Heartbleed SSL Bug, Change passwords globally

avantegardener

#1  Edited By avantegardener

mosespippy

Damn it. That list says MSN was affected, while another list I saw this morning said Hotmail/Outlook wasn't. Aren't they the same thing? Now I'm thinking I should change every password regardless of what lists are saying.

ChrisHarris

#4  Edited By ChrisHarris

Oh no! Does this mean I'll need to change my Giant Bomb BBS password?!

Snail

Damn it. That list says MSN was affected, while another list I saw this morning said Hotmail/Outlook wasn't. Aren't they the same thing? Now I'm thinking I should change every password regardless of what lists are saying.

Pretty sure they haven't been "the same thing" for a number of years now. It would be really strange if Microsoft used OpenSSL, too.

RonGalaxy

#6  Edited By RonGalaxy

Guess this is the universe telling me I need a password management program. Anyone have recommendations? (I'm on PC and Android)

TobbRobb

EXTomar

#8  Edited By EXTomar

The basic problem is that people are using the same password all over the place. Sure you would have to change the password at some place compromised but if all passwords were unique then the issue is contained.

Steadying

I feel like I'm being asked to change my password at least once a month now, be it from hackers, bugs, etc. Pretty annoying.

Aetheldod

I suppose I don't need to change Steam, right? Only web ones?

mosespippy

Guess this is the universe telling me I need a password management program. Anyone have recommendations? (I'm on PC and Android)

Password management programs didn't protect anything from this bug. It's a vulnerability for data in transit from user to server.

ripelivejam

So I need at least 5 random character/number passwords to be protected? That's going to be easy to remember...

RonGalaxy

@narujoe93 said:

Guess this is the universe telling me I need a password management program. Anyone have recommendations? (I'm on PC and Android)

Password management programs didn't protect anything from this bug. It's a vulnerability for data in transit from user to server.

I know that, the problem is that I have to change my passwords every freakin month because of stupid shit like this. I'm sick of keeping track of my passwords, I'm just going to let a program handle it from now on (went with LastPass. KeePass seemed too sketchy)

strainedeyes

Damnit, Google. It took me forever to memorize my convoluted password.

CatsAkimbo

#15  Edited By CatsAkimbo

@aetheldod said:

I suppose I don't need to change Steam, right? Only web ones?

Anything that uses OpenSSL, which can include non-browser software and hardware devices.

@extomar said:

The basic problem is that people are using the same password all over the place. Sure you would have to change the password at some place compromised but if all passwords were unique then the issue is contained.

Normally yeah, but the majority of places you have a password were probably affected by this, so you'll need to be changing a ton of passwords anyway. LastPass now checks if sites you have passwords on have updated OpenSSL though, so that makes it pretty convenient to know when to update.

Gantrathor

I hate the internet sometimes.

Aetheldod

CatsAkimbo

#18  Edited By CatsAkimbo

m4r71n2012

#19  Edited By m4r71n2012

I'm guessing if you use two stage authentication that would at least stop anyone using an account even if they have the password?

Ben_H

#20  Edited By Ben_H

Yay for password managers! Switching from one gibberish password to another takes like 2 seconds per site luckily. I'm switching everything just to be safe. After it is confirmed that the bug is fixed on a given site of course.

@m4r71n2012 said:

I'm guessing if you use two stage authentication that would at least stop anyone using an account even if they have the password?

Yes, as long as they don't have access to the other form of authentication. For stuff like Blizzard's 2-factor, where you have a mobile phone app for the second factor, or Google, where they text you the information for the second factor, you are good. But for stuff like Steam, where they simply email you the second key, it is a bit less secure if your email is compromised. If your email is not compromised then you are fine.

Aegon

#21  Edited By Aegon

Why would changing your password help? If the problem is that they can listen to the password in transit, then they can listen to a changed password as well.

mike

@aegon said:

Why would changing your password help? If the problem is that they can listen to the password in transit, then they can listen to a changed password as well.

The exploit has been fixed by most sites and has been for days.

