Poll 2014-04-14 Because of the heartbleed bug, I...
Reset all my passwords
8 votes (12%)
Generated new SSL private keys
7 votes (10%)
Would generate new SSL keys, if only the CA wouldn't charge me
4 votes (6%)
Was still using the previous version that wasn't vulnerable to heartbleed
10 votes (15%)
Was surprised it wasn't GnuTLS this time
8 votes (12%)
Put my fingers in my ears and chanted La-La-La-La
30 votes (45%)
7 comments

Followed but taken no action (Score: 1)

by lhsi@pipedot.org on 2014-04-14 10:35 (#12B)

I'm not a server admin so can only wait on hearing from one that I use when/if I should change a password. My bank told me that they were not affected and I did not need to do anything.

Re: Followed but taken no action (Score: 2, Interesting)

by ploling@pipedot.org on 2014-04-14 13:04 (#12E)

Pretty much the same here. I haven't noticed any breaches anywhere either and I find that exceptionally interesting given 1. reports/possible proof it was being exploited, and 2. the severity of the bug.

I know that smell by now, maybe they should just come clean? They could even spin it as having control over what they're doing, hell it might even be true in this case but it's still a horrible idea since it relies on continuous perfection.

Re: Followed but taken no action (Score: 2, Insightful)

by nightsky30@pipedot.org on 2014-04-15 12:43 (#12Q)

Given the breaches we've seen lately, and after going through a few sites on https://lastpass.com/heartbleed/ I'd be wary of believing what they tell you. How can you verify the person you communicated with was indeed educated enough, and had accurate knowledge of the infrastructure to make that statement?

Re: Followed but taken no action (Score: 2, Insightful)

by zocalo@pipedot.org on 2014-04-15 12:53 (#12R)

Selective password changes here too, made much easier by having unique passwords per site already, and increased the password length on a few of them too. Those that use OpenSSL and have data I care about got reset, the rest I just let be for now but will change them if anything unusual happens.

Re: Followed but taken no action (Score: 2, Informative)

by songofthepogo@pipedot.org on 2014-04-16 17:20 (#13G)

Ditto. I went through the list on Mashable (http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/) and changed what needed changing. I've not yet checked other sites for which I have logins that were not in Mashable's list, though I could/should be doing so at either LastPass (https://lastpass.com/heartbleed/) or 1Password (https://heartbleed.agilebits.com/). This is mainly because I'm super lazy, but also because, like you, I've got a unique password for each site. I feel less urgently inclined to change those passwords on sites that are largely unimportant to me. That's possibly the equivalent of "Put my fingers in my ears and chanted La-La-La-La" and, if so, I'll just have my own laziness to blame.

Btw, if anyone's got a good list of sites whose passwords need changing, a la Mashable's but more complete/updated, I'd be much obliged if you posted the link.

Password changes dangerous now (Score: 4, Interesting)

by Anonymous Coward on 2014-04-17 11:26 (#13Q)

Most sites have no new certificates issued (and even if, it would be of little use), so I consider password changes or any login at the moment rather dangerous. It is highly possible that if you change your passwords now, the NSA will get a full set as well.

Re: Password changes dangerous now (Score: 1)

by songofthepogo@pipedot.org on 2014-04-17 16:50 (#13X)

Good point. The sites for which I did create new passwords had issued new certs within the last week or so, but I hadn't really given adequate consideration to the possible ramifications of what might occur were I to create a new password on a site that did not yet have all its ducks in a row.