OpenSSL Heartbleed bug demands password changes

If you have not heard of the recent “Heartbleed” bug, it is an oversight in the encryption layer that many Web sites use for security, and it allows attackers to exploit security keys and gain access to sensitive data.

The flaw exists in OpenSSL, where in an encrypted connection one computer will send out a heartbeat packet that requests a response from the other, to inform each that the connection is still alive. Unfortunately, a flaw allows a well-disguised fake heartbeat to be sent from a hacker’s system, and in return sensitive data in memory being protected by the encryption may be sent back. This can include passwords and usernames for establishing the connection.
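The missing length check behind the behaviour described above, as an added example that is not OpenSSL's code or part of the original article: a simplified heartbeat record (type, 2-byte length, payload; padding omitted) handled by a flawed and a hardened function. The function names, record bytes and credentials are constructed for illustration, and the memory array is sized so the over-read stays inside it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR 3          /* 1-byte type + 2-byte big-endian payload length */
#define RECORD_LEN 8   /* bytes the peer actually sent: header + "hello" */

/* Constructed stand-in for server memory: the received record, then
   unrelated secret data that happens to sit right after it. */
static const uint8_t memory[] =
    "\x01\x00\x20" "hello"              /* claims 32 payload bytes, carries 5 */
    "user=alice;password=hunter2;";

/* Constructed honest request: the length field matches the payload. */
static const uint8_t honest[] = { 0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };

/* Flawed handler: echoes as many bytes as the peer claims to have sent. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap)
{
    (void)rec_len;                      /* never consulted: this is the bug */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > out_cap) return 0;
    memcpy(out, rec + HDR, claimed);    /* reads past the record's end */
    return claimed;
}

/* Hardened handler: drop any record whose claim exceeds what arrived. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < HDR) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > rec_len - HDR || claimed > out_cap) return 0;
    memcpy(out, rec + HDR, claimed);
    return claimed;
}

int main(void)
{
    uint8_t out[64];
    size_t n = heartbeat_vulnerable(memory, RECORD_LEN, out, sizeof out);
    printf("vulnerable echoed %zu bytes: %.*s\n", n, (int)n, (const char *)out);
    n = heartbeat_fixed(memory, RECORD_LEN, out, sizeof out);
    printf("fixed echoed %zu bytes\n", n);
    n = heartbeat_fixed(honest, sizeof honest, out, sizeof out);
    printf("fixed echoed %zu bytes for honest request\n", n);
    return 0;
}
```

The flawed handler returns the five payload bytes plus 27 bytes of neighbouring memory, while the hardened one discards the same record and still answers the honest request.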

Unfortunately, the use of OpenSSL and HTTPS in Web site communication is so prevalent that this bug means most sites that are secured with a password may have been compromised.

If you are wondering what you can do about this bug, unfortunately, for the time being you cannot do anything. This issue is a server-side bug that needs to be fixed by the Web sites and hosts you connect to. However, once they have fixed it, you should consider changing your passwords for them.

The bug has been out for over two years, which suggests ample opportunity for passwords to be compromised. Therefore, once the services you use have been patched by their administrators, you will likely need to change your password to be certain your account is safe.

Unfortunately, you will need to do this only after you have confirmation that the servers you use have been patched. If you change your passwords immediately, the server could still have the bug, and the new password could be exposed as well.

Given the widespread nature of this bug, most servers and services that use OpenSSL are undergoing patching as we speak, so you should soon get information from their administrators about when it is best to change your password.

Luckily, if you are wondering if the servers you connect to are still vulnerable, you can use this checker tool to enter their URLs and have the results displayed for you.

2 thoughts on “OpenSSL Heartbleed bug demands password changes”

  1. B. Jefferson Le Blanc

    Thanks for the info. All but one of the sites that I do business with online checked out OK. One returned a broken pipe error, which, according to the testing site, could actually be a sign of active security measures like a firewall. Still, I guess I’ll have to start changing my passwords – bother.

  2. msadesign

    Thanks, T., as usual. But every one of my sites checked out OK. Don’t know how this could be the case as the issue is reported as being widespread. Changing passwords anyway.