This week there’s little question that the internet security world has been tossed down a flight of stairs. With Heartbleed, a relatively major bit of a mistake was made in OpenSSL, a form of security that most of the internet uses, resulting in a major open door for hackers and spies of all kinds. With this bug having only been discovered this week and implemented a whopping two years ago, IT professionals are notably miffed.
But what should you do? Should you change all of your passwords right this minute? Absolutely not. As we’ve explained briefly in another one of our recent posts on Heartbleed, changing your password when a website is still vulnerable to Heartbleed is like changing the lock on your door when the villain still has a skeleton key.
Instead, you should go through the following three steps if you’re worried about security on the web today because of Heartbleed.
2. If the site is not vulnerable, skip to step 3. If the site IS vulnerable, do NOT change your password. Return to step 1 as often as you feel is necessary, and do not proceed to step 3 until the site is not vulnerable.
3. Change your password.
In all honesty, the Heartbleed bug - also known as CVE-2014-0160 - hasn’t likely affected you at all. I’ve been comparing worrying about Heartbleed to worrying about the NSA spying on you: unless you’re particularly notable to some hacker or another, it’s likely you’re not of interest. In other words: you probably weren’t a victim at any point anyway.
But stay vigilant anyway! When the sites you use are patched - immediately if not soon - you should change your passwords to something new. You should be doing this every once in a while anyway as the web is full of creepy crawlies that may also want to ruin your day just for fun. Stay safe!