skud ([personal profile] skud) wrote 2014-04-09 10:21 am

You don’t need to change all your passwords

This is a crosspost from Infotropism. You can comment here or there.

This is probably going to be a wildly unpopular opinion and IDGAF. So many of my non-technical friends are freaking out that I feel the need to provide a bit of reassurance/reality.

First, an analogy.

In 2005 we learned that you can open a Kryptonite U-lock with a ballpoint pen. Everyone freaked out and changed their bike locks ASAP. Remember that?

Now, I wasn’t riding a bike at the time, but I started riding a bike a few years later in San Francisco, and I know how widespread bike theft is there. I used multiple levels of protection for my bike: a good lock, fancy locking posts on the seat and handlebars, and I parked my bike somewhere secure (work, home) about 90% of the time and only locked it up in public for short periods. Everywhere I went I saw sad, dismembered bike frames hanging forlornly from railings, reminding me of the danger. Those were paranoid times, and if I’d been riding in SF in 2005 you can bet I would have been first in line to replace my U-lock.

These days I live in Ballarat, a country town in Victoria, Australia. Few people ride bikes here and even fewer steal them. I happily leave my bike unlocked on friends’ front porches, dump it under a tree while I watch birds on the lake, lean it against the front of a shop just locked to itself while I grab a coffee, or park it outside divey music venues while I attend gigs late at night. I have approximately zero expectation of anything happening to it. If I heard that my bike lock had been compromised, I wouldn’t be in too desperate a hurry to change it.

Here’s the thing: if you are an ordinary Jane or Joe living the Internet equivalent of my cycling life in Ballarat, you don’t need to freak out about this thing.

Here are some websites I use where I’m not going to bother changing my password:

  • The place where I save interesting recipes
  • The one I go to to look at gifs of people in bands
  • That guitar forum
  • The one with the cool jewelry
  • The wiki I edit occasionally
  • The social network I only signed up for out of a sense of obligation but never use

Why? Because a) probably nobody’s going to bother trying to steal the passwords from there, and b) even if they did, so what?

This Heartbleed bug effectively reduces the privacy of an SSL-protected site (one whose URL starts with https://, which will probably show a lock in your browser’s address bar) to that of one without. Would you log in to a site without SSL? Do you even know if the site uses SSL? If you’d log in to your pet/recipe/knitting/music site anyway — if you’d do it from a coffee shop or airport — if you’d do it from a laptop or tablet or phone that doesn’t have a strong password on it — if you don’t use two-factor authentication or don’t know what that means — then basically this won’t matter to you.

(I’m not saying it shouldn’t matter. You should probably set strong passwords and use VPNs and two-factor authentication. Just like you should probably lock your bike up everywhere you go, floss, and get your pap smears on the regular. Right? Right? *crickets*)

So if you’re a regular Jane — not working in IT security, not keeping state secrets, etc — here’s where you really need to change your passwords:

  • Any site you use to login to other sites (eg. Google, Facebook)
  • Any site that gives access to a good chunk of your money with just your password (eg. your bank, PayPal, Amazon)

(To do this: use this site to check if the site in question is affected, then if it’s “all clear” change your password. Don’t bother changing your password on a still-affected site, as that defeats the purpose. Oh, and you should probably change your passwords on those sites semi-regularly anyway, like maybe when you change the batteries in your smoke alarm. Which I just realised I should have done the other day and didn’t. Which tells you everything, really.)

Beyond those couple of key websites, you need to do a little risk assessment. Ask yourself questions like:

  • Has anyone ever heard of this site? Does anyone care? Is it likely to be a target of ominous dudes in balaclavas?
  • If I lost my login to this site, or someone could snoop what I had on that account, what is the worst that could happen?

If your answer is “I’d lose my job” or “I absolutely cannot survive without my extensive collection of Bucky/Steve fanart” then by all means change your password.

If your answer is “Eh, I’d sign up for a new one” or “Wait, even I’d forgotten that site existed” then you can probably stop freaking out quite so much.

DISCLAIMER: I am not an Internet security expert, just a moderately well-informed techhead. Some people, including better-informed ones, will disagree with me. You take this advice at your own risk. La la la what the fuck ever, you’ll most likely be fine.

[personal profile] puzzlement 2014-04-09 12:38 am (UTC)(link)
Also a moderately well-informed techhead but not an infosec expert and I concur. I'll probably also be changing filesharing related passwords (Dropbox) and password management passwords that have at some point been transmitted over the Internet (LastPass).

Other than that, not so much. If nothing else, my password database has a few hundred sites in it. By the time I'm done changing them all, there'll be another Very Serious Bug in encryption software anyway. (They're now roughly a monthly occurrence; as I tweeted yesterday, I am never writing crypto software.) I believe the thing about how once they're done repainting the Sydney Harbour Bridge they immediately have to start again on the other side is an urban myth, but that.
[personal profile] inkstone 2014-04-09 12:51 am (UTC)(link)
Yeah, this was my reaction to this. I was planning to change the passwords to all my financial stuff & email but not much else because eh, the food and manga pics on my tumblr????
[personal profile] st_aurafina 2014-04-09 02:20 am (UTC)(link)
This was really helpful - thanks so much. Off to change the important passwords, and let tumblr hang.
[personal profile] lilacsigil 2014-04-09 02:50 am (UTC)(link)
Thanks, that was helpful! I've changed passwords that involve my money.
[personal profile] niqaeli 2014-04-09 06:30 am (UTC)(link)
...I'm honestly kind of glad to see someone reasonably informed of a similar mind on this. This is a relevant/insightful take.
[personal profile] niqaeli 2014-04-09 06:36 am (UTC)(link)
Ha. Indeed! I'm fond of the mouseover, as well.
[personal profile] copracat 2014-04-09 01:30 pm (UTC)(link)
I got all awwww and completely distracted when it got to attack ships on fire. Ah, formative cinema experiences.
"OMG this is so awful"

