
One thing that's been bugging me in relation to the discovery of the Heartbleed OpenSSL flaw is the recommendation that everyone should run to their computers in a panic and change all of their passwords right now. Considering that there probably still are sites out there that haven't yet upgraded their OpenSSL version to fix the issue, won't changing all your passwords just leave you vulnerable to having your new passwords stolen? This could be especially troublesome as people tend to reuse the same passwords across multiple sites.

In summary, my question is - how can users adequately protect themselves at this point in time?

THE DOCTOR
    You're correct: "Change all passwords *immediately*" is the wrong thing to do (thanks a lot, mass media). The right thing to do is to change passwords *after* the systems you use have been patched. In many cases, those systems will prompt or force users to do so on their next login. – scuzzy-delta Apr 10 '14 at 15:07
  • 1
    @scuzzy-delta: But _why_ not change your password immediately _if_ your password might have been compromised? (Even if you have to change it again after the server has been patched.) Is it because, if the server has been compromised (and the primary key is known) then changing your password will simply reveal your password to the attacker? But in this case simply logging in will reveal your password? – MrWhite Apr 11 '14 at 09:55
  • I agree with @w3d. If your password is not unique, you must assume it is compromised through one of the servers you use it on, so all your accounts are possibly now vulnerable. Therefore changing all your non-unique passwords to unique passwords right now is potentially the safest thing to do, then change them again later when you are asked to by the system owner. I [posted an FAQ here, with a diagram](http://passwordpanic.com/faq/) to illustrate this. – Andy Brown Apr 14 '14 at 14:44

1 Answer


I guess the only thing users can do is:

  1. Use a different, strong, randomized password for each account (aiming for ~128 bits of password entropy is a good strategy, as explained in this answer);
  2. Change the password when a website implements the OpenSSL security patch.

Using a password manager makes sense. I find KeePass Password Safe pretty good.

Steven Volckaert
  • Yes, and #2 is especially important. I wonder if each of these websites will be responsible enough to notify their users if and when they have implemented the patch. A password manager is also a good idea. – THE DOCTOR Apr 10 '14 at 15:08
  • I totally agree with you. The key thing is #1, right now. It is a little more complex than this, but the safest thing to do is to isolate each account, or create groups of isolated accounts through unique passwords, as [I have illustrated here](http://passwordpanic.com/). There is one additional concern: this bug allows anything in the vulnerable buffer to be stolen so if logging in to a site pulls all your private info into the buffer, you could be putting more than your password at risk. – Andy Brown Apr 14 '14 at 14:47
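As an added illustration of point 1 in the answer above (this is example code, not part of the original answer or of KeePass), the block below shows what "~128 bits of password entropy" means in practice: for a password drawn uniformly at random from an alphabet of N symbols, each symbol contributes log2(N) bits, so the required length is ceil(128 / log2(N)). It uses Python's `secrets` module (a CSPRNG, unlike `random`) and hands out a distinct password per account, which is the "isolate each account" property the comments discuss. The alphabet and the function names are my own choices.

```python
import math
import secrets
import string

# Assumed alphabet for generated passwords: all printable ASCII
# except whitespace, i.e. 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols,
    each drawn independently from an alphabet of `alphabet_size`.
    Only valid for uniformly random passwords; a human-chosen
    "P@ssw0rd!" has far less entropy than this formula reports."""
    return length * math.log2(alphabet_size)


def min_length_for(bits: float, alphabet_size: int) -> int:
    """Shortest length whose entropy reaches at least `bits`."""
    return math.ceil(bits / math.log2(alphabet_size))


def generate_password(bits: float = 128, alphabet: str = ALPHABET) -> str:
    """Generate a password with at least `bits` of entropy.
    secrets.choice() uses the OS CSPRNG and samples uniformly, so the
    entropy calculation above actually holds for its output."""
    length = min_length_for(bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(length))


def unique_passwords_for(accounts: list[str], bits: float = 128) -> dict[str, str]:
    """One independent password per account. Because every password is
    generated separately, a Heartbleed-style leak from one site reveals
    nothing about the credentials used on any other site."""
    passwords = {account: generate_password(bits) for account in accounts}
    # Sanity check: with 128-bit passwords a collision is astronomically
    # unlikely, but a bug (e.g. a reused seed) would show up here.
    assert len(set(passwords.values())) == len(accounts), "duplicate password generated"
    return passwords


if __name__ == "__main__":
    # Constructed sample account list, not real data.
    vault = unique_passwords_for(["mail.example", "bank.example", "forum.example"])
    for account, pw in vault.items():
        print(f"{account:15} {pw}  ({entropy_bits(len(pw), len(ALPHABET)):.1f} bits)")
    # A digits-only PIN needs 39 characters for the same strength:
    print("digits-only length for 128 bits:", min_length_for(128, 10))
```

With the 94-symbol alphabet a 20-character random password already exceeds 128 bits; restricting the alphabet to letters and digits (62 symbols) pushes the length to 22, and to digits only (10 symbols) to 39. This is why a password manager is the practical answer: nobody remembers twenty random printable characters per site, but a manager only has to remember one strong master password and can generate and store the rest.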