Wednesday, April 9, 2014

Heartbleed: Should I change my password? (And when?)

Yesterday, news of the Heartbleed OpenSSL bug swept the Internet, and lots of web site administrators worked to update software and replace potentially compromised cryptographic keys. Estimates are this vulnerability affected over half a million websites and major sites such as Yahoo Mail were vulnerable.

Today people are starting to wonder what this bug means to them, specifically should they change their passwords? It’s possible as the news spread yesterday, websites could have been compromised before they were fixed. There is also the theory that someone could have exploited this bug secretly for two years.

It’s easy to say “Yes!” and this is always a good safe default, but if you’re like me you have 100s of passwords and changing them all is a major task. This post is meant to give you some guidance as to which passwords to change and which to change first.

First, figure out your most important passwords and start with those. Think about websites (good news for SSH users: SSH isn’t affected by Heartbleed, just OpenSSL) that would cause you real worry if the password was compromised. If you’re like me, it’s online banking and other important websites such as my university login and key projects I’m a part of.

Then, figure out if those websites you use were affected. This list of the top 1000 sites is a good place to start as well as this list from If you don't see a website listed in those places, look to their blog or other sources of support information. Failing that, it’s probably easiest just to assume they are compromised since it would take take more effort to figure out than change your password.

Then, and waiting may be hard, but there isn’t any point in changing your password until a website has fixed their software and changed their cryptographic keys. You can wait to hear from a website or you can test the website yourself. Once they’ve fixed their software and replaced their cryptographic keys, then it makes sense for you to change your password.

And while you’re going around changing all these passwords, take the opportunity to use a password manager and a different password for each site. Using a different password for each site is the most important thing you can do improve your security and obviously you can’t remember that many passwords, so using a password manager is the best way to do that.

Yes, this is no fun for anyone. Unfortunately security on the Internet is a shared responsibility and while websites do their best to minimize impact on us, sometimes things just don’t work out.

(Edited 4/10 to add link to list.)