Why Heartbleed Shouldn’t Make You Rush To Change Passwords … Yet


The discovery of the Heartbleed security bug sent the web into a panic with its devastating OpenSSL vulnerability.

On a scale of 1 to 10 of Internet catastrophes this one goes all the way to 11, according to respected security analyst Bruce Schneier, who isn’t prone to manic exaggeration.

A shriek of “CHANGE YOUR PASSWORDS” has erupted from the throats of sites issuing evasive maneuvers, but you might want to hold off on going password-reset-crazy for just a few days.

Here’s why:

As explained by the creators of 1Password – which isn’t affected by Heartbleed – many servers haven’t patched up their vulnerability, and probably won’t for a few days, which means that new password you’re creating can still be stolen and used in the future.

“You will, at some point, need to change a lot of passwords. But don’t rush to do that just yet. Not every server is affected, and those that are need to fix things at their end before you change your password. If you change your password before the servers fix things, then your new password will also be vulnerable to capture.

All that most of us can do is wait at this point. Presumably, various service providers will announce over the next few days when and whether users should change passwords or be aware that other confidential information may have been exposed.”

So what’s taking the providers so long to fix things up?

First they have to find out if they’re vulnerable, which requires them to check whether their particular SSL/TLS service was running OpenSSL 1.0.1 through 1.0.1f. After they’ve upgraded to the fixed version of OpenSSL (1.0.1g), they’ll have to revoke old certificates and sort things out with certificate authorities to obtain new ones.

Certificate Authorities are going to be very, very busy the next few days.
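To make that first step concrete, here is a small POSIX shell function added for this article (it is not from the piece, 1Password or the OpenSSL project) that classifies an `openssl version` banner against the range quoted above; the sample banners at the bottom are constructed.

```shell
#!/bin/sh
# Added example: classify an `openssl version` banner against the Heartbleed
# range the article gives (1.0.1 through 1.0.1f vulnerable; 1.0.1g fixed).
# Prints one of: vulnerable, fixed, outside-listed-range, unparsed.
# Exit status: 1 = vulnerable, 0 = fixed or outside the listed range, 2 = unparsed.
heartbleed_check() {
    # $1 is the banner, e.g. "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.1f-fips ..."
    # Capture "1.0.1" plus an optional patch letter; ignore date and suffixes.
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        "")            echo unparsed;             return 2 ;;
        1.0.1)         echo vulnerable;           return 1 ;;  # bare 1.0.1 release
        1.0.1[a-f])    echo vulnerable;           return 1 ;;  # 1.0.1a .. 1.0.1f
        1.0.1[g-z])    echo fixed;                return 0 ;;  # 1.0.1g or a later letter
        *)             echo outside-listed-range; return 0 ;;  # other branches: not in the article's range
    esac
}

# Constructed sample banners (not taken from any real host); on a real server
# you would pass "$(openssl version)" instead.
for banner in "OpenSSL 1.0.1e 11 Feb 2013" \
              "OpenSSL 1.0.1g 7 Apr 2014" \
              "OpenSSL 0.9.8y 5 Feb 2013"; do
    printf '%s -> %s\n' "$banner" "$(heartbleed_check "$banner")"
done
```

Distributions often backport the fix without changing the upstream version letter, so a banner reading 1.0.1e can still be a patched build; confirm against the package changelog before treating the result as final.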

  • dcj001

    Buster Hein – You misspelled your name at the end of the title of this article.

    • tornacious

      I always thought his name was a play on words, as in: “Bust Her Hiney”. Forgive me if I am wrong, or don’t.

  • monstermasten

    I’ve changed Twitter, Facebook and Gmail. I used to have the same password everywhere, but these are the three accounts I don’t want hacked into.

About the author

Buster Hein is Cult of Mac's Senior News Editor and lives in Phoenix, Arizona. Twitter: @bst3r.

