Heartbleed bug: which passwords should you change?

heartbleed_2876718bThe internet security bug known as “heartbleed” announced this week has stunned everyone since it affects more than half a million widely-trusted websites and has been in place for about two years before being identified. (Please share this information with anyone who you think may not be aware of what action to take.)

Some security experts are advising changing all of your passwords, but before you do, here’s what you need to know:

French-test.com and Kwiziq.com

Were we affected: Yes

Has it been patched: Yes

Do you need to change your password: Almost certainly not (see below).

Technical details: We’re not advising users to change passwords with us; however, you should check the list of sites below and change any that store sensitive information about you, especially financial details like credit cards. Our sites are not high-risk because:

1. We generate a random initial password for you. This guarantees your password with us is different to your other accounts and therefore can’t be stolen and used to access any other sites.

2. We don’t store any "stealable" information about you, just your email address. For example, we never store payment card details; they’re all held by PayPal (who, by the way, were not affected by this bug).

3. We’re still quite new and small and extremely unlikely to be a target.

4. However, if you want to play on the safe side, you can easily change your password here.

Which passwords on other sites should you change?

Firstly, there’s no point changing passwords with any site until they have confirmed they have patched the problem.

Here’s a brief explanation of the problem. There are two types of web pages: secure web pages (these have https:// at the beginning and the ‘s’ means secure) and then plain text web pages (beginning with http://). Most websites serve a combination of these, only switching to secure connections when dealing with sensitive information such as logging in, passwords, card transactions, etc. All other web pages are sent over the internet plain text and can be "snooped".

The heartbleed bug means that a hacker who knows of the bug and how to exploit it (which is not easy) can potentially snoop on some secure connections and steal email addresses, passwords, and credit card information if that’s what the webpage was sending to and from your computer at the time.

Since the bug has been around for two years, a lot of pages thought to be secure were potentially vulnerable, although that doesn’t necessarily mean anything was broken into.

Major sites that were affected and likely to have been targeted

  1. Google
  2. Yahoo
  3. Facebook
  4. Tumblr
  5. Dropbox


Sites not affected

Most bank websites claim not to have been affected: they don’t use OpenSSL, so this is reasonable. But do check yours.

Two other popular websites are also not affected: AOL, Amazon.

If in doubt, do change your password after ensuring that the bug has been patched.

General advice about passwords

1. Don’t reuse the same passwords on different websites. Use a separate password for each website, so if one is stolen it can’t be used to open any other (think of them as keys to houses, make sure they’re different).

2. Use a password manager like LastPass or KeePass to manage your passwords so you don’t have to remember them.

Author info

Gruff Davies

Despite the very Welsh name, Gruff is actually half French. Nowadays, he's a tech entrepreneur (and some-time novelist) but he used to be a physicist at Imperial College before getting hooked on inventing things. He has a special interest in language learning, speaks five languages to varying degrees of fluency and he often blogs about language learning, science, and technology. As well as co-founding Kwiziq, he is the author the Amazon best-selling SF thriller, The Looking Glass Club and the inventor of the Exertris gaming exercise-bike and Pidgin, a free online tool that makes drawing flow charts and relationship diagrams as quick and easy as describing them in pidgin English.

Comments: 1

Hi Gruff!
Thanks for information. I had heard of this Bug but didn't think I would be affected. Will now be changing my Google, and Yahoo Passwords. Don't use the other three.
Regards Anji