There has been a lot of talk, confusion, and misinformation about the Heartbleed bug: what it is, what it does, and what to do about it. Hopefully, this article will help set the record straight. Before we can address the question posed by the title of this article, though, a bit of background is necessary.

What Is Heartbleed?

Without going into the mind-numbing technical details of the bug: when you're surfing on some websites, you've probably noticed a little “padlock” icon in the upper left-hand corner of your browser window. That little icon is the visual representation of something called “SSL.” SSL stands for “Secure Sockets Layer,” and it was designed so that you could do things like shop online without broadcasting your credit card info all over creation, or enter your banking password without worrying that someone could scoop it up and hack you. In short, then, “Pretty Important Stuff,” as far as life on the internet goes.

Except that there was a problem. Two years ago, when some incremental changes were being made to the SSL, a bug was introduced and went undetected. This bug made it possible for hackers to “tunnel past” the padlock and get to your information after all. That would have been bad enough on its own, but as mentioned, this happened two years ago. On the internet, that's half of forever, so the bug has been out there for a very long time.

The good news is that once it was discovered, it was quickly addressed: a security patch was created to close that hole. The companies impacted have been quick to apply the patch, so at least from that perspective, problem solved.

But What About My Passwords?

If you are following a reasonable password security system yourself, you should be changing all your passwords every 60 to 90 days anyway. The unfortunate reality, however, is that fewer than 10% of home users actually do this. In any case, the safest course of action is to use this opportunity to change all of your passwords, everywhere, and call it done. That is not strictly required, however, and if you would like a more refined approach, here's what you should do:

Start here: http://heartbleed.com/ for all the latest information on the bug. To test whether a particular site is vulnerable to the attack, head here: https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp?sl=QWHND-0000-01-00

If you discover that a site you use is vulnerable, then changing your password on that site won't actually do you any good until they patch the security hole. On the other hand, if you tend to use the same password on every site, you may want to change it to something radically different now, then change it again once the vulnerability has been addressed. One thing is certain, however: you should write the owners of the site and ask them to fix the problem before using it regularly again. Just in case.

Password Security Tips

I used to work in IT, and I know that it's fairly common practice for people to use the same password across all the sites they visit, because doing anything else makes it a nightmare to remember them all. Here's a tip that will make you more secure. Consider this an added bonus for reading all the way to the end.

Start with a password you'll use on every site. For the sake of example, let's say your password is “B@tman1.”

For every site you visit, use that, but add a prefix to the beginning. The prefix will be the first four characters (or five, or three... something) of the name of the site you're visiting. So for example, your Yahoo mail password would become “yahoB@tman1,” your BB&T login password would become “bbtB@tman1,” and so on. It's not a perfect solution, of course, but it's worlds better than using the exact same password everywhere, which is what most casual, and even not-so-casual, internet users are in the habit of doing.