Users are being encouraged to change their passwords because of the OpenSSL flaw, but there is no guarantee that sites have been patched.
Speaking to IT Security Guru, Thom Langford, director of the global security office at Sapient, said that advice to change passwords was “utterly pointless” and a knee jerk reaction to advise changing passwords on a compromised system as then the new password could be intercepted.
“You have to wait, it makes it harder and it puts huge amounts of pressure on the providers and you need to have virtually every service provider say to every one of their customers that they have patched it, have reissued the certificates and now please change their password,” he said.
“Or say we are using IIS and are not at risk, however how about changing your password anyway and use it as an education piece? You’ll never get everyone but at least they have discharged their responsibility.”
Langford was reacting to advice being offered by websites which encouraged users to change their passwords, without any suggestion that the issue had been fixed.
“It could be seen as a phishing email and if it doesn’t come back it was a scam and if you confuse people nothing will happen and if you muddy the waters, and this was a huge activity,” he said.
“If I look in my password app, there are 150 odd passwords in there and I am a human being and I change what is most important, and that is a day’s worth of effort there. If you lull them into a false sense of security that is just as bad, phishing scams happen in any crisis.”
Langford was especially praiseworthy of the approach taken by LastPass who had added a website checker for the Heartbleed flaw. “They gave clarity even if they were vulnerable, and because of the way it implemented it, no one got any of the information anyway, but they were still doing it because we take it seriously,” he said.
