Heartbleed passwords: to change or not to change?

Some thoughts on the do-you-or-don’t you change your password:

  • Assumptions:
  • Data theft is entirely random- as far as I’m aware, even if the exploit can be automated it retrieves random data from the server. Therefore any given individual may or may not have had data stolen- it would be almost impossible to target an individual;
  • Large targets (e.g. Amazon, Google) are more likely to have the exploit run against them than small targets;


  • Why you shouldn’t change password
  • Any given site not patched (check at https://filippo.io/Heartbleed/), therefore if you change your password for that site it is at risk of being exploited again;
  • It’s being reported that there are a vastly greater number of attacks because of the recent visibility of Heartbleed, therefore your new password has a greater chance of being intercepted;


  • Why you should change password
  • Any given site might be patched (check at https://filippo.io/Heartbleed/);
  • The vast number of attacks mentioned above has its diametric opposite: a vast number of changes means the memory on web servers will be updating a lot, which means any given details should be in memory for a shorter time and may therefore be less susceptible to this exploit;
  • An old password may have been stolen at any point over a 2-year period; therefore if you DON’T change your password, stolen data could still be used to login. A 2 year period is a long time to steal data, given this site- http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge– reports that it took a (benign) hacker just a day to steal private keys from the CloudFlare challenge site;
  • Even if your account has been accessed you might be able to get in- an attacker might not change your password so that they can still get in while you are also simultaneously accessing the site;

I can’t answer any probability questions, but my money is on changing, rather than not changing.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s