4/30/2014
11:00 AM
Dave Kearns
Commentary

Post-Heartbleed: When Not To Change Your Password

One takeaway from Heartbleed is that conventional wisdom about the need to periodically change passwords is wrong.

Even if you’ve been hiding under a rock or vacationing on Mars, you’ve heard about the Heartbleed bug. It wasn’t only prominent in the tech journals and blogs, but was blared forth in the general media. Newspapers, radio, TV, and magazines all had screaming headlines urging you to "Change all the passwords!" -- and do it now.

They were, of course, wrong.

Two years ago, when an unencrypted file of usernames and passwords was taken from Yahoo’s website, many of these same general-purpose media outlets were also screaming "Change all the passwords!"

A month before that, when more than 6.5 million hashed user passwords were taken from LinkedIn, the media headlines were (you guessed it): "Change all the passwords!"

They were mostly wrong in all of these cases.

In the case of LinkedIn, the hashed value of passwords is useful only on that one site -- but without the associated username it’s virtually useless. Still, to correct the problem all that has to happen is for LinkedIn to change the hash factor.

In the case of the Yahoo breach, there were usernames associated with the passwords, and they were in clear text. Speculation was that the file was a backup file acquired by Yahoo along with the purchase of software company Associated Content. Rigorous experimentation showed that none of the username/password combos could be used to log in to Yahoo.com. So, no need to change your Yahoo password. If you had the same username/password combo on another site, though, it would be good to change that one.

And that brings us to Heartbleed.
Heartbleed takes its name from the Transport Layer Security (TLS) Heartbeat extension: the vulnerability results from a missing bounds check in the handling of that extension within the open-source OpenSSL cryptography library, used by approximately 500,000 secure web servers (close to 20 percent) around the world. These servers were believed to be vulnerable to an attack that would allow theft of the servers' private keys and users' session cookies and passwords.
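To make the "missing bounds check" concrete, here is a minimal heartbeat-response builder in C that performs the check the vulnerable code omitted: it rejects any record whose claimed payload length does not fit inside the bytes actually received, so nothing beyond the record can be echoed back. This is an added illustration, not code from the article or from OpenSSL; the function name and the zeroed padding are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TLS Heartbeat message layout (RFC 6520): 1-byte type, 2-byte big-endian
 * payload_length, payload bytes, then at least 16 bytes of random padding. */
#define HB_REQUEST        1
#define HB_RESPONSE       2
#define HB_HEADER_LEN     3
#define HB_MIN_PADDING    16

/* Build a heartbeat response for a received heartbeat record (hypothetical
 * helper). Returns the response length written to out, or -1 if the record
 * is malformed, including the Heartbleed case: the claimed payload_length
 * exceeds the bytes that actually arrived. */
int heartbeat_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    /* Need at least the header and the minimum padding. */
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;

    /* payload_length comes from the peer and must not be trusted. */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);

    /* The bounds check the unpatched code lacked: the claimed payload plus
     * the padding must fit inside the record that was received. Without
     * it, the memcpy below reads payload_len bytes past the record's end. */
    if ((size_t)HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len)
        return -1;                    /* silently discard, as the fix does */

    size_t resp_len = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    /* Echo only the bytes the peer really sent. */
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);
    /* Padding would be random in a real implementation; zeroed here. */
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    return (int)resp_len;
}
```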

Extensive research showed that no attacks had taken place up to the time the patched version of OpenSSL was released. That means no passwords were compromised up to that point. Still, those passwords remained vulnerable until the patch was applied.

But if you changed your password before the patch was applied, then the new password (along with all associated data necessary for the change) was now vulnerable. So, no, you shouldn’t "change all the passwords immediately." But what should you do?

  1. Download the extensions for Chrome and Firefox that check websites’ vulnerability to Heartbleed, which you can find out about in this recent article by Dark Reading’s Kelly Jackson Higgins.
  2. Whenever you use HTTPS to view a website, use the browser tool to see if the site is vulnerable or has been patched (or doesn’t need to be patched).
  3. If it’s vulnerable, Get Out of There -- right away.
  4. If it’s been patched, log in then immediately change your password.

It’s not really difficult, but it does require some discipline on your part. There are many lessons to be learned here, the most important of which is to marshal your information so that you can make an informed decision about security. And never, ever rush off to do something because the blonde newsreader on the local TV news tells you that you have to do it. Seek out information from qualified sources first. I know you do (you’re here at Dark Reading, aren’t you?) but make sure your friends, relatives and co-workers also know.

Conventional wisdom is wrong
The other thing Heartbleed should teach us is that the traditional advice to change passwords periodically is wrong. Consider this: Many conspiracy theorists believe that the NSA was aware of Heartbleed and exploited it for years. That would mean that every time you changed your password on a compromised server the spooks would have another entry for your file. If you were truly conscientious about changing passwords, then the surveillance crew could have 20 or more of your well-chosen passwords, which, more than likely, were also used by you at some time or other on secure sites that didn’t use OpenSSL. Changing your password made the NSA’s job easier!

Now, before you get all paranoid, it’s been pointed out that Lavabit, Edward Snowden’s email provider, used the OpenSSL library. If the NSA had exploited Heartbleed, then they wouldn’t have needed to demand that Lavabit turn over its SSL keys. Negative evidence, true, but compelling.

There’s no telling what bugs or exploits will turn up in the future, so rather than urge you to slavishly change passwords every 30-60-90 days, the best advice I can give you is to use different passwords for every site you log into. That way, if anyone is compromised it’s only that one site -- and one account -- that’s vulnerable.

Dave Kearns is a senior analyst for Kuppinger-Cole, Europe's leading analyst company for identity-focused information security and networking. His columns and books have provided a thorough grounding in the basic philosophies of directory technology, networking, and identity ...
Comments
Marilyn Cohodas,
User Rank: Strategist
5/1/2014 | 8:45:33 AM
Re: Change passwords between sites, not over time.
So true, @Dak. When it comes to security, the aphorism "Don't let the perfect be the enemy of the good" definitely applies.
dak3,
User Rank: Apprentice
4/30/2014 | 10:59:08 PM
Re: Change passwords between sites, not over time.
There is no perfect security, unless you disconnect from the 'net
RyanSepe,
User Rank: Ninja
4/30/2014 | 9:10:08 PM
Re: Change passwords between sites, not over time.
Agreed.

And @Marilyn, to expand on my previous statement, after doing more research the vulnerability lies with Apple's touch print as well. However, the person would need a fingerprint mold such as with other touch print vulnerabilities so this is not specific to the mobile platforms. Though possible, it is a very detailed and therefore difficult attack vector.
pshanks945,
User Rank: Apprentice
4/30/2014 | 8:34:53 PM
Re: Change passwords between sites, not over time.
If it comes down to having my password stolen or my thumbprint, I'll give up the password every time. Never underestimate the abilities of a truly motivated thief, especially if what you're protecting is truly valuable.
RyanSepe,
User Rank: Ninja
4/30/2014 | 6:24:06 PM
Re: Change passwords between sites, not over time.
Also, to the end of a thumbprint scanner I would be careful. I have the iPhone 5S and use the thumbprint but I hear that there lies a security vulnerability within the Galaxy S5 thumbprint function. I'll have more details soon.
Marilyn Cohodas,
User Rank: Strategist
4/30/2014 | 3:37:56 PM
Re: Change passwords between sites, not over time.
You can still enter the password manually! I had to figure that out when my husband borrowed my phone. No thumbs involved...
ChrisMurphy,
User Rank: Apprentice
4/30/2014 | 3:29:06 PM
Re: Change passwords between sites, not over time.
I would like that. Only problem I can see is I'll often ask my kids to check messages while I'm driving -- I can tell them my password, can't so easily pass them my thumb!
Marilyn Cohodas,
User Rank: Strategist
4/30/2014 | 3:23:22 PM
Re: Change passwords between sites, not over time.
My phone has a thumbprint scanner and I love it! Much better than trying to remember a different password for every site I visit. Three cheers for biometrics.
ChrisMurphy,
User Rank: Apprentice
4/30/2014 | 2:55:43 PM
Re: Change passwords between sites, not over time.
My phone has a 7-digit password, and I have to change it every few months. I'm running out of phone numbers to use.
dak3,
User Rank: Apprentice
4/30/2014 | 12:55:55 PM
Re: Change passwords between sites, not over time.
Exactly. Tools like LastPass become very useful.