Infographic Shows Which Passwords Need to be Changed Because of Heartbleed

dgstorm

[Image: lwg-heartbleed-password-changes.jpg]

It's hard to disseminate all the info running rampant across the internet regarding the Heartbleed SSL vulnerability which has been the big media talk over the past week and a half. We mostly stayed away from the story to avoid spreading any "fear-mongering."

Still, that doesn't mean we don't want to offer some useful intel for you guys. We've been holding out so we could wait until much of the initial hype died down and something useful came along. The above infographic is precisely that. The cybersecurity experts at LWG Consulting have put together a handy infographic which gives details on which major websites/web-services we should change our passwords on ASAP. It also shows some websites that we can breathe easier about.

It's possible that this infographic isn't 100% exhaustive, but it should be a great starting reference. Many of the companies who own these websites are currently scrambling to fix the vulnerability. Some of them have already fixed the vulnerability, but the problem has been there for years, so it is best to change your password regardless.

Source: LWG
 
Is it worth changing the password on sites that haven't implemented a fix yet? It would seem that you're still vulnerable until the site has patched OpenSSL and reissued all of its certificates.
 
You make a very valid point VirtualCLD... it is possible that you will need to change your password again once all of these sites have corrected the vulnerability. It's probably still worth changing it now, and then again later on once that fix happens for all the sites. Some of these sites have already patched the problem. At the very least, if you change your password now, then if some bad guys have your old password stored in a database because of accessing it in the past, they will be wrong.
 
Though I changed my passwords for the sites I'm affected with, the important ones I use a 2 step process for anyways so if someone tried to log in under my account, they would need my unique code that changes every 30 seconds. But did anyways just to be safe.
 
You make a very valid point VirtualCLD... it is possible that you will need to change your password again once all of these sites have corrected the vulnerability. It's probably still worth changing it now, and then again later on once that fix happens for all the sites. Some of these sites have already patched the problem. At the very least, if you change your password now, then if some bad guys have your old password stored in a database because of accessing it in the past, they will be wrong.

You also raise a good point. I think it's time to reconsider a password manager, since I am having trouble remembering all of these different passwords for each site. My only concern is I can't use one at work when I want to access some personal sites and I don't know how secure it would be to have all of these passwords stored together on a remote server. Probably better than the situation I'm in now though.
 
I've been thinking about a password manager myself too. I use so many different passwords that sometimes I get them confused and have to "hack" myself! lol!
 
Honestly, I don't trust password managers. It's one of those things that you wonder if they are secretly sending your passwords back to themselves.
 
Thanks for sharing, but is there a bigger version of that image? I checked LWG's site and can't find the report. I can barely read the text in the version hosted here.
 
I received an email from Norton that has a website vulnerability tool. Tests a webpage to see if it was affected by the virus. I tried numerous ones, including ones that suggest changes. Tool claims those websites were OK, besides the ones unaffected. Obviously you should change passwords quite often, using alphanumeric combos with special characters (if allowed by host-site).

Joseph

Sent from my SCH-I545 using Droid Forums
 
You also raise a good point. I think it's time to reconsider a password manager, since I am having trouble remembering all of these different passwords for each site. My only concern is I can't use one at work when I want to access some personal sites and I don't know how secure it would be to have all of these passwords stored together on a remote server. Probably better than the situation I'm in now though.

I've been thinking about a password manager myself too. I use so many different passwords that sometimes I get them confused and have to "hack" myself! lol!

Honestly, I don't trust password managers. It's one of those things that you wonder if they are secretly sending your passwords back to themselves.

I've never completely trusted password managers either, so I have an Evernote file with all my passwords, but I have them in code, like little riddles, that only I would be able to decipher (yeah, I'm paranoid, lol)

However, with this Heartbleed situation, and after reading the article linked below, I'm going to temporarily use one. According to the article, LastPass, having updated recently to include a feature that will check every one of your stored sites, will tell you which ones have patched the vulnerability and updated certificates. It looks like it makes it really easy. It will say either "Go ahead and change your password" for each site that's been fully patched, or "wait" for ones that have not yet patched. This is important because, as VirtualCLD noted, changing passwords before a site has patched will still leave you vulnerable. (regarding that, though, I think dgstorm's rationale for changing passwords on ALL vulnerable sites now, then changing them again after the site implements the patches, is sound advice)
Worried about Heartbleed? LastPass' Security Check has you covered | ZDNet
 