Do not rush to change all your passwords! (It all depends on timing…)

Heartbleed

Let me qualify that statement. I have heard and seen many knee-jerk reactions from “professionals” stating that we should all rush out and change our banking and social media passwords. The first questions we should be asking are: what, who and why? The second: do I need to make a change right away, if at all?

## What systems are affected? ##

Simple: any system that uses the OpenSSL library to secure its connections (the SSL/TLS certificates and encryption behind the padlock).

## Who is affected by the Heartbleed issue? ##

Those who CURRENTLY use OpenSSL and have not yet patched their systems against the vulnerability. The issue is with those who actually run that software; it doesn’t affect the whole internet, it isn’t the wwww (whole www).

## Why should I change my password? ##

You should be updating your online (and desktop) passwords on a regular basis anyway; over the time you use any login system, this is your best personal security measure. It doesn’t count if you swap a well-structured password for a badly thought-up one. Choosing a password is a personal matter, but it should contain a mixture of letters and numbers; if the system is good it will allow you to include special characters, and if it does, use them. Change your password if it is a poor one: a dictionary word or a run of sequential numbers. Some systems, like banks, force you to use only numbers, so there is nothing you can do there except avoid 1,2,3,4 or similar.

## Do I need to change my password now? ##

In the case of the Heartbleed issue, it is not advisable to change your password immediately without thinking it through. How can I say that? Well, if you think you are securing your account(s) by changing passwords now, how do you know whether the system in question has been patched (fixed)? If it hasn’t, you are in the same situation as before, and you have just wasted a new password.

## So, what to do? ##

Check who might be affected on a case-by-case basis. There is no point checking everyone, just the services you use. You might use a tool like this one: http://filippo.io/Heartbleed/#www.noxidsoft.com . If the website returns that everything is okay, then it is probably fine to continue using that service; it may mean the website doesn’t use OpenSSL at all, or that it has patched its vulnerable version. If the website returns a message that something went wrong, it might mean the service is vulnerable, or it might mean it is simply blocking the query. So, to set yourself at ease, especially when it comes to a bank and your money, phone them and ask. If you are just nervous, a phone call to the institution to confirm that everything is okay is enough. But, do I need to change my password?

Immediately, no. But you might use the link above to do a quick check, then make your move. If an institution makes a public announcement not to use its service until the problem is fixed, then don’t use the service until it is fixed. Beware of scam emails and phone calls that you didn’t initiate. Only change your password after you are sure that the affected system has been patched (fixed).
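The “wait until it is patched, then change it” rule above, written as a small Python check. This is an added example, not code from the original post or from the linked tool: it assumes you already have the server’s OpenSSL version and the version its vendor’s advisory names as fixed (the sort of thing you get by phoning the institution, as suggested), plus the certificate’s `notBefore` string as `ssl.getpeercert()` returns it; the 7 April 2014 disclosure date is public record, and all other values are constructed.

```python
import re
import ssl
from datetime import datetime, timezone
from typing import Tuple

# Heartbleed became public on 7 April 2014. A certificate issued before that date
# may still carry a private key that a vulnerable server could have leaked.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?$")


def openssl_version_key(version: str) -> Tuple[int, ...]:
    """Turn an OpenSSL version string into a sortable tuple. The old OpenSSL
    scheme is not plain semver: 1.0.1f < 1.0.1g, and 1.0.2-beta1 < 1.0.2."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    # Letter suffix to a rank: '' -> 0, 'a' -> 1 ... 'z' -> 26, 'za' sorts after 'z'.
    letter_rank = 0
    for ch in m.group(4):
        letter_rank = letter_rank * 26 + (ord(ch) - ord("a") + 1)
    # A beta sorts below the final release with the same number.
    beta = int(m.group(5)) if m.group(5) else 10**6
    return (major, minor, fix, letter_rank, beta)


def server_patched(installed: str, fixed: str) -> bool:
    """True if the server's OpenSSL is at or past the version the vendor calls fixed.
    Caveat: distributions often backport the fix without bumping the version,
    so False means 'ask the operator', not 'definitely vulnerable'."""
    return openssl_version_key(installed) >= openssl_version_key(fixed)


def cert_reissued_after_disclosure(not_before: str) -> bool:
    """not_before is the 'notBefore' string from ssl.getpeercert(),
    e.g. 'Apr  9 00:00:00 2014 GMT' (constructed sample format)."""
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before), timezone.utc)
    return issued >= HEARTBLEED_DISCLOSED


def ready_for_password_change(installed: str, fixed: str, cert_not_before: str) -> Tuple[bool, str]:
    """Apply the post's rule: change the password only once the service is patched,
    and prefer to see a certificate issued after the bug became public."""
    if not server_patched(installed, fixed):
        return False, "OpenSSL still below the fixed version: wait, a new password could leak too"
    if not cert_reissued_after_disclosure(cert_not_before):
        return False, "patched, but the certificate predates disclosure: confirm the key was rotated"
    return True, "patched and re-keyed: changing the password now is worthwhile"
```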

## Final word ##

If the service wasn’t affected, then why change your password? Just follow your normal policy on passwords.

More info at the dedicated website: http://heartbleed.com/