Warning over Heartbleed bug
Warning over Heartbleed bug: Switching passwords early ‘is a boost security breach’
Rushing to change internet passwords in the wake of the Heartbleed bug could make matters worse, security experts warn.
The advice is the opposite to that from websites such as Tumblr, owned by Yahoo!, which urged users to change all passwords – especially those protecting sensitive data – immediately.
But Hugh Boyes, cyber security head at the British-based Institution of Engineering and Technology, said: ‘Change your passwords – but only after the affected website operators and internet service providers have implemented the patch to fix the bug. Changing your password before the bug is fixed could compromise your new password.’
However, Mr Boyes also recommended changing passwords monthly or quarterly, depending on the sensitivity of the website or application.
‘Don’t reuse the same passwords on different websites. Try to use a separate password for each website,’ he added.
Heartbleed had gone undetected for more than two years until it was discovered on Monday by a team of security experts, including one from Google. The bug bypasses the encryption that normally protects data as it is sent between computers and servers, indicated by a padlock on the screen, leaving personal and sensitive data vulnerable.
Independent security expert Bruce Schneier has also called for calm, but emphasised the seriousness of the web security breach.
‘Catastrophic is the right word,’ he added.
‘On the scale of one to ten, this is an 11. Half a million sites are vulnerable, including my own.’
Users can check whether a website is vulnerable to the bug using a website run by developer Filippo Valsorda.