What you need to know about Heartbleed and changing your passwords

Interesting Engineering

heartbleed-featured[Image Source: Heartbleed]

So you may have heard about Heartbleed lately and all your friends may be telling you to change all your passwords. However, before changing your passwords, you need to know that the website in question has taken all the necessary steps to protect itself from Heartbleed, otherwise your new password will remain just as vulnerable. Some lists floating around telling you that sites are ready for password changes however have not checked all the necessary security steps. Read on to find out more:

P.S. We are going to (try to) explain exactly what the Heartbleed security breach is in a way that everyone can understand and also let you know the important points of where and when you should change your password.

What is the Heartbleed bug?

Web comic xkcd sketched up a little cartoon that explains Heartbleed in the simplest fashion we've seen:

Firstly, you need to know that web security is provided by software known as OpenSSL (secure sockets layer), which encrypts (scrambles) the data sent to and from a user's computer and the websites server (where the website is hosted/stored). So importantly, think of things such as usernames, passwords and even credit card and address details that you would submit to online forms, that would travel from your computer to the websites server.

Heartbleed takes advantage of something known as the "heartbeat" between the user's computer and the websites server - basically, when you access a website the website will respond to let your computer know that it is active and awaiting your requests with a heartbeat. The heartbeat is supposed to be a response equal to the amount of data that your computer sent when making the request. However, a bug in the software allows hackers to request more data from the servers memory beyond the total data of the initial request up to 65 536 bytes.  This extra information received in the request may contain anything from passwords to credit card details that other people have sent (see the cartoon above).

The Heartbleed bug is said to be an honest mistake made by programmer Robin Seggelmann, who added to the open source software, OpenSSL, on New Years Eve 2011. This means that the security hole has been around for more than 2 years now and the worst part is that there is no way to tell if a hacker has made a request for extra information from the heartbeat. In other words, there's no way to tell if anyone has ever stolen passwords or other sensitive information from a website.

Most Popular

When Should I Change My Password?

Many websites are offering lists that offer advice on which websites you should change and whether you should change your password yet. However, many security experts (such as Bruce SchneierTroy Hunt and the folks at AgileBits), say that you need to check three things:

  1. The site (or hardware/app as Heartbleed affects more than websites) was using a version of OpenSSL that was actually vulnerable to Heartbleed (versions 1.0.1 March 2012 through to 1.0.1f). The version containing the fix is 1.0.1g which was released April 7 2014.
  2. The site patched the OpenSSL bug.
  3. The site renewed the security keys and then issued a new security (SSL) certificate.

If this is all a bit too mumbo jumbo for you, it is being reported that LastPass's Heartbleed checker is currently the most reliable checking method if you cannot check yourself manually. For a more in depth look into making sure a site is ready for password changes, head over to ITWorld.

Some lists on the internet of sites that you need to change your password for have only checked that the websites have patched the OpenSSL bug for example and have not checked if new security (SSL) certificates have been issued. As it is impossible to tell if a server has been the victim of a Heartbleed attack, it is unclear whether a hacker may have downloaded security keys, which would still leave the website vulnerable if the three steps above have not been completed.

— Fedor Indutny (@indutny) 11 Nisan 2014

Recently, content distribution network Cloudflare looked into the seriousness of the bug by getting its researchers to try and utilise Heartbleed to obtain SSL security keys and failing. However, when they put the challenge to the public, a hacker from the Node.js team known as Fedor was able to successfully retrieve the private SSL keys.

We hope this helps your understanding of Heartbleed and that you will do the necessary and timed password changes to ensure your security online. As a final point, we would like to remind you not to use the same password for all websites as this could be disastrous. If you cannot keep track of so many different passwords then we recommend using a program like LastPass.

Also, check out the Logme Once Kickstarter campaign which offers a password manager, digital security, as well as a secure USB storage device and mobile battery charger in one package:

LogmeOnce fulfills an everyday need. Who isn’t worried these days about getting hacked, forgetting their passwords, or just being vulnerable because they have weak passwords? LogmeOnce offers a secure, easy-to-use alternative to these concerns and hastily written passwords on scraps of paper

message circleSHOW COMMENT (1)chevron