To Change Passwords Or Not In The Wake Of Heartbleed
Earlier this month, news broke of the Heartbleed bug that compromised the expected security of websites using OpenSSL. The bug would allow for attackers to steal unencrypted log-in credentials from web servers through a vulnerability, or more specifically, what’s called a “bounds check” was missing. Buried in those initial news reports was the warning to change passwords as soon as possible, but only after websites patched the vulnerability. At Dark Reading, Dave Kearns explains the best practices to stay safe in the wake of Heartbleed and why it’s not always wise to change passwords.
In the context of Heartbleed, the knee-jerk reaction was for users to change passwords as soon as possible because their old passwords could be stolen off a server at any time. It was quickly pointed out, however, that most websites hadn’t patched the vulnerability yet, which means a user changing their password wouldn’t protect their account. It would just hand that new password to any attacker who decided to steal it.
In this case, changing passwords wasn’t the best idea. In fact, users who didn’t change passwords and stayed away from a site completely were probably better off than those that proactively logged in and changed their account. The Heartbleed bug makes users vulnerable when they enter their account information. So, logging in and changing your password would potentially be giving that information to an attacker. But, leaving your account dormant would keep you safe.
Going forward, there are tools available to add on to your web browser that will tell you whether or not a website has been patched to eliminate their vulnerability to Heartbleed. If it has, you’re free to log-in and change your password. This protects you in case your old password was compromised at some point.
If the site hasn’t been patched, leave immediately. That site isn’t safe for use until the vulnerability is fixed.
The best way to protect yourself from catastrophic damage in the wake of an attack of online accounts is to always use unique passwords for each account you hold. That way, if one, insecure account is compromised, your other accounts are safe. For users that use the same password for multiple accounts, the theft of one from an insecure site like a message board could lead to important accounts like social media, email or banking sites being hacked as well.
At Geek Rescue, we have tools to protect you from attacks and to help you recover. Call us at 918-369-4335.May 1st, 2014