The Heartbleed bug provides a great reminder to protect against disaster by adopting a strong password, or strengthening the ones you are using. However, until a fix to Heartbleed is in place on the system in use, changing a password provides nothing more than a false sense of security.
Heartbleed is a software flaw in the open source OpenSSL code, a technology used to encrypt two-thirds of all servers on the Internet, the Los Angeles Times estimates. Use of OpenSSL typically shows up in your browser as a small green padlock icon.
In an April 10 advisory, Cisco revealed that it uses OpenSSL in multiple products and that Heartbleed could allow a remote hacker to pull memory in 64 KB chunks from a connected server or client, according to HealthcareInfoSecurity. Cisco attributes the vulnerability to a missing bounds check in the handling of the TLS heartbeat extension.
Juniper Networks also has posted an alert on its Web site notifying customers that the TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, leaving private keys, usernames, passwords and encrypted content vulnerable.
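As an added illustration, not code from Cisco, Juniper or OpenSSL, the hypothetical parser below shows the bounds check that the fixed release adds: before a responder copies the request payload into its reply, it must verify that the 16-bit length field fits inside the bytes actually received. The sample records are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message layout (inside a TLS record body):
 *   type (1 byte), payload_length (2 bytes, big-endian),
 *   payload (payload_length bytes), padding (at least 16 bytes). */
#define HB_REQUEST     1
#define HB_MIN_PADDING 16

/* Copy the request payload into out, as a responder does when building
 * its reply. Returns the payload length, or -1 when the record is
 * malformed, out is too small, or the claimed length is not covered by
 * the bytes received (the check the vulnerable versions lacked). */
int heartbeat_payload(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < 3)                /* no room for type + length field */
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* Hardened check: type, length field, full payload and minimum
     * padding must all lie within rec_len. Without it payload_len is
     * trusted and the memcpy reads past the end of the record. */
    if (1 + 2 + payload_len + HB_MIN_PADDING > rec_len)
        return -1;
    if (payload_len > out_cap)
        return -1;
    memcpy(out, rec + 3, payload_len);
    return (int)payload_len;
}

/* Constructed sample records: a well-formed 4-byte request, and one
 * whose length field claims 65535 bytes while carrying only 4. */
static const uint8_t HB_GOOD[]  = { 1, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t HB_LYING[] = { 1, 0xFF, 0xFF, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    uint8_t buf[64];
    int n = heartbeat_payload(HB_GOOD, sizeof HB_GOOD, buf, sizeof buf);
    printf("well-formed request: payload length %d\n", n);
    n = heartbeat_payload(HB_LYING, sizeof HB_LYING, buf, sizeof buf);
    printf("over-long length field: %s\n", n < 0 ? "rejected" : "accepted");
    return 0;
}
```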
Codenomicon, the Finland-based security vendor credited with discovering the bug, advises organizations to deploy the fix for the software, Fixed OpenSSL, and to test and vet critical software components and applications to identify weaknesses.
Once the fix has been implemented, it is time to ask users to change their passwords. A video version of security expert Bruce Schneier's advice on creating a strong password that is easy to remember can be found on the Time Web site.