Resetting All Passwords Now May Be Worst Heartbleed Fix

Heartbleed. ItEUs going to go down in history as one of the worst bugs ever. Heartbleed could give hackers access to user passwords and even trick people into using fake versions of popular Web sites.

Security engineers at Codenomicon who found the bug are reporting that the vulnerability is in the OpenSSL cryptographic software library. The weakness, they said, steals information typically protected by the SSL/TLS encryption used to secure the Internet.

But is changing all your passwords the right response? According to independent security analyst Graham Cluley, itEUs not always the best move.

EUThe danger is that if you change your passwords before a Web site has been fixed, you might actually be exposing your credentials to greater risk of being snarfled up by people exploiting the vulnerability in the buggy versions of OpenSSL,EU he wrote in a blog post. EUDonEUt forget -- there are an awful lot more people now testing to see how well the vulnerability can be exploited now that details are public. Sadly, mainstream media are proving to be a little guilty of parroting the advice of the likes of Tumblr.EU

Back to Online Identity Basics

We caught up with Matt Willems, a labs engineer at security software firm LogRhythm, to get his take on the password issue. He told us, first of all, that Heartbleed allows attackers to see a portion of the contents of memory of the vulnerable server.

EUThis may be garbage or useless data, but it could be usernames and passwords of users and administrators or other sensitive data,EU Willems said. EUThis particular vulnerability still exists in many locations, so changing your password may just mean that the new password is vulnerable.EU

As Willems sees it, the strongest advice is to follow normal best practices for online identity information. That, he said, means changing your passwords regularly...

Comments are closed.