Sunday 13 April 2014

Heartbleed: Which passwords you should change right now

[Image: A map of the internet, affected by the Heartbleed bug]
Security researchers can all agree on one thing: the Heartbleed bug is probably the most significant and dangerous vulnerability to ever hit the internet. What’s odd about Heartbleed, though, is that due to the nature of the vulnerability — because it essentially means that hackers could eavesdrop on almost everything you’ve done in the last two years — no one seems to agree on what you should do to protect yourself. Do you change your passwords? Or wait? Or do something else entirely? Read on, and I’ll tell you.

Should you change your password?

Before you change your password due to the Heartbleed bug, there are two factors you need to consider. First, was the website affected by the Heartbleed bug in the first place? Second, if it was affected, has that website installed a new version of OpenSSL (which fixes the bug), and has the website updated its security (encryption) certificates?
If the website did not use a vulnerable version of OpenSSL, you don’t need to change your password. So far, Microsoft, AOL, and LinkedIn have said they did not use the offending software, and that you are safe. The one exception to this rule is if you used the same password across multiple websites, in which case you should change your password. (You should always use different passwords for every website, but we’ll talk more about that in the next section.)
[Image: Heartbleed logo]
If the website was vulnerable to the Heartbleed bug, the situation is more complex. If the website says it has fixed the bug, and installed new security certificates, then it’s safe to change your password. If not, you must wait. If you change your password on a website still vulnerable to the Heartbleed bug, your password (and other sensitive details) could still be obtained by hackers.
The problem is, many web service providers are still scrambling to suss out whether they’re vulnerable, and to roll out fixes if they were. As a result, many thousands or millions of websites haven’t yet made a public announcement about whether it’s safe to use their services again. Of the big web service providers, Yahoo, Google, Facebook, and Dropbox were all vulnerable to the Heartbleed bug, but it is now safe to change your passwords for these sites and all related services.
For other sites, your best bet is to visit the website’s blog or Twitter feed and look for announcements. Mashable has a list of some websites that have publicly announced their Heartbleed bug status, but I’m dubious about some of the information there (not a single bank admitted to being vulnerable). On Github, you can find a list of large websites that were vulnerable to Heartbleed a couple of days ago, which you can use as a starting point.
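The two-step decision above (was the site vulnerable; if so, has it patched OpenSSL and reissued its certificate) is easy to get wrong when you are working through a long list of accounts. The script below is an added example, not from the original post and not LastPass's tool: it encodes the article's rules as a small triage function and uses the standard-library ssl.cert_time_to_seconds() to check whether a certificate's notBefore date falls on or after the 7 April 2014 public disclosure. The site records are constructed sample data in the same shape as the notBefore string that ssl.getpeercert() returns; the hostnames and the vulnerable/patched flags are assumptions for illustration, since the only reliable source for them is the provider's own announcement.

```python
import ssl
from datetime import datetime, timezone

# Heartbleed (CVE-2014-0160) was publicly disclosed on 7 April 2014.
# A certificate issued before this date cannot have been reissued in response.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

CHANGE_NOW = "change now"
WAIT = "wait"
NO_CHANGE = "no change needed"


def cert_issued_after_disclosure(not_before: str) -> bool:
    """Return True if the certificate's notBefore date is on or after the
    disclosure date. `not_before` uses the format ssl.getpeercert() returns,
    e.g. 'Apr  9 10:30:00 2014 GMT'. Caveat: a fresh notBefore date shows the
    certificate was reissued, not that a new private key was generated; only
    the provider can confirm the latter."""
    seconds = ssl.cert_time_to_seconds(not_before)
    issued = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return issued >= HEARTBLEED_DISCLOSURE


def password_advice(site: dict) -> tuple:
    """Apply the article's rules to one site record and return (verdict, reason)."""
    if not site["was_vulnerable"]:
        # Not affected: only a password shared with other sites needs changing.
        if site["password_reused"]:
            return CHANGE_NOW, "password is shared with other sites"
        return NO_CHANGE, "site never ran a vulnerable OpenSSL"
    if not site["openssl_patched"]:
        # Changing a password on a still-vulnerable server exposes the new one too.
        return WAIT, "site still running vulnerable OpenSSL"
    if not cert_issued_after_disclosure(site["cert_not_before"]):
        return WAIT, "certificate predates disclosure; may not have been reissued"
    return CHANGE_NOW, "OpenSSL patched and certificate reissued"


def triage(sites: list) -> dict:
    """Map each site name to its verdict so a whole account list can be reviewed at once."""
    return {site["name"]: password_advice(site)[0] for site in sites}


# Constructed sample inventory (hypothetical hosts and flags, not real assessments).
SAMPLE_SITES = [
    {"name": "bank.example", "was_vulnerable": False, "openssl_patched": True,
     "cert_not_before": "Jan 15 00:00:00 2014 GMT", "password_reused": False},
    {"name": "forum.example", "was_vulnerable": False, "openssl_patched": True,
     "cert_not_before": "Jan 15 00:00:00 2014 GMT", "password_reused": True},
    {"name": "mail.example", "was_vulnerable": True, "openssl_patched": True,
     "cert_not_before": "Apr  9 10:30:00 2014 GMT", "password_reused": False},
    {"name": "shop.example", "was_vulnerable": True, "openssl_patched": True,
     "cert_not_before": "Feb  2 00:00:00 2014 GMT", "password_reused": False},
    {"name": "blog.example", "was_vulnerable": True, "openssl_patched": False,
     "cert_not_before": "Apr  9 10:30:00 2014 GMT", "password_reused": False},
]

if __name__ == "__main__":
    for site in SAMPLE_SITES:
        verdict, reason = password_advice(site)
        print(f"{site['name']:<14} {verdict:<17} ({reason})")
```

In practice you would fill the notBefore field from ssl.getpeercert() on a live connection and the vulnerable/patched flags from the provider's announcement; the certificate date is the one part of the check you can verify yourself, which is exactly why the article tells you to wait until the certificate has been replaced.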
[Image: LastPass: Heartbleed security check]

There is an easier solution

In short, the Heartbleed bug and its repercussions are complex. Instead of spending the next few days and weeks checking your favorite websites to see if they’ve plugged the vulnerability, though, there is an easier solution: Start using LastPass.
LastPass, if you’ve never used it before, is the best cross-platform password manager in the world — and it’s free to boot. LastPass uses a different password for each of your various web apps and services, so that even if hackers get their hands on one password, they can’t go any further. More importantly, though, LastPass now includes a tool that checks all of your websites to see if they are vulnerable to Heartbleed, and whether they’ve updated their security certificates.
If you use a large number of web services it will take a little time to switch all of those passwords over to the LastPass Vault, but it’s worth it. Really, given the shoddy security practices of many large companies, and the shocking regularity of their databases getting hacked, you should use a password manager like LastPass if you care about your online security and privacy.