Ben_H

#24  Edited By Ben_H

@aegon said:

Why would changing your password help? If the problem is that they can listen to the password in transit, then they can listen to a changed password as well.

The idea is that you change your password after the bug is fixed, not before, which is why they say to wait until it is fixed for a given site before changing. There's no point changing it before.

ZolRoyce

Thanks for the heads up on this. I've had to change my password so many times on so many sites already I don't even bother memorizing them anymore, I just slam my face down on the keyboard and go with whatever appears.

musubi

I'm not going to discount the potential security threat of this but honestly, this bug has been apparently there for the past two years and in those two years there were no reported incidents of this actually being implemented to steal data. Most major sites have already patched this. I think people are overreacting just a LITTLE bit about this.

mike

#27  Edited By mike

...and in those two years there were no reported incidents of this actually being implemented to steal data.

Of course there were no reports of the exploit being used to steal data, it wasn't discovered until recently. But now it has been discovered and it's out in the wild...you can't really compare the number of incidents last week to the potential number and severity of incidents going forward with servers that don't have the vulnerability fixed.

CatsAkimbo

#28  Edited By CatsAkimbo

I'm not going to discount the potential security threat of this but honestly, this bug has been apparently there for the past two years and in those two years there were no reported incidents of this actually being implemented to steal data. Most major sites have already patched this. I think people are overreacting just a LITTLE bit about this.

In some ways, yeah. But the way this bug was disclosed was kind of shitty in my opinion. In the past, people have kinda quietly talked to the big companies a day or two before publishing, but here they just were kinda like "Hey, shit's broken! Here's how to exploit it!"

So although people didn't know about it for 2 years, they know about it now, so in those 2 days or whatever from publishing to patching, anyone fast enough was definitely able to compromise important stuff, and very few people have it set up to even detect that happening.

Gantrathor

So should I change passwords for sites I rarely use/haven't used in a long time after they have been patched? I'm still not entirely sure how the process of stealing information works with this bug.

Forcen

#30  Edited By Forcen

LastPass is damn good you guys, makes this so much easier.

EDIT: Anyone know if Giant Bomb is/was vulnerable? The cert they use now is from March 25th.

musubi

@mb: Sure, and I'm sure as word broke a large number of hackers moved forward to try to do as much damage as they could, but also most major sites are patched now. Yeah, it's always good to be sure, but as a pure numbers game here I think most people are going to be just fine even if they don't change passwords. I'll keep an eye out for suspicious activity but I'm not bothering to learn new passwords for every single thing I use on the internet. Christ, I forget half the passwords I do have now.

SingingMenstrual

#32  Edited By SingingMenstrual

@forcen said:

LastPass is damn good you guys, makes this so much easier.

I've never used these password programs so I gotta ask: Doesn't the password program need a password for you to log into your account on it? Doesn't that mean it's as hackable as any other service? If that's true then I wouldn't want all my passwords saved in one place that might get hacked.

But something tells me I'm way off..

CatsAkimbo

@forcen said:

LastPass is damn good you guys, makes this so much easier.

I've never used these password programs so I gotta ask: Doesn't the password program need a password for you to log into your account on it? Doesn't that mean it's as hackable as any other service? If that's true then I wouldn't want all my passwords saved in one place that might get hacked.

But something tells me I'm way off..

It's encrypted on your computer/device using the password, so your password is never uploaded to the internet. Still susceptible to anyone who can get access to your computer through whatever means, but so is pretty much anything.

RonGalaxy

#34  Edited By RonGalaxy

I've come to the conclusion that if someone tries to steal my identity via internet bullshit, I do not give a fuck. I'll just say 'okay, you win' and move to the Alaskan wilderness.

Edit: also, when everything explodes and we're left to pick up the pieces, this song will be playing


MattyFTM

#35  Edited By MattyFTM  Moderator

I'm going to change my LastPass password and that's about it. I have most important things set up with two-tier authentication, so no one can access stuff like my email and PayPal even if they have access to my passwords. Most other things aren't that important. As long as my emails and payment information are safe, I'm happy.