TIME Security

Heartbleed Bug: Here Are the Passwords You Should Change

While the extent of the data security breach caused by the Heartbleed Bug is unclear, it's better to be safe than sorry. The bug likely affected several popular websites. Here are the passwords you'll probably want to change.

When it comes to changing your passwords, the Heartbleed Bug is a better-safe-than-sorry bug.

This is not a case of hackers breaking into a bunch of sites and stealing all the sites’ usernames and passwords; this is a vulnerability that allowed hackers to grab relatively small chunks of data as they flowed through sites. If you happened to be entering your username, password or credit card number as someone was making a grab, it’s probably out there now.

You’re playing the odds, in other words — and we don’t exactly know what the odds are. This bug has existed for a couple years but was just recently publicly disclosed, so there’s no telling how extensive the damage may or may not be. Again, you’re better safe than sorry.

Checking the Big Sites

A user over on GitHub has taken the liberty of checking the top 10,000 Alexa-ranked websites to see which ones are (or were) vulnerable to the bug. What’s handy is that the first test was run two days ago, and a second test was run within the past eight hours, so we can see which sites have patched up the vulnerability.

The good news is that the first test returned 630 vulnerable sites, while the second test returned just 178 vulnerable sites — so there’s progress being made as it pertains to patching things up. And the majority of the vulnerable sites on the most recent list aren’t exactly household names. I recognize only TinyURL, The Street and The Daily Caller.

Popular Sites Advising You to Change Your Password

According to Mashable’s list of popular Heartbleed-afflicted sites, here are some of the big sites where you should change your password:

Google actually claims your password is safe, but it’s using the better-safe-than-sorry argument. Of note, Apple has stayed silent, but the GitHub test runs have shown that Apple’s main site doesn’t use SSL (the type of security protocol that’s affected by this bug). Apple’s online store (store.apple.com) is either fixed or unaffected, according to this Heartbleed testing site. But again: better safe than sorry. Have I mentioned that yet?

Sites That Weren’t Affected

Other big sites that definitely weren’t vulnerable, according to Mashable:

  • LinkedIn
  • Amazon
  • Microsoft (including Hotmail and Outlook)
  • AOL
  • PayPal
  • Evernote

Also good news: it looks like none of the major banking sites Mashable checked were vulnerable.

How to Check If a Site Is Affected

Any time you see the little lock icon up in your address bar, you can use this tool right here, "Test your server for Heartbleed (CVE-2014-0160)," to check if that particular site is affected or not. Note that if a site is affected, you should not change your password for that site. Wait until the site has been patched up and then change your password. Changing your password before a site’s been fixed only makes your new password vulnerable.

How to Create a Strong Password

As far as the Heartbleed Bug is concerned, the strength of your passwords may not have mattered much, as evidence has suggested that the data grabbed from certain sites revealed unencrypted credentials, but it’s still a good idea to use strong passwords in the case of conventional security breaches.

Here’s a quick video with a popular technique for creating strong passwords:

The Heartbleed Hit List: The Passwords You Need to Change Right Now [Mashable]
