[Owasp-ireland] Heartbleed Bug - Password change?

Fabio Cerullo fcerullo at owasp.org
Thu Apr 10 10:42:10 UTC 2014


Hi there,

The current situation with the Heartbleed bug is quite confusing.

And on top of that, the media are now suggesting that all users change their
passwords NOW - see BBC link below (similar one today in Metro):

http://www.bbc.com/news/technology-26954540

Since the news about Heartbleed erupted earlier this week, several people
asked me whether they need to change their passwords straightaway.

The short answer is, it depends. If the affected website has patched the
server and changed their public/private keys then it makes absolute sense
to change the passwords.

So first, check which of the sites you use are affected. If you don't want to read
through the long list of websites with the security flaw, the password
security firm LastPass has set up a Heartbleed Checker, which lets you
enter the URL of any website to check its vulnerability to the bug and if
the site has issued a patch.

https://lastpass.com/heartbleed/

Next, change your passwords for sites that were affected by Heartbleed but
patched the problem. However, if the site or service hasn't patched the
flaw yet, there's no point in changing your password. Instead, ask the
company when it expects to push out a fix to deal with Heartbleed.

Hope this helps.

Fabio