No seriously, change your passwords -- and be glad you still can

By Nathaniel Mott , written on April 9, 2014

From The News Desk

In case the Heartbleed bug's name hasn't already convinced you of the seriousness of this security vulnerability, allow me to make this clear: you should change the password you use for every website you've visited in the last two years.

That message has been repeated ad nauseam since the vulnerability was first revealed earlier this week. Tumblr has asked its users to change their passwords. Mozilla has advised Firefox users who rely on the same password for multiple sites to do the same. So have the New York Times, the Wire, and countless other news sites. Again, in case the bleeding heart metaphor wasn't enough to convince you that this is a real problem: change all of your passwords. Now.

That's easier said than done, of course. While there are various tools that can generate strong passwords and keep them in sync across multiple platforms, there isn't an "Oh shit!" button that can automatically reset all of those passwords when something like this happens. It's up to you to remember all of the websites you've visited, the passwords you used for those sites, and to create new passwords that anyone knowing your old ones won't be able to guess. That's not necessarily a bad thing: having to manually change the passwords could help protect against any potential flaws hiding in the generators used by tools like 1Password or LastPass. (Note: I'm not saying the tools have flaws, I'm just saying they hypothetically could, company representatives.)

The good news is that passwords for services like Facebook and Gmail can be changed. It would be much harder to protect against compromised biometric security measures -- what are you gonna do, burn your fingertips and tattoo some new patterns onto them?

Having to change all of your passwords sucks. Not being able to adapt to compromises in the security measures that protect all of your personal information, however, would be even worse.

Reactions from around the Web

The Globe and Mail reports that many companies can't know if their information has been compromised:

'I don’t think anyone that had been using this technology is in a position to definitively say they weren’t compromised,' [Codenomicon CEO David] Chartier said.

Chartier and other computer security experts are advising people to consider changing all their online passwords.

'I would change every password everywhere because it’s possible something was sniffed out,' said Wolfgang Kandek, chief technology officer for Qualys, a maker of security-analysis software. 'You don’t know because an attack wouldn’t have left a distinct footprint.'

The Los Angeles Times explains why you should change all passwords instead of waiting for a company to say that their servers were compromised:

The Heartbleed bug affects only one version of OpenSSL, and a fix for the problem has already been issued.

But the vulnerability was only recently discovered, and the affected version of OpenSSL has been around for two years. It is also impossible to trace whether a hacker has taken advantage of the bug to steal data from any websites and online services that were using the vulnerable version of OpenSSL.

notes that changing your passwords only helps if you don't use the same password on vulnerable sites:

Unfortunately, there's nothing users can do to protect themselves if they visit a vulnerable website. The administrators of vulnerable websites will need to upgrade their software before users will be protected.

However, once an affected website has fixed the problem on their end, users can protect themselves by changing their passwords. Attackers might have intercepted user passwords in the meantime, and Felten says there's probably no way for users to tell whether anyone intercepted their passwords.

The Wire imagines the two types of people who might be interested in exploiting this bug:

You know, anyone with basic programming skills who might want some sensitive user data at their fingertips. Or, as many have suggested, there are some government agencies known to have a fondness for collecting user information and web traffic in bulk. If they knew about it before its exposure, Heartbleed could have been a big Christmas present to those efforts.
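As an added illustration of the two practical rules in the passages quoted above (only a specific OpenSSL release line was affected, and a new password only helps once the site has patched, while a reused password is exposed wherever it is shared), here is a small Python triage script. It is not part of the original article or of any publication it cites; the account list, the version strings and the names `Account`, `assess_version` and `plan` are constructed for this example. It goes one step beyond the article's advice by treating distribution package builds as inconclusive, because vendors backport fixes without changing the upstream version number.

```python
"""Post-Heartbleed triage: which OpenSSL builds were affected, and which
passwords to change now, change later, or leave alone. Constructed example."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

DISCLOSURE = date(2014, 4, 7)   # public disclosure of the bug
TODAY = date(2014, 4, 9)        # the day this triage is run (constructed)

# Upstream OpenSSL 1.0.1 through 1.0.1f carried the vulnerable heartbeat
# handling; 1.0.1g is the fixed release. The 0.9.8 and 1.0.0 lines never
# had the code at all.
VULN_LOW = (1, 0, 1, "")
VULN_HIGH = (1, 0, 1, "f")

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_version(text: str):
    """Turn 'OpenSSL 1.0.1f 6 Jan 2014' into (1, 0, 1, 'f')."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def assess_version(text: str) -> str:
    """Return 'vulnerable', 'not-affected', or 'inconclusive'.

    'inconclusive' covers distro package strings such as '1.0.1e-2+deb7u6'
    (a constructed Debian-style string): the upstream number is in the
    affected range, but the vendor may have backported the fix, so only the
    package changelog or a live test can settle it.
    """
    version = parse_version(text)
    if not (VULN_LOW <= version <= VULN_HIGH):
        return "not-affected"
    if "-" in text or "+" in text:
        return "inconclusive"
    return "vulnerable"


@dataclass
class Account:
    site: str
    was_vulnerable: bool                 # the site ran an affected build
    fixed_on: Optional[date]             # day the site patched; None if not yet
    password_changed_on: Optional[date]  # None if never changed
    password_group: str                  # accounts sharing a password share an id


def next_action(acct: Account, today: date, exposed_groups: Set[str]) -> str:
    if acct.was_vulnerable:
        # A new password sent to a still-vulnerable server can leak again,
        # so changing it before the site has patched buys nothing.
        if acct.fixed_on is None or acct.fixed_on > today:
            return "wait-for-fix"
        if acct.password_changed_on and acct.password_changed_on >= acct.fixed_on:
            return "done"
        return "change-now"
    if acct.password_group in exposed_groups:
        # This server was fine, but the same password was exposed elsewhere.
        if acct.password_changed_on and acct.password_changed_on >= DISCLOSURE:
            return "done"
        return "change-now"
    return "no-action"


def plan(accounts: List[Account], today: date) -> Dict[str, str]:
    exposed = {a.password_group for a in accounts if a.was_vulnerable}
    return {a.site: next_action(a, today, exposed) for a in accounts}


SAMPLE_ACCOUNTS = [  # constructed; none of these are real sites
    Account("mail.example", True, date(2014, 4, 8), None, "pw-A"),
    Account("shop.example", True, None, date(2014, 4, 8), "pw-B"),
    Account("news.example", False, None, None, "pw-A"),
    Account("bank.example", False, None, None, "pw-C"),
    Account("blog.example", True, date(2014, 4, 8), date(2014, 4, 9), "pw-D"),
]

if __name__ == "__main__":
    for build in ("OpenSSL 1.0.1f 6 Jan 2014", "OpenSSL 1.0.1g 7 Apr 2014"):
        print(build, "->", assess_version(build))
    for site, action in plan(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{site:14} {action}")
```

The sample data deliberately includes the case the article warns about: shop.example has a new password dated before the site patched, so it is still listed as wait-for-fix, and news.example was never vulnerable itself but shares a password with mail.example, so it needs a change anyway.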

Pando weighs in

Pando's David Sirota wrote about the dangers of biometric security measures when Apple announced TouchID last year:

However, when the success of the iPhone inevitably leads to a future in which lots of different technologies in your life are locked and unlocked by a finite number of biometrics, then far more than your phone is at risk. The scale of such biometric security systems would mean your whole life could be held hostage because the locks and keys have been fundamentally changed.

Think about it in practical terms. Whereas in today's password-based system you can protect yourself after a security breach with a simple password change, in tomorrow's biometric-based system, you have far fewer - if any - ways to protect yourself after a security breach. That's because you cannot so easily change your fingers, your eyes or your face. They are basically permanent. Yes, it's true - security-wise, those biological characteristics may (and I stress "may") be less vulnerable to a hack than a password. But if and when they are hacked in a society reorganized around biometric security systems, those systems allow for far less damage control than does a password-based system. In effect, your physical identity is stolen - and you can't get it back.

[Image via Wikimedia]