Urgent security update: What you need to know about the Heartbleed internet password bug
The discovery of a major flaw in internet security has prompted several tech firms to urge people to change all their passwords.
By Dave Lancaster | 11:38 10 April 2014
As far as internet security goes, the Heartbleed bug is a major concern, with several major tech firms banding together to advise customers to change ALL of their passwords.
It comes after the news that the popular OpenSSL cryptographic software library used to safeguard data such as passwords could be compromised to allow eavesdropping.
Potential hackers can only access little chunks of vulnerable data at a time as it 'bleeds' out, but they can build up the beats to create a full beating heart's worth of information. Fake sites can then be created to lure users into disclosing more sensitive information.
There has been no evidence that cybercriminals have actually harvested any data, but it's better to be safe than sorry, which is why high-level organisations such as Tumblr state "change your passwords everywhere - especially your high-security services like email, file storage and banking".
Typically a site using OpenSSL displays a padlock icon in the web browser to let users know that it is secure. OpenSSL digitally scrambles data so that only the service provider and intended recipients can make sense of the information.
Yahoo!'s Tumblr blogging site confirmed: "The little lock icon we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible."
James Lyne, global head of research at security firm Sophos, told MailOnline: "While the fault has now been fixed, providers must apply it manually, so many still are vulnerable.
"Worse still, the defect was in the code for over two years before being discovered by security researchers - attackers could have discovered this at any time during that period and retrieved large volumes of data without anyone knowing.
"At this point the best thing for consumers to do is to assume their passwords and alike have been leaked. They may not have been, but since it's very hard to actually tell retrospectively, it is better to be safe than sorry."
The flaw has been present for two years, according to Google Security and Codenomicon, and research by analytics firm Netcraft found that nearly half a million websites could be affected.
Websites potentially vulnerable to the Heartbleed bug include:
Facebook, Twitter, Tumblr, Instagram, Google, Gmail, Lloyds TSB, Nationwide, Santander
Sites declared safe from Heartbleed:
Bing, Yahoo, Flickr, LastPass, DuckDuckGo, Natwest, GitHub
How to beat the Heartbleed bug:
The advice is simple and clear. Confirm that the website you're using has either fixed the flaw or was immune from it and THEN change your password, ensuring that you use a mixture of letters and numbers. A phrase or random selection of letters and numbers is better than just a single word. Never use the same password for everything. If you struggle to keep track of multiple passwords, it's better to use a trusted password keeper program.
For detailed information, visit the Heartbleed site: http://heartbleed.com/