Heartbleed bug: To change or not to change your computer password

Users are unsure as Heartbleed bug lurks and websites tell them little

File picture illustration of the word 'password' pictured through a magnifying glass on a computer screen, taken in Berlin on May 21, 2013. -- FILE PHOTO: REUTERS
File picture illustration of the word 'password' pictured through a magnifying glass on a computer screen, taken in Berlin on May 21, 2013. -- FILE PHOTO: REUTERS

To change or not to change - their passwords, that is.

Many computer users are facing this dilemma following the discovery of the potent Heartbleed, which has opened the door for hackers to enter two-thirds of websites around the world.

Security experts have advised that it be done after an affected website had been patched to get rid of the bug.

But many of the highly popular websites reportedly affected by Heartbleed appear to have left users in the dark as to whether they need to take action.

Google, for instance, said that it fixed the bug early, applying patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps and App Engine.

It announced the move in a blog post on Wednesday and, when contacted, told The Straits Times yesterday: "Google users do not need to change their passwords."

Its failure to inform Gmail account holders infuriates users like Mr Aaron Koh, 37, who said he does not track vendors' blog posts.

"The very least Google could have done is to update users via an e-mail," said the marketing manager.

Agreeing, engineer John Wong, 36, said websites should be proactive and inform users of any vulnerability.

"A lot of websites let users log in via their Google or Facebook accounts," he noted, adding that it was how he would log into book-sharing site Goodreads.

He was among many who learnt of the need to change their usernames and passwords, when accessing sites such as Facebook, Yahoo Mail, GoDaddy, Instagram, Tumblr and Dropbox, from the media.

Websites reportedly affected by Heartbleed include e-mail service providers Gmail and Yahoo Mail, GoDaddy poll management service, social networks Tumblr and Instagram, as well as file-sharing service Dropbox.

The bug, which has been lurking undetected for more than two years, is found in a computer code called OpenSSL.

This code is designed to secure data on websites but the flaw lets hackers pull data, including passwords, from the affected server's working memory.

"This is why usernames and passwords become unsafe, and should be changed after services have been fixed and if the service provider instructs users to change the passwords," said Mr Ari Takanen, chief technology and research officer at Finnish security firm Codenomicon, which helped uncover the bug.

Mr Tan Shong Ye, IT risk and cyber-security leader at consulting firm PricewaterhouseCoopers Singapore, said website operators may still be assessing the potential damage.

It is the reason they have not sent out a notice asking users to change their passwords.

"It may take days to completely patch the security loophole and assess the sensitive information that may be leaked," Mr Tan added.

Dr Calvin Chan, head of the business programme at SIM University's School of Business, has this advice for users: "Play a part in having the discipline to update (your) passwords regularly."


Join ST's WhatsApp Channel and get the latest news and must-reads.