Hacker News new | ask | show | jobs
by CanSpice 4451 days ago
Yes. All of them.

Seriously, it's easier to just change all of your passwords than to hunt down a list (that will be incomplete and give you a false sense of security), cross-match against servers you might have an account on, then change their passwords.

Just change them all and be done with it.

The "whether they've been fixed" part is a little tougher, because that lets you know when you should change your password. General sentiment I've been seeing is give it a week for everybody to fix their stuff (even this might be a little long) and then change your passwords. If a given site says either "we weren't affected, here's why" or "we've patched our stuff, we're all good" then you should change your password on that site ASAP.
1 comments
jeff303 4451 days ago
When would be the optimal time to perform these password changes? I am assuming that not every affected site has been patched yet, and it would be pointless to change the password, and log in, before they have fixed the problem.
link
jeff303 4450 days ago
Actually, it turns out that LastPass (which I use) has incorporated most of what's discussed in this sub-thread into its security checker tool, so it automatically tells me which sites need to have passwords changed for them and when.
link
sliverstorm 4451 days ago
Use one of the testers to check if the website is currently vulnerable.
link
ams6110 4451 days ago
And then use your browser's certificate inspector to check the issue date of the certificate. If it's earlier than April 7, 2014, it's still insecure.
link
sliverstorm 4451 days ago
Only if they were impacted by the bug.

It's rather unreasonable to expect sites that know they were not impacted will update their certificate. So unless you want to write off your bank's website for the next year or three until the date expires & they renew it then, (banks seem to have avoided this- suddenly dawdling behind the bleeding edge doesn't look so bad!) scorched-earth policies are a bit much.

Actually I might even say the opposite; if the site is secure and the certificate is older than 4/7/2014, that suggests the site was not impacted. If the certificate is newer than 4/7/2014, that pretty much guarantees the site was impacted. It is possible the site patched openssl and did not renew the cert, but in general people are not going to do one without the other.

link