Bad Ideas

Changing Your Password Won’t Save You From Heartbleed

And nobody should be saying it will.
Heartbleed, the security exploit with a cute logo. (photo via heartbleed.com)

This past Monday, the world was introduced to Heartbleed (tracked as CVE-2014-0160), a bug in OpenSSL that allowed hackers to read sensitive user data out of the memory of affected servers.

OpenSSL is a cryptographic library that provides the SSL/TLS encryption behind https on servers hosting as much as two thirds of the web, including sites like Yahoo! Mail and OKCupid. The Heartbleed bug lets an attacker read chunks of a vulnerable server's memory, up to 64 KB per request and without any authentication, and that memory can hold exactly what should be protected: passwords, session cookies, even the server's private key.
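The bug itself is a missing length check in OpenSSL's handling of the TLS heartbeat extension: a client sends a small payload that claims to be much longer, and the server copies as many bytes as were claimed, starting from the request and running on into whatever sits next to it in memory. The following is an added example, not code from the article or from OpenSSL: a stripped-down heartbeat handler with the unpatched and patched behaviour side by side, run against a constructed block of "server memory" in which a made-up session secret sits a short distance after the request. The memory layout, the secret and the `demo_leak` helper are assumptions for the demonstration; the check in the `patched` branch is the one the 1.0.1g fix added.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Heartbeat message layout (RFC 6520): type(1) | payload_length(2) | payload | padding(>=16) */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };

/* Constructed "server memory": the incoming record is placed at the start and an
   unrelated secret sits a little further on, the way session data or key material
   can sit near a request buffer on a real server's heap. */
#define ARENA_SIZE 256
#define SECRET_OFFSET 64
static unsigned char arena[ARENA_SIZE];
static unsigned char response[ARENA_SIZE];
static const char secret[] = "session=4f2a9c1e";   /* constructed sample secret */

/* Build a heartbeat request whose 2-byte length field may lie about the payload. */
static size_t build_heartbeat(unsigned char *out, uint16_t claimed_len,
                              const unsigned char *payload, size_t actual_len)
{
    out[0] = HB_REQUEST;
    out[1] = (unsigned char)(claimed_len >> 8);
    out[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(out + 3, payload, actual_len);
    memset(out + 3 + actual_len, 0, HB_PADDING);
    return 3 + actual_len + HB_PADDING;      /* bytes actually received */
}

/* Process one heartbeat record. Returns the response length, or -1 if dropped. */
int handle_heartbeat(const unsigned char *rec, size_t rec_len,
                     unsigned char *resp, size_t resp_cap, int patched)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);  /* attacker-controlled */

    if (patched) {
        /* The 1.0.1g fix: the claimed payload, plus header and padding, must fit
           inside the record that was actually received. */
        if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len)
            return -1;
    }

    size_t need = 3 + (size_t)payload_len + HB_PADDING;
    if (need > resp_cap)
        return -1;   /* keeps this demo in bounds; not part of the original bug */

    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    /* Unpatched: copies payload_len bytes starting at the request payload and
       running past the end of the record into neighbouring memory. */
    memcpy(resp + 3, rec + 3, payload_len);
    memset(resp + 3 + payload_len, 0, HB_PADDING);
    return (int)need;
}

static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Send a 2-byte payload that claims to be 100 bytes long. Returns 1 if the
   secret came back in the response, 0 if it did not or the record was dropped. */
int demo_leak(int patched)
{
    memset(arena, 'A', ARENA_SIZE);
    memset(response, 0, ARENA_SIZE);
    size_t rec_len = build_heartbeat(arena, 100, (const unsigned char *)"hi", 2);
    memcpy(arena + SECRET_OFFSET, secret, sizeof secret - 1);
    int n = handle_heartbeat(arena, rec_len, response, ARENA_SIZE, patched);
    return n > 0 && contains(response, (size_t)n, secret);
}

int main(void)
{
    printf("unpatched: secret %s\n", demo_leak(0) ? "LEAKED" : "not leaked");
    printf("patched:   secret %s\n", demo_leak(1) ? "LEAKED" : "not leaked");
    return 0;
}
```

The 21-byte request here claims a 100-byte payload, so the unpatched path echoes 100 bytes and the secret at offset 64 comes back with them; the patched path notices that 119 bytes cannot fit in a 21-byte record and drops the request. Because the length field is 16 bits, a real attacker could claim up to 65,535 bytes, which is where the figure of roughly 64 KB per request comes from, and nothing stops them repeating the request until something interesting turns up.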

This kind of pandemic web security exploit is unprecedented, to say the least.

“‘Catastrophic’ is the right word,” wrote security expert Bruce Schneier on his site. “On the scale of 1 to 10, this is an 11.”

While some outlets have told readers to rush out and change all their passwords, programmers and systems engineers say that, on its own, won't do you any good:

The fact is, changing your password doesn't magically undo this massive vulnerability in OpenSSL. Before your information is safe from Heartbleed, the affected companies have to update to the fixed OpenSSL release (1.0.1g, published Monday), restart the services that use it and, because private keys may have been read out of memory, reissue their certificates. If a company hasn't done that, changing your password won't do you any good: the new password travels through the same hole as the old one. Only once a site has actually been fixed is a password change worth making, and then it is worth making, since the old password may already have leaked.

Until then, your best defense is just to keep the hell away from affected sites, which you can identify with this convenient web app.

Follow Jack Smith IV on Twitter or via RSS. jsmith@observer.com