Heartbleed: don’t change all of your passwords
Security experts are warning users to ignore advice to change all of their internet passwords in the wake of the Heartbleed compromise.
Heartbleed, which came to light on Tuesday, is a serious flaw in the OpenSSL cryptographic library that has potentially exposed many of the world’s biggest web services to hackers.
Several leading web companies – including Yahoo, Google and Dropbox – have been forced to take action to patch their services, and many more are still scrambling to address the issue.
Some news sites have urged users to change all of their internet passwords to counteract the risk that hackers have previously exploited the flaw to steal login information.
However, security experts warn that such a blanket approach could be counterproductive: changing a password on a site that has yet to be patched could simply hand hackers both the old password and the new one.
“Changing passwords ‘now’ while the vuln is probably under widespread exploitation isn’t a good suggestion,” tweeted Rik Ferguson, vice president of security research at Trend Micro, in response to calls from a rival security firm for users to change all of their passwords.
“Changing now increases your risk of exposure in the short term as the vuln is now public.”
“I would advise [avoiding] vulnerable sites too, but changing pw ‘now’ will not reduce risk, only increase workload,” he added.
The password manager LastPass has updated its Security Check tool, which now advises users whether they should change a password stored in their LastPass vault or wait until the service has been patched before resetting it. LastPass users can find the tool by opening the LastPass browser extension and clicking Tools | Security Check.
The Mashable website has surveyed many of the leading web services and published details of whether users should change their passwords on those sites. However, two days after the flaw came to light, the status of many leading websites is still uncertain.