The right way to recover from the Heartbleed bug
Ever since the Internet exploded last week over the "Heartbleed bug," a critical flaw in commonly used security software called OpenSSL, many blogs, news sites and security firms have responded with rapid-fire advice about what you should do first.
After all, it's a serious problem: This bug allows hackers to glean dangerous amounts of personal information, including login information, from supposedly secure sites. And it's not a limited issue, confined to a small number of online locations, either: As many as two-thirds of all sites use OpenSSL and are therefore susceptible.
Don't simply begin changing passwords, even at critical sites like banking and other financial institutions. It's possible, of course, that the site isn't affected by Heartbleed at all. And if it is but hasn't yet updated its software, changing your password will have no effect. Worse, if you have to answer secret questions or enter other personal information in the process of changing your password, you could expose that data to hackers at the same time.
Instead, you should ensure that the site is ready for your password change.
Another option: A number of security services are tracking Heartbleed status as well. Password manager app LastPass, for example, has tried to get in front of the problem by releasing a tool that tells you the status of sites you use. Statuses include "go update" -- if the site has fixed its Heartbleed vulnerability and it's safe for you to change your password -- and "Wait," for sites that still need to complete that work.
Competing password manager Dashlane has expressed some concern about tools like this one, though. Specifically:
"Errors with these checkers are on the rise as websites are taking measures to close the connections when they detect them. When they're not being blocked, these checkers will tell you when a site has updated its SSL certificate only if the date that the new SSL certificate was employed was updated as well. But not all SSL certificate providers updated that date when they rolled out the new certificates. In short, looking at that date is not enough."
As a result, Dashlane is advising its users to wait 10 days before changing passwords, which should give sites sufficient time to close their Heartbleed vulnerabilities.
You can also test individual sites on a case-by-case basis to see if they're free of the Heartbleed bug. Enter the URL at Heartbleed test to get confirmation. You certainly won't want to do this for dozens of sites, but you can test a small handful of your most critical sites in this way.
Of course, when you do change your passwords, be sure tofollow our advice for creating strong, unique ones at every sites. Password security comes through length, so the longer the better, and you should use a mix of uppercase, lowercase, letters, numbers and symbols. Never repeat the same password at any two websites, and to keep track of your overwhelming number of logins, use a password manager like Dashlane, Lastpass or Roboform.
