A lot of folks are going around at the moment telling the public to change all of their passwords in response to the serious Heartbleed internet security bug.
For instance, here’s what the Tumblr website (owned by Yahoo) has told its users:
The emphasis on one particular paragraph was added by me. And it’s this section which I have a concern about:
This might be a good day to call in sick and take some time to change your passwords everywhere – especially your high-security services like email, file storage, and banking, which may have been compromised by this bug.
That’s awful advice.
You should only change your password in response to the Heartbleed bug after a website or internet company has:
- Checked to see if it is vulnerable
- Patched its systems
- Grabbed a new SSL certificate (having revoked their previous one)
- Told you it is fixed
Ideally they would initiate a mandatory change of passwords at that point. (By the way, when you do change your password, remember to also enable two factor authentication if the website or service offers it – as it will increase your overall level of security in the long run).
The danger is that if you change your passwords *before* a website has been fixed, you might actually be exposing your credentials to *greater* risk of being snarfled up by people exploiting the vulnerability in the buggy versions of OpenSSL.
Don’t forget – there are an awful lot more people now testing to see how well the vulnerability can be exploited now that details are public.
Sadly, mainstream media are proving to be a little guilty of parroting the advice of the likes of Tumblr.
Check out this BBC News article, for instance, entitled “Heartbleed Bug: Tech firms urge password reset”.
Again, I added the emphasis to the news story.
You have to scroll way down the article before you realise that actually you *shouldn’t* change all your passwords, but instead wait until a website has fixed the flaw.
And, if a website you use hasn’t made clear if they have fixed the problem (or indeed if they were ever vulnerable) then the best thing you can do is badger them into telling you.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.