Heartbleed Bug: Tech firms urge password resets

Several tech firms are urging people to change all their passwords after the discovery of a major security flaw.

Bad news. A major vulnerability, known as “Heartbleed”, has been disclosed for the technology that powers encryption across the majority of the internet. That includes Tumblr. We have no evidence of any breach. But this still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit.

The Yahoo blogging platform Tumblr has advised the public to "change your passwords everywhere - especially your high-security services like email, file storage and banking". It follows news that a product used to safeguard data could be compromised to allow eavesdropping. OpenSSL is a popular cryptographic library used to digitally scramble sensitive data as it passes to and from computer servers so that only the service provider and the intended recipients can make sense of it. If OpenSSL is in use, you will see a padlock icon in your web browser when on secure sites, such as email and online banking.

Bruce Schneier, a security technologist, said “On a scale of 1 to 10, this is an 11”. Experts stress that they have no evidence of cybercriminals having harvested passwords. That might sound reassuring, but it is quite the opposite: exploiting the flaw leaves no trail, so the only way anyone would find out is if the hackers published their haul online. Before you spend hours changing passwords everywhere, it is highly advisable to check which services have fixed the flaw.

Dr Steven Murdoch said "I think there is a low to medium risk that any given password has been compromised. It's not the same as previous breaches where there's been confirmed password lists posted to the internet. It's not as urgent as that. But changing your password is very easy. So it's not a bad idea but it's not something people have to rush out to do unless the service recommends you do so."

Security companies have developed tests that can reveal if a service remains vulnerable to the flaw. To check whether a service is secure, go to https://www.ssllabs.com/ssltest/index.html and type the web address into the ‘Domain Name:’ field. If it comes back with an A or B grade, you have nothing to worry about; anything else means you should change your password and security details.
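The SSL Labs test above checks a site from the outside. For someone running a server, the first question is whether their own OpenSSL build falls in the affected range. The Python helper below is added here as an example and is not part of the original article or of any OpenSSL tooling: it parses the output of `openssl version` and reports whether the upstream version number is one that shipped with the bug. The version boundaries it encodes are from the OpenSSL project's advisory; the function names and the sample strings are assumptions made for the example.

```python
import re
import subprocess

# Affected releases (from the OpenSSL project's Heartbleed advisory):
# OpenSSL 1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release carry the bug;
# 1.0.1g fixed it, and the older 1.0.0 and 0.9.8 branches never had it.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")


def parse_openssl_version(text):
    """Pull (major, minor, patch, letter_suffix, beta_tag) out of an
    'openssl version' line such as 'OpenSSL 1.0.1e 11 Feb 2013'."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError("not an OpenSSL version string: %r" % text)
    major, minor, patch, letters, beta = match.groups()
    return int(major), int(minor), int(patch), letters, beta or ""


def is_vulnerable_version(text):
    """True when the upstream version number falls inside the affected range."""
    major, minor, patch, letters, beta = parse_openssl_version(text)
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) and 1.0.1a..1.0.1f are affected; 1.0.1g and later are fixed.
        return letters <= "f"
    if (major, minor, patch) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped with the bug.
        return beta == "-beta1"
    return False


def assess_local_openssl():
    """Run the local 'openssl version' binary and assess its output.

    Caveat: Linux distributions often backport the fix without bumping the
    version string (a patched build can still print '1.0.1e'), and a build
    compiled with heartbeats disabled is not affected at all. Treat a
    'vulnerable' answer here as 'check the package changelog or vendor
    advisory', not as proof of exposure.
    """
    out = subprocess.run(["openssl", "version"],
                         capture_output=True, text=True, check=True).stdout
    return out.strip(), is_vulnerable_version(out)


if __name__ == "__main__":
    version, vulnerable = assess_local_openssl()
    print(version, "-> affected upstream version" if vulnerable
          else "-> not in the affected range")
```

Two caveats apply to either check. The grade or version number only tells you the server's state now, so a password that was used while the service was still vulnerable should be changed after the service is fixed, not before. And because distributions commonly backport security fixes without changing the version number, a "vulnerable" version string means "consult the vendor advisory", not "confirmed exposed".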

Password Tips

Don't choose one obviously associated with you

Hackers can find out a lot about you from social media so if they are targeting you specifically and you choose, say, your pet's name you're in trouble.

Choose words that don't appear in a dictionary

Hackers can pre-compute the hashed (scrambled) forms of whole dictionaries and then simply look your password up in the result.
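The following Python example, added here and not part of the original article, shows why that tip matters from the defender's side. It builds a lookup table for a small constructed word list (an assumption standing in for the real, much larger lists) using an unsalted fast hash, and shows that a leaked hash of a dictionary word is reversed instantly. It then stores the same password with a random per-user salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library, chosen here as one example of such a function), so that no table computed in advance applies.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a real word list (real ones hold millions of entries).
WORDLIST = ["password", "letmein", "sunshine", "dragon", "welcome", "qwerty"]
PBKDF2_ITERATIONS = 100_000


def precompute_unsalted_table(words, algo="sha256"):
    """Hash every dictionary word once with a fast, unsalted hash.

    The output depends only on the word, so a single table answers
    'which word produced this hash?' for every account at every site
    that stores passwords this way."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def lookup_unsalted(stored_hash, table):
    """Reverse a leaked unsalted hash by lookup; None if it is not a dictionary word."""
    return table.get(stored_hash)


def hash_password_salted(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """The defensive scheme: random per-user salt plus a slow derivation function."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password, salt, expected, iterations=PBKDF2_ITERATIONS):
    """Check a login attempt against the stored (salt, digest) pair."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(digest, expected)


def demo():
    """Contrast the two storage schemes against the same weak password."""
    table = precompute_unsalted_table(WORDLIST)

    # Unsalted SHA-256, as a leaked password database might contain it:
    leaked = hashlib.sha256(b"sunshine").hexdigest()
    recovered = lookup_unsalted(leaked, table)  # found immediately

    # Salted and slow: two users with the same password get unrelated records,
    # so a table built in advance cannot be reused against either of them.
    salt_a, digest_a = hash_password_salted("sunshine")
    salt_b, digest_b = hash_password_salted("sunshine")

    return {
        "unsalted_recovered": recovered,
        "salted_records_differ": digest_a != digest_b,
        "salted_in_table": lookup_unsalted(digest_a.hex(), table),
        "login_still_works": verify_salted("sunshine", salt_a, digest_a),
        "wrong_password_rejected": not verify_salted("sunshine1", salt_a, digest_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt does not make a weak word strong; it only forces an attacker to start from scratch for each account, and the slow hash makes each guess cost real time. That is why the advice to the user (avoid dictionary words) and the advice to the site (salt and stretch) go together.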

Use a mixture of unusual characters

You can use a word or phrase that you can easily remember but where characters are substituted, eg, Myd0gha2B1g3ars!

Have different passwords for different sites and systems

If hackers compromise one system you do not want them having the key to unlock all your other accounts.

Keep them safe

With multiple passwords it is tempting to write them down and carry them around with you. Better to use some form of secure password vault on your phone.

No rush

A researcher at the University of Cambridge Computer Laboratory said it would be an overreaction to say everyone should drop what they are doing to reset all their passwords, but that those concerned should still act.

