Heartbleed: should you change your passwords?
I suppose many of you more tech-savvy than I am (which would probably include about 98% of you) already know about the Heartbleed encrypting bug. I’ve read a lot of conflicting information about whether to change your passwords in order to protect yourself, but this article seems to offer the best and most current advice, as of today.
It lists websites that have patched the bug already, and strongly suggests you change your passwords for those sites. Yahoo, for example, is one. Then it lists websites that never were vulnerable in the first place, such as Paypal.
I know people who refuse to do any sort of business online, but most of us have been lulled into it by the convenience of the whole thing. Plus, since so many businesses use computers themselves, I think people feel vulnerable (and perhaps rightly so) no matter what method they use to transact their affairs. The days of cash under the mattress and over the counter still exist, but for most of us they are long gone. We leave a trail wherever we go, not just on computers but on telephones and cameras, at tollbooths and with credit cards. The internet is just one aspect of that.
As I read the list, I realized how little social media/internet interaction I’m involved in (which is probably odd for someone my age – mid twenties). I do have a Yahoo account, but they forced me to change my password a bit ago when this was discovered. Just a couple others to be safe, and not much of a hassle for me.
I wonder if this is merely what happens when the major Democrat tech companies gave the NSA and Obama Regime the keys to their encryption methods and databases. And they are just calling it a “bug”.
I know about this given that some companies that deal in encrypted internet mail accounts refused to hand over their keys and thus ended up dismantled.
Google, YouTube and Gmail
Facebook
Yahoo, Yahoo Mail, Tumblr, Flickr
OKCupid
Wikipedia
Google is in the pocket with the Left, they were seen liaisoning with the Regime on several key factors.
FB gave people a mirror copy of their servers, and their server pics are mirrored in INdia anyways.
Yahoo is quieter than Google, but trying to emulate Google.
OkCupid…. yea, we know where that one goes.
Does anyone know when this particular bug was discovered? I just heard about it a couple of days ago, but from some comments, it seemed that the bug was discovered several months ago and that sites like Yahoo had already asked their users to make the change. I know I was asked to change my pw a couple of months ago, but don’t know what security problem it was addressing. Do I need to make another round of changes?
I change passwords every month. I’m paranoid. 😉
Thanks for the link. That was helpful.
I find most of the stuff about computer networking and security to be utterly incomprehensible. They may as well be speaking Chinese as far as I’m concerned. I don’t have the first clue about any of this stuff.
From the CNN link, it looks like it’s mostly social networking sites that are affected. That’s good for me, since I’m not involved with them. I do have a YouTube account which I have used for commenting (I don’t have my own YouTube page), but I haven’t used it in months since they started asking for my full name when I try to log in. There’s an excellent chance I’ll never use it again. So I don’t know whether I need to change my password.
I tried to log in a few minutes ago and got a Google login page. I closed the tab instead.
My bank isn’t listed, but it’s a regional bank and I’m sure the list isn’t exhaustive. They haven’t contacted me about this.
Also, I don’t trust CNN to report the “news” accurately, so I don’t know how much I should trust their list.
I wonder whether blogs are also affected. I haven’t heard anything about that.
I forgot to say that I have a couple of passwords that I use which I think are pretty secure. They’re a combination of letters and numbers that make sense to me and are easy to remember, but are probably hard to guess. I’d hate to have to abandon them.
The following site has a much longer list:
http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/
Rickl, could switch them on a rotation or combine them together.
As some general advice, the things that can be used to link your information together is your birthday, don’t give your real birthday unless it’s absolutely necessary, such as credit cards or bank transfers.
Your social security. Your address. Your gender. The exact spelling of your full name.
The most treasure trove if someone breaks into your password is probably your email account, like someone digging through your mail for your bank account number.
Your email account has those various subscription and notices your online bank sends out, your so and so, and often has your account name on it. Once they figure out your accounts are linked, they can crack the password using brute force if the system doesn’t deny them log in attempts.
Open SSL or secured transmission is merely that HTTPS people see up top. So when people see it, they think it’s legit and not a fishing site. The bug thus makes it so that HTTPS sites are fishing sites, potentially, for your info.
A lot of email hackers are somehow from China, and probably doing it to send spam to your contacts for money. But some of them are from the US government (plea dealed hackers) or Democrat operatives like the ones that cracked Palin’s account.
Almost all the stuff people put on Facebook can be used to data mine their other contacts and background.
That’s too difficult to say, since that would require tracing security developer’s personal conversations. The important date is OpenSSL’s announcement, which is dated April 7, 2014. People had been moving to get OpenSSL itself fixed prior to that, but actually implementing the fix on all those services around the world would’ve started after the 7th.
If you were asked to change your password prior to the 7th, then that had to have been for some other reason. Until servers were patched, this bug opened the door to data leakage, so even if someone changed their passwords on the 6th, they’d need to change them again (yes, that’s a pain. I totally understand), even though it’s only been a few days.
Now, just because the bug existed doesn’t mean that a site was guaranteed to have been mined for information. Since this was a memory leak bug, it’s actually likely that malicious programmers ended up getting an awful lot of irrelevant noise before they dug up certificates, passwords, session keys, etc., but the reason everyone’s taking it so seriously is because it wouldn’t have left any trace of any data theft, so every site owner has to presume theft was possible.
Wait until a site says they’re “fixed” (“patched”, “updated”, whatever) before changing passwords. Changing your credential before a site is fixed is just risking it all over again.
Yeah, this is a pain. For us in the IT profession, it’s an even bigger one.
Thanks E.M.H. That was very clear … and off I go to change some passwords.