The hype: You must change all of your passwords
The reality: You should, but not yet
It's true that the Heartbleed vulnerability has existed for a couple years, and there's a fair chance that your passwords have been exposed or compromised. However, it's pointless to change your password on a vulnerable site before it has confirmed that the service is patched.
Tom Cross, director of security research at Lancope, says passwords were likely only exposed if users logged in to a vulnerable site after the vulnerability was made public. The odds of that are lower than the alarm around Heartbleed might suggest, because only 11 to 17 percent of websites are estimated to have been vulnerable, and most of them rapidly deployed the necessary patch.
The problem here is knowing when a vulnerable site has been fixed. Not all companies are being forthright about remediating the bug.
"Unless your vendors have specifically announced they have patched and reset their certificates, it wouldn't be a bad idea to change your password now and then again in a month," says Andrew Storms, director of DevOps for CloudPassage. "Everyone should remember two important best practices: use unique passwords on each site and change your password on a regular basis."
The real risk is crying wolf
As far as these experts are concerned, more dangerous than the Heartbleed vulnerability itself is the distorted expectations the media has created in its wake.
"Everyone talks about educating users, but this assumption puts the onus on the security industry," says Reguly. "If we cry wolf with every vulnerability, we're doing end users a disservice." Other security issues deserve as much or more concern, Reguly adds. "This is a critical issue that must be fixed, but for the average consumer the latest Flash and IE zero-days still pose a greater risk than Heartbleed."
Sign up for Computerworld eNewsletters.