL versions. This means that you do not have to do anything with your account passwords for these services. Others, like Yahoo, Google, Facebook and Dropbox, were vulnerable to the bug. As of today, it is safe to visit them and change your passwords for these websites, because they have updated their OpenSSL libraries.

In case you are not sure what to do, we advise you to visit the website's blog and search for news about the bug. If their security protocols were updated, then you can go ahead and change your password. If not, you have to wait until you find an announcement that it is now safe to do so.

Mashable has released a list of websites that have published their Heartbleed bug status. You can take that information and confirm it using another independent source. As a starting point, you can use GitHub to find a list of websites and whether they were vulnerable to the latest security bug.

In conclusion, we have to tell you once again that it is imperative to use a different password for every website and registration that you create. Thus, you will be less vulnerable to attacks and your information can be better protected. Moreover, it is a good idea to change your passwords on a weekly or monthly basis. After all, it is all about you and your privacy.


