Infographic Shows Which Passwords Need to be Changed Because of Heartbleed

dgstorm

lwg-heartbleed-password-changes.jpg

It's hard to disseminate all the info running rampant across the internet regarding the Heartbleed SSL vulnerability which has been the big media talk over the past week and a half. We mostly stayed away from the story to avoid spreading any "fear-mongering."

Still, that doesn't mean we don't want to offer some useful intel for you guys. We've been holding out so we could wait until much of the initial hype died down and something useful came along. The above infographic is precisely that. The cybersecurity experts at LWG Consulting have put together a handy infographic which gives details on which major websites/web-services we should change our passwords on ASAP. It also shows some websites that we can breathe easier about.

It's possible that this infographic isn't 100% exhaustive, but it should be a great starting reference. Many of the companies who own these websites are currently scrambling to fix the vulnerability. Some of them have already fixed the vulnerability, but the problem has been there for years, so it is best to change your password regardless.

Source: LWG
 

VirtualCLD

Is it worth changing the password on sites that haven't implemented a fix yet? It would seem that you're still vulnerable until the site has patched OpenSSL and reissued all of its certificates.
 
dgstorm

You make a very valid point VirtualCLD... it is possible that you will need to change your password again once all of these sites have corrected the vulnerability. It's probably still worth changing it now, and then again later on once that fix happens for all the sites. Some of these sites have already patched the problem. At the very least, if you change your password now, then if some bad guys have your old password stored in a database because of accessing it in the past, they will be wrong.
 

johnomaz

Though I changed my passwords for the sites I'm affected with, the important ones I use a 2-step process for anyways, so if someone tried to log in under my account, they would need my unique code that changes every 30 seconds. But I did anyways just to be safe.
 

VirtualCLD

> You make a very valid point VirtualCLD... it is possible that you will need to change your password again once all of these sites have corrected the vulnerability. It's probably still worth changing it now, and then again later on once that fix happens for all the sites. Some of these sites have already patched the problem. At the very least, if you change your password now, then if some bad guys have your old password stored in a database because of accessing it in the past, they will be wrong.

You also raise a good point. I think it's time to reconsider a password manager, since I am having trouble remembering all of these different passwords for each site. My only concern is I can't use one at work when I want to access some personal sites and I don't know how secure it would be to have all of these passwords stored together on a remote server. Probably better than the situation I'm in now though.
 
dgstorm

I've been thinking about a password manager myself too. I use so many different passwords that sometimes I get them confused and have to "hack" myself! lol!
 

johnomaz

Honestly, I don't trust password managers. It's one of those things that you wonder if they are secretly sending your passwords back to themselves.
 
dgstorm

I've wondered the same thing too. That's probably why I haven't tried one yet. :)
 

BMWBig6

Thanks for sharing, but is there a bigger version of that image? I checked LWG's site and can't find the report. I can barely read the text in the version hosted here.
 

jpiarull

I received an email from Norton that has a website vulnerability tool. Tests a webpage to see if it was affected by the virus. I tried numerous ones, including ones that suggest changes. Tool claims those websites were OK, besides the ones unaffected. Obviously you should change passwords quite often, using alphanumeric combos with special characters (if allowed by host-site).

Joseph

 

mslaceyrose

> You also raise a good point. I think it's time to reconsider a password manager, since I am having trouble remembering all of these different passwords for each site. My only concern is I can't use one at work when I want to access some personal sites and I don't know how secure it would be to have all of these passwords stored together on a remote server. Probably better than the situation I'm in now though.

> I've been thinking about a password manager myself too. I use so many different passwords that sometimes I get them confused and have to "hack" myself! lol!

> Honestly, I don't trust password managers. It's one of those things that you wonder if they are secretly sending your passwords back to themselves.

I've never completely trusted password managers either, so I have an Evernote file with all my passwords, but I have them in code, like little riddles, that only I would be able to decipher (yeah, I'm paranoid, lol)

However, with this Heartbleed situation, and after reading the article linked below, I'm going to temporarily use one. According to the article, LastPass, having updated recently to include a feature that will check every one of your stored sites, will tell you which ones have patched the vulnerability and updated certificates. It looks like it makes it really easy. It will say either "Go ahead and change your password" for each site that's been fully patched, or "wait" for ones that have not yet patched. This is important because, as VirtualCLD noted, changing passwords before a site has patched will still leave you vulnerable. (regarding that, though, I think dgstorm's rationale for changing passwords on ALL vulnerable sites now, then changing them again after the site implements the patches, is sound advice)
Worried about Heartbleed? LastPass' Security Check has you covered | ZDNet
 