Heartbleed: don’t change all of your passwords

Barry Collins April 10, 2014

Security experts are warning users to ignore advice to change all of their internet passwords in the wake of the Heartbleed compromise.

Heartbleed: don't change all of your passwords

Heartbleed, which came to light on Tuesday, is a serious flaw in the OpenSSL technology that has potentially exposed many of the world’s biggest web services to hackers.

Several leading web companies – including Yahoo, Google and Dropbox – have been forced to take action to patch their services, and many more are still scrambling to address the issue.

Changing passwords ‘now’ while the vuln is probably under widespread exploitation isn’t a good suggestion

Some news sites have urged users to change all of their internet passwords to counteract the risk that hackers have previously exploited the flaw to steal login information.

However, security experts are warning that such a blanket approach could be counterproductive, warning that changing passwords on sites that are yet to be patched could simply hand hackers both the old password and the new.

“Changing passwords ‘now’ while the vuln is probably under widespread exploitation isn’t a good suggestion,” tweeted Rik Ferguson, vice president of security research at Trend Micro, in response to calls from a rival security firm for users to change all of their passwords.

“Changing now increases your risk of exposure in the short term as the vuln is now public.”

“I would advise [avoiding] vulnerable sites too, but changing pw ‘now’ will not reduce risk, only increase workload,” he added.

Password manager, LastPass, has updated its Security Check tool, which now advises users whether they should change a password they have stored in their LastPass vault, or wait for the service to be patched before resetting their password. LastPass users can find the tool by opening the LastPass browser extension and clicking Tools | Security Check.

The Mashable website has surveyed many of the leading web services and published details of whether users should change their passwords on those sites. However, two days after the flaw came to light, the status of many leading websites is still uncertain.

Send Email

Disclaimer: Some pages on this site may include an affiliate link. This does not effect our editorial in any way.

You may also like
buy_the_best_vpn_for_anywher_in_the_world
Here’s How to Buy the Best VPN for Your Online Safety

Stuart Andrews March 15, 2023

How to Find out Who an Unknown Caller Is
How To Find out Who an Unknown Caller Is

William Stanton March 15, 2023

Life360 – Is it Bad or Worth the Cost?

Lee Stanton March 13, 2023

Send To Someone

Missing Device

    Todays Highlights
    How to Change the Location on a FireStick

    Lee Stanton November 24, 2022

    How to See Google Search History
    How to View Your Google Search History

    Steve Larner March 7, 2023

    How to Change Your User Name in Zoom

    Lee Stanton August 23, 2022

    How to Use Inspect Element

    Lee Stanton August 16, 2022

    how to download photos from google photos
    How to Download Photos from Google Photos

    Cassandra December 3, 2022

    How to Change Your Username on Fortnite

    Lee Stanton February 20, 2023