In light of the Heartbleed disclosure, thousands of people will be following advice to change their passwords on their favourite sites. However, while this may seem like a simple exercise, even some of the big names in social media and ecommerce make this standard user journey overly complicated.
What we found overall was that sites made it difficult to understand how to get into account details, often as a result of using ambiguous icons. Sites also did not prioritise the password details from within account settings, and as a result it was difficult to find where to change the password amongst various other account options.
If you're going to use words or phrases in your password, misspelling them makes them harder to guess than the dictionary form. One way to do this is to substitute symbols and numbers for letters: for example, the phrase "I love soccer" could become "1LuvSoCC3r!1". Bear in mind, though, that the common substitutions (1 for i, 3 for e, @ for a) are built into the rule sets of password-cracking tools, so the length of the phrase and how unusual it is do more for its strength than the substitutions themselves.
Before you dive into immediately changing your passwords, be aware that the vulnerability is only patched if the company has upgraded to the new version of OpenSSL. The story broke on Monday, and if you rushed out to immediately change your passwords on every site, most of them would still have been running the vulnerable version of OpenSSL.
After Heartbleed I changed my Facebook password but now my iPad does not recognise it and I cannot connect to Facebook from some of my apps (I can log in to Facebook), but they all work on my iPhone. I tried a reset on my iPad but it is still the same. When I go to my Facebook settings it constantly asks for my password and when I enter it I get a message saying it is wrong. I'm at a loss as I have no problems on my iPhone. HELP!
I tried all those several times with no joy and in a fit of complete and utter frustration I did a factory reset. I have to say this is totally unacceptable: it means if I want to change my password in future I need to first delete my account from my iPad and create it again after the password has been changed. Not good enough, Apple, you need to deal with this yesterday! Your products are expensive and should have better support than this. The problem has been around for months it seems, so no excuse!
All that most of us can do is wait at this point. Presumably, various service providers will announce over the next few days when and whether users should change passwords or be aware that other confidential information may have been exposed.
Only after a new certificate is in place on a server that is no longer using a broken SSL/TLS library will it make sense for you to update your password for that service (or even trust your communication with it). The new certificate needs to be issued for a freshly generated private key, because the old key is among the things that could have been read out of server memory. Most of us simply have to wait until notified by various websites and services when and whether we should change passwords.
Once you have your new certificate signed and in place, revoke the old one and inform users that their sessions may have been compromised prior to the installation of the new certificate. Invalidate existing session cookies and tokens at the same time, since a password change alone does not help if an attacker already holds a valid session. Users should then change their passwords and take whatever other action is appropriate given that confidential data may have been exposed.
There was consensus in the internet security community that the safest user response after announcement of the problem was to first check whether a particular website was employing repaired versions of OpenSSL. Several testing sites were created so that people could stick in a Web address to see if a site still used the problem software. Experts also suggested that people change their passwords or even cancel accounts if they felt the accounts were vulnerable.
Again, those with higher levels of education were the most likely to have taken such steps: 48% of the internet users with college educations changed their password or deleted an account, compared with 31% of the internet users with high school educations or less and 40% of those who attended at least some college.
And 46% of the internet users in households earning $75,000 or more had changed their passwords or deleted an account, compared with 33% of the online Americans living in households earning less than $30,000.
But before you change your passwords, you need to check if the website has patched their site. You can test whether a site has been patched by entering its URL into a Heartbleed checking tool. (Look for the green highlighted "Now Safe" result.)
Pinterest has joined other websites in updating users regarding potential Heartbleed bug security issues in an email sent to users today. They report no suspicious activity has been detected and the problem has been patched, however they urge users to change their passwords as an added step in security.
It is unclear at this point who may have accessed any information through this vulnerability, but websites have been checking their systems for the bug and patching to repair the problem. While it is a good practice to change your passwords regularly, unless a website has patched their vulnerability, changing your password will not protect your information.
I recommend that individuals change passwords according to their own individual risks. Change retirement account passwords first, banking & credit passwords second, social network & email passwords third, work passwords fourth, then passwords with stored credit cards or the ability to charge (e.g., Amazon) and finally any kind of commenting or other password. Invest in creating the password in terms of how much it would cost or concern you if it were lost. If your Magic The Gathering or OKCupid accounts are what really matters to you, spend some time thinking about a good but memorable password.
First, I totally agree with your advice to all users to change passwords, and yet I also agree with Tom below that priorities based on importance should be kept. As a clinically paranoid, security-minded yet empathic person, that would be my advice to users: change all passwords to anything they find important.
Researchers believe that up to two-thirds of websites could be affected. Google, Facebook, and Yahoo! recently confirmed that they had been affected and said they were applying fixes to their systems, The New York Times reports. Administrators to websites are upgrading their software and applying added protections from Heartbleed. Still, security experts are advising consumers to change their passwords at any site that holds their sensitive data.
"End-users should not update their password until they know the flaw has been fixed by the website," says Romes. "If the vendor has not fixed the breach but you already changed your password, you will need to change it again after they fix it."
Internet users around the world are scrambling to change their passwords due to one of the most serious cybersecurity threats in history. The Heartbleed bug is a coding flaw in OpenSSL, an encryption library used on 66% of web servers. Large companies and businesses, including Google, Facebook, and many financial institutions, rely on this technology for communication security. Any hacker who discovered the flaw over the past two years may have been able to read private data out of server memory without leaving a trace. Many large companies were able to fix the flaw before the announcement went public. Users are encouraged to change their passwords as a precautionary measure. Many governments temporarily shut down their websites as a precaution as well.
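The "coding flaw" described above is a missing bounds check in OpenSSL's handling of TLS heartbeat messages. The following simulation is an added example, not code from the original article or from OpenSSL itself: it reproduces the shape of the vulnerable and the fixed logic in Python over a constructed byte buffer that stands in for process memory, so you can see why a request declaring a larger payload than it carries reads out neighbouring data (up to 65535 bytes per request, which is where the "64K" figure comes from). All names and the sample "secret" are constructed for the example.

```python
"""Simulation of the OpenSSL heartbeat bug (CVE-2014-0160) and its fix.

A TLS heartbeat message is: 1 byte type, a 2-byte big-endian payload_length,
the payload, then at least 16 bytes of padding. Before 1.0.1g the handler
trusted payload_length from the peer and copied that many bytes from the
receive buffer into the reply. The fix compares the declared length against
the record that was actually received. `memory` below is a constructed
stand-in for the process heap, not real OpenSSL state.
"""
import struct
from typing import Optional

HB_REQUEST = 1
HB_RESPONSE = 2
PADDING = 16


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request; claimed_length overrides the true length."""
    if claimed_length is None:
        claimed_length = len(payload)
    return bytes([HB_REQUEST]) + struct.pack(">H", claimed_length) + payload + b"\x00" * PADDING


def _parse_header(memory: bytearray, offset: int):
    """Read type and declared payload length; return them with the payload offset."""
    hbtype = memory[offset]
    (payload_length,) = struct.unpack(">H", bytes(memory[offset + 1:offset + 3]))
    return hbtype, payload_length, offset + 3


def process_heartbeat_vulnerable(memory: bytearray, offset: int, record_length: int) -> Optional[bytes]:
    """Pre-1.0.1g logic: record_length is never consulted, so a request that
    declares a payload_length larger than what was sent reads past the record
    into whatever neighbouring memory holds."""
    hbtype, payload_length, p = _parse_header(memory, offset)
    if hbtype != HB_REQUEST:
        return None
    # Equivalent of memcpy(bp, pl, payload) with no bound on `payload`
    echoed = bytes(memory[p:p + payload_length])
    return bytes([HB_RESPONSE]) + struct.pack(">H", payload_length) + echoed + b"\x00" * PADDING


def process_heartbeat_fixed(memory: bytearray, offset: int, record_length: int) -> Optional[bytes]:
    """1.0.1g logic: silently discard the message unless the declared payload
    plus header and padding fits inside the record actually received."""
    if 1 + 2 + PADDING > record_length:
        return None
    hbtype, payload_length, p = _parse_header(memory, offset)
    if 1 + 2 + payload_length + PADDING > record_length:
        return None
    if hbtype != HB_REQUEST:
        return None
    echoed = bytes(memory[p:p + payload_length])
    return bytes([HB_RESPONSE]) + struct.pack(">H", payload_length) + echoed + b"\x00" * PADDING


def response_payload(reply: bytes) -> bytes:
    """Extract the echoed payload from a heartbeat response."""
    (length,) = struct.unpack(">H", reply[1:3])
    return reply[3:3 + length]


def demo() -> dict:
    """Place a malicious request next to a constructed secret in memory and
    run both handlers over it."""
    memory = bytearray(1024)
    request = build_heartbeat(b"ping", claimed_length=200)  # says 200, carries 4
    memory[0:len(request)] = request
    secret = b"Cookie: session=4f3c2a91; password=hunter2"  # constructed neighbouring allocation
    memory[len(request):len(request) + len(secret)] = secret
    leaked = process_heartbeat_vulnerable(memory, 0, len(request))
    rejected = process_heartbeat_fixed(memory, 0, len(request))
    return {
        "vulnerable_leaks_secret": leaked is not None and secret in leaked,
        "fixed_rejects_request": rejected is None,
    }


if __name__ == "__main__":
    print(demo())
```

A well-formed request (declared length equal to the bytes sent) is answered identically by both handlers; only the oversized declaration separates them, which is why the bug went unnoticed by normal TLS traffic for two years.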
The "heartbleed" bug may have put millions of passwords, credit card details and sensitive information in the hands of nefarious hackers. Before you change your passwords, security experts suggest making sure the website is now secure, and provide tips for creating stronger passwords.
Glenn says there are websites to check whether or not a website has been patched, and suggested filippo.io/heartbleed or ssllabs.com/ssltest. Password management software maker LastPass also has a service that checks if a website is vulnerable. LastPass recommends users of websites like Yahoo, GitHub and Fitbit update their passwords right away. But if you have a Netflix, Airbnb or Quora account, wait to update.
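The checkers mentioned above (filippo.io/heartbleed, the SSL Labs test, LastPass) probe a live server. A server operator, or anyone reading a Server header, can also do a first triage from the OpenSSL version string; the function below is an added example, not code from the article or from any of those services, and the version ranges it encodes are the upstream affected releases (1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g and 1.0.2-beta2). The banners in the comments are constructed inputs.

```python
"""Triage an OpenSSL version string for Heartbleed (CVE-2014-0160).

Upstream affected versions: 1.0.1 through 1.0.1f, plus 1.0.2-beta1. Fixed in
1.0.1g (7 April 2014) and 1.0.2-beta2. The 0.9.8 and 1.0.0 branches never
contained the heartbeat code. Accepts the output of `openssl version` as well
as Server headers such as "Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1e".
"""
import re

_VERSION_RE = re.compile(
    r"OpenSSL[\s/]+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.IGNORECASE
)


def heartbleed_status(banner: str) -> str:
    """Return 'vulnerable', 'fixed', 'unaffected' or 'unknown'.

    'vulnerable' means the upstream version is affected. Distributions that
    backport fixes keep the old version letter (Debian and Red Hat stayed on
    1.0.1e), so for packaged builds confirm the fix from the package
    changelog or the build date in `openssl version -a`, not from this string.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return "unknown"
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    letter = m.group(4).lower()
    beta = m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 betas and 1.0.1 through 1.0.1f shipped the unchecked heartbeat code
        return "vulnerable" if letter <= "f" else "fixed"
    if (major, minor, patch) == (1, 0, 2):
        return "vulnerable" if beta == "1" else "fixed"
    if (major, minor, patch) < (1, 0, 1):
        return "unaffected"
    return "fixed"


if __name__ == "__main__":
    # constructed banners, e.g. from `openssl version` or an HTTP Server header
    for b in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
              "Apache/2.4.7 (Ubuntu) OpenSSL/1.0.2-beta1", "nginx/1.4.6"):
        print(b, "->", heartbleed_status(b))
```

Treat "fixed" from a version string as necessary but not sufficient: the server must also have been restarted against the patched library and, as the text above says, have a reissued certificate before a password change on that site does any good.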
Ferguson says you should change your password once you've been notified or discover that a server has had a security update. He suggested avoiding these big mistakes when creating a new password: using words from the dictionary, names, dates of birth, ages, telephone numbers, pet's names, football teams or anything related to you.
Question is, should we change our passwords? I use Sticky Password manager (www.stickypassword.com) and they told me to change passwords for sensitive accounts just for sure. Do you think it is necessary as well?
What I do not understand about heartbleed is: How can such an error be introduced in 2012? There was no new functionality, or was there? If so, why did someone change the code at all? Did they try to fix other bugs and introduce heartbleed on the fly? Or was this a complete rewrite for the sake of efficiency? Why then was it still written in C? Why is nobody publishing the comments on the commit of the first buggy version?
That is, perhaps NOBODY is getting any critical information from the 64K memory blocks, but somebody is poised to collect information on all of the new password change requests. Spy agencies would be the best guess here.
Bruce, could you explain how Perfect Forward Secrecy and this bug relate to each other exactly, regarding past and future communications and the need to change passwords? And thanks so much for helping the rest of us with these tricky yet vital things!