Post: What the Heartbleed Bug Is and Why You Need to Change Your Passwords Now
04-10-2014, 05:57 PM #1
Alt
Banned




What Is Heartbleed and Why Is It So Dangerous?
In your typical security breach, a single company’s user records/passwords are exposed. That’s awful when it happens, but it’s an isolated affair. Company X has a security breach, they issue a warning to their users, and people like us remind everyone it’s time to start practicing good security hygiene and update their passwords. Those unfortunately typical breaches are bad enough as it is. The Heartbleed Bug is something much, much worse.

The Heartbleed Bug undermines the very encryption scheme that protects us while we email, bank, and otherwise interact with websites we believe to be secure. In the words of Codenomicon, the security group that discovered and alerted the public to the bug:

Originally posted by another user
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.




That sounds pretty bad, yes? It sounds even worse when you realize roughly two-thirds of all websites using SSL are using this vulnerable version of OpenSSL. We’re not talking small-time sites like hot rod forums or collectible card game swap sites, we’re talking banks, credit card companies, major e-retailers and e-mail providers. Worse yet, this vulnerability has been in the wild for around two years. That’s two years someone with the appropriate knowledge and skills could have been tapping into the login credentials and private communications of a service you use (and, according to the testing conducted by Codenomicon, doing it without a trace).

Although no group has come forward to flaunt all the credentials and information they siphoned up with the exploit, at this point in the game you have to assume that the login credentials for the web sites you frequent have been compromised.

What to Do Post Heartbleed Bug
Any major security breach (and this certainly qualifies on a grand scale) requires you to assess your password management practices. Given the wide reach of the Heartbleed Bug this is a perfect opportunity to review an already smooth-running password management system or, if you’ve been dragging your feet, to set one up.

Before you dive into immediately changing your passwords, be aware that the vulnerability is only patched if the company has upgraded to the new version of OpenSSL. The story broke on Monday, and if you rushed out to immediately change your passwords on every site, most of them would still have been running the vulnerable version of OpenSSL.


It looks like this weekend is shaping up to be a good weekend to get serious about updating your passwords. First, you need a password management system.

You need to start changing your passwords. A password manager is a great way to ensure you don’t miss any passwords; the basics of good password hygiene are quoted here:

Originally posted by another user
Passwords should always be longer than the minimum the service allows for.
If the service in question allows for 6-20 character passwords, go for the longest password you can remember.


Do not use dictionary words as part of your password.
Your password should never be so simple that a cursory scan with a dictionary file would reveal it. Never include your name, part of the login or email, or other easily identifiable items like your company name or street name. Also avoid using common keyboard combinations like “qwerty” or “asdf” as part of your password.


Use passphrases instead of passwords.
If you’re not using a password manager to remember really random passwords (yes, we realize we’re really harping on the idea of using a password manager) then you can remember stronger passwords by turning them into passphrases. For your Amazon account, for example, you could create the easily remembered passphrase “I love to read books” and then crunch that into a password like “!luv2ReadBkz”. It’s easy to remember and it’s fairly strong.



Security vulnerabilities, especially ones with such far reaching implications, are never fun but they do offer an opportunity for us to tighten our password practices and ensure that unique and strong passwords keep the damage, when it occurs, contained.





You can check out this website to see if it affects any websites you use.

- Alt Tustin

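To make the Codenomicon description above concrete, here is an added example; it is not code from the original post or from OpenSSL itself. It is a simplified C model of a TLS heartbeat handler (message layout per RFC 6520: one type byte, a two-byte big-endian payload length, the payload, then at least 16 bytes of padding). The function names `heartbeat_respond`, `leaked_secret_bytes` and `echo_length_for_valid_request`, the 256-byte arena and the sample cookie string are all made up for the demonstration. The vulnerable branch trusts the peer's claimed length as the copy size, which is the defect's shape; the hardened branch adds the kind of "does the claimed payload fit in the record?" check the fixed OpenSSL release introduced, written here in our own words rather than as the project's literal patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16                     /* heartbeats carry >= 16 bytes of random padding */
#define HB_MAX_OUT   (3 + 65535 + HB_PADDING)

/* Process one received heartbeat record and write the echo response to `out`.
 * rec points at: type(1) | payload_length(2, big-endian) | payload | padding.
 * rec_len is the number of bytes the record actually contained.
 * If trust_claimed_length != 0, the 16-bit length field is used as the copy size
 * without comparing it to rec_len (the Heartbleed defect). Otherwise the request
 * is rejected unless the claimed payload plus padding fits inside rec_len.
 * Returns the response length, or -1 if the request is rejected. */
static int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, int trust_claimed_length)
{
    if (!trust_claimed_length && rec_len < 1 + 2 + HB_PADDING)
        return -1;                              /* too short to hold header + padding */

    if (rec[0] != HB_REQUEST)
        return -1;

    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);

    /* The check that was missing: the claimed payload must fit in what was received. */
    if (!trust_claimed_length && (size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    /* With trust_claimed_length set, this copies `payload` bytes from memory
     * following the request, no matter how few bytes the peer actually sent. */
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0x41, HB_PADDING); /* stand-in for random padding */
    return 3 + payload + HB_PADDING;
}

/* Constructed demo: a 4-byte request that claims a 64-byte payload sits in a buffer
 * that also holds a "secret" string, standing in for neighbouring heap data such as
 * a session cookie. Returns how many secret bytes end up echoed in the response. */
static int leaked_secret_bytes(int trust_claimed_length)
{
    static const char secret[] = "cookie=alice";        /* constructed sample, 12 bytes */
    const uint8_t req[] = { HB_REQUEST, 0x00, 0x40, 'X' }; /* claims 64, sends 1 */
    uint8_t arena[256];
    uint8_t out[HB_MAX_OUT];

    memset(arena, 0, sizeof arena);
    memcpy(arena, req, sizeof req);
    memcpy(arena + sizeof req, secret, sizeof secret);

    int n = heartbeat_respond(arena, sizeof req, out, trust_claimed_length);
    if (n < 0)
        return 0;                               /* rejected: nothing echoed at all */

    /* out[3] is the one real payload byte; anything after it came from the arena. */
    int leaked = 0;
    for (size_t i = 0; i + 1 < sizeof secret; i++)
        if (out[3 + 1 + i] == (uint8_t)secret[i])
            leaked++;
    return leaked;
}

/* A well-formed request (claimed length matches what was sent, padding present)
 * is answered by both variants; returns the response length. */
static int echo_length_for_valid_request(int trust_claimed_length)
{
    uint8_t req[1 + 2 + 5 + HB_PADDING] = { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    uint8_t out[HB_MAX_OUT];
    return heartbeat_respond(req, sizeof req, out, trust_claimed_length);
}

int main(void)
{
    printf("vulnerable handler leaked %d secret bytes\n", leaked_secret_bytes(1));
    printf("hardened handler leaked %d secret bytes\n", leaked_secret_bytes(0));
    printf("valid 5-byte request -> %d-byte response\n", echo_length_for_valid_request(0));
    return 0;
}
```

The point of the model is the asymmetry: the peer controls both the length field and the actual record size, and only the latter is a safe bound for the copy. A real server's leak would be whatever happened to sit after the record in the process heap, which is why the quoted advisory lists keys, passwords and session data rather than any one thing.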
04-10-2014, 09:18 PM #2
Joel
Well, it's good to hear some news like this. The most important fact is keeping different passwords on different websites and always making sure the email someone uses is privately hosted on their own domain. Now that this news is out, the NSA can go into any site just to read text messages and such from companies.
04-10-2014, 09:39 PM #3
Sorry to sound really nooby but was this bug only found now? Haven't the big companies been using this OpenSSL for years?
04-10-2014, 09:42 PM #4
ResistTheSun
In Flames Much?
Media hysteria, I love it not!
Changing your password without the server being patched means people can still exploit that loophole. Given that this has been around for some two-odd years with no major reports, it goes to show that most hackers did not know about it, but given the hysteria they do now.
So it's a race to patch this before people find sites with holes in place.

What's more, if your card had been used you would know about it by now; same with some other information.
Does go to show you that even the major bits of code can be broken and exploited. Vulnerable world we live in; even the most basic protocol can be broken.
This is a bit like the Y2K bug in my mind: tons of fuss for no reason.

04-10-2014, 09:49 PM #5
Originally posted by TheyCallMeFox View Post
Sorry to sound really nooby but was this bug only found now? Haven't the big companies been using this OpenSSL for years?


Yes that's what so severe about this vulnerability. It has just been recently found and has been around for several years in certain versions of openSSL.
04-10-2014, 10:27 PM #6
Originally posted by ResistTheSun View Post
Media hysteria, I love it not!
Changing your password without the server being patched means people can still exploit that loophole. Given that this has been around for some two-odd years with no major reports, it goes to show that most hackers did not know about it, but given the hysteria they do now.
So it's a race to patch this before people find sites with holes in place.

What's more, if your card had been used you would know about it by now; same with some other information.
Does go to show you that even the major bits of code can be broken and exploited. Vulnerable world we live in; even the most basic protocol can be broken.
This is a bit like the Y2K bug in my mind: tons of fuss for no reason.


You are only partly right. Not every hacker wants to deface a site as soon as they get access to the backend panel. This particular bug allows them to tap right into encrypted data and take whatever they want. Would you want to go around bragging about that when you could have millions of $$ at your disposal? I wouldn't; I'd keep it a secret as long as I could.
04-10-2014, 10:29 PM #7
Toke
PC Master Race
Originally posted by ResistTheSun View Post
Media hysteria, I love it not!
Changing your password without the server being patched means people can still exploit that loophole. Given that this has been around for some two-odd years with no major reports, it goes to show that most hackers did not know about it, but given the hysteria they do now.
So it's a race to patch this before people find sites with holes in place.

What's more, if your card had been used you would know about it by now; same with some other information.
Does go to show you that even the major bits of code can be broken and exploited. Vulnerable world we live in; even the most basic protocol can be broken.
This is a bit like the Y2K bug in my mind: tons of fuss for no reason.


It's only really important to change them if they are important, like email, or have money involved, like PayPal; otherwise everyone's really overreacting.
04-10-2014, 10:30 PM #8
Toke
PC Master Race
Originally posted by Hondarydr View Post
Yes that's what so severe about this vulnerability. It has just been recently found and has been around for several years in certain versions of openSSL.


Also, many think people have been doing this exploit for months now.

04-11-2014, 08:16 PM #9
Alt
Banned
It's a pretty big deal.
04-11-2014, 09:40 PM #10
Khemz
Roll Safe
Yeah, this popped up when I tried to sign in to adfly.