[personal profile] ewen 2014-04-10 03:57 am (UTC)(link)
Possibly also relevant is that it was given a memorable name, and a bunch of detail around "the worst that could have happened" right up front, so it pretty rapidly went viral: ie, good marketing. In the face of the fear generated, the "change everything" meme seemed to take hold pretty quickly.
PS: I tend to agree with your advice. The only sites I might go out of my way to change passwords are ones where I'd be extra cautious about where I logged into them ("is this really SSL"? "is this the right site?") anyway. For everything else, they're all one-off random passwords, to unimportant things, so... whatever.
[personal profile] geeksdoitbetter 2014-04-10 01:44 pm (UTC)(link)
I would like to have a lay understanding of infosec.

Is there a small handful of blogs you'd recommend folks starting to follow?

[personal profile] puzzlement 2014-04-10 10:36 pm (UTC)(link)
Disclaimer: not an infosec expert. And by lay, I don't know if you mean "computer expert but not infosec" or "not computer expert". But, more in the second category, and for the sake of a perhaps imperfect recommendation being better than none at all, I'd suggest:

Reading one of Bruce Schneier's books, probably Secrets & Lies ("Information security expert Bruce Schneier explains what everyone in business needs to know about security in order to survive and be competitive") and if you want a second, Liars & Outliers for his overall philosophy on security versus pragmatism versus trust.

Then (or in advance!) follow his blog, particularly for the entries where he links to writing he's done for non-technical sites.
[personal profile] ironed_orchid 2014-04-09 03:36 am (UTC)(link)
Thanks for this post.

I had sort of assumed this was the correct response, because most of the stuff I do online has no interest to anyone but me and my friends.
[personal profile] niqaeli 2014-04-09 06:35 am (UTC)(link)
Yeah. I know my infosec practices aren't top of the line and all proper. I mean, I know best practices, but I'm lazy and my actual practices are what they are -- better than many folks, but much worse than they could be. I can't be that fucking fussed over it. I have too many goddamn web-sites I log into to remember different passwords for all of them and most of them are basically irrelevant.

The really important shit I use much better practices, and the rest -- well, I'm not going to lose my job over any of it if something does get compromised, so I'll continue live with the risk for the convenience.

But I live in a shitty neighbourhood and we don't lock the door unless we're out of the house. I don't lock my car, either. I go walking at night to the nearby convenience store when I want some fresh air. All of life's a risk assessment. It'd be better if people actually understood the risks they're taking when they take them, and I am for education on that front, but...

yeah, I'm not going to be changing most of my passwords.
[personal profile] lizbee 2014-04-09 06:39 am (UTC)(link)
Okay, this is good to hear. I had decided to let everything sit for a few days anyway and see how it all fell out. (I am, however, hoping that work's IT department is doing at least a little bit of freaking out. Most of the top-level stuff -- ASIO transcripts and the like -- are done offline, but, you know...)

[personal profile] nixwilliams 2014-04-09 07:44 am (UTC)(link)
Thanks, this is useful.

[personal profile] nixwilliams 2014-04-09 07:50 am (UTC)(link)
Out of interest, when I type URLs into the various 'check it' tools, they come back sometimes as OK, sometimes as not OK. Would that mean it's still vulnerable? And also, should we not be logging into sites that are vulnerable - or since it's been a problem for a while is that just like closing the gates after the horses have bolted? (See, I am one of your non programming-savvy friends!)
[personal profile] thorfinn 2014-04-10 08:58 am (UTC)(link)
If the site is still returning vulnerable, don't log in (unless it's a site you would log in to if it was not secured at all, as per the OP, in which case, wharves).

If it's just some kind of error message other than "vulnerable to heartbleed", then it's a dunno, probably try another tool and see.

My own PSA: Heartbleed Secure Web Vulnerability post lists three checkers, the last one being quite comprehensive. The one that's linked in this OP is:

If that doesn't work, try: (but that reports a lot of false "maybe"s, so it's not as useful).

If that still doesn't work, for an even more full on SSL test, go here:
Edited 2014-04-10 09:04 (UTC)

[personal profile] nixwilliams 2014-04-12 08:39 am (UTC)(link)
Thank you!
[personal profile] kerrypolka 2014-04-09 02:00 pm (UTC)(link)
Thank you very much for this, it's interesting and useful.
[personal profile] linaelyn 2014-04-09 08:31 pm (UTC)(link)
Thanks for this, most especially the link to the "has your bank/broker fixed it yet?" answers! (Unsurprisingly, my little podunk credit union is still trying to figure out if there's a problem they should bother to address!)

Amusingly, in the past month, I had just done the battery change in the smoke detectors, restocked the water/food in the earthquake kit, and re-upped all the passwords on the financial sites. *sigh* Now I need to figure out a new system of incrementing for my passwords, because if the Bad Guys have slurped three iterations of my password changes, it's not hard to figure out the next one in my series. I probably rely too much on my awkward RL surname being my protection from identity theft.
[personal profile] thorfinn 2014-04-10 05:35 am (UTC)(link)
Thanks. I hadn't thought deeply beyond "FFFFUUUU change all the things", but you're right. Admittedly, for me, I *do* use two factor lots of places, don't have non SSL logins to anything, and all that jazz, and I already had a priority list in mind for which of the 300+ sites I was going to check first, but it's definitely worth calling this out specifically.